OidcClientInput
Input type for creating a new OIDC client.
input OidcClientInput {
  allowAnyPartner: Boolean
  applicationType: OidcApplicationType
  authorizationRequestsTypeJarEnabled: Boolean
  authorizationRequestsTypeStandardEnabled: Boolean
  backgroundColor: String
  backgroundImage: DataURL
  clientJwks: JSONObject
  clientJwksUri: URL
  clientSecret: String
  clientType: OidcClientType!
  credentialTypes: [String!]
  logo: DataURL
  name: String!
  partnerIds: [ID!]
  policyUrl: URL
  postLogoutUris: [URL!]!
  redirectUris: [URL!]!
  relyingPartyJwks: JSONObject
  relyingPartyJwksUri: URL
  requireFaceCheck: Boolean
  termsOfServiceUrl: URL
  tokenEndpointAuthMethod: OidcTokenEndpointAuthMethod
  uniqueClaimsForSubjectId: [String!]
}
Fields
OidcClientInput.allowAnyPartner ● Boolean scalar
Indicates whether the client allows presentations of credentials from any configured partner.
OidcClientInput.applicationType ● OidcApplicationType enum
The type of OIDC application; web is the default.
OidcClientInput.authorizationRequestsTypeJarEnabled ● Boolean scalar
Indicates whether JWT-secured authorisation requests (JAR) are enabled for this client.
OidcClientInput.authorizationRequestsTypeStandardEnabled ● Boolean scalar
Indicates whether standard authorisation requests (query params) are enabled for this client.
OidcClientInput.backgroundColor ● String scalar
The background color, to be displayed during auth interactions, in hexadecimal format.
OidcClientInput.backgroundImage ● DataURL scalar
The URL of the background image to be displayed during auth interactions, can be an image encoded as a data URL.
OidcClientInput.clientJwks ● JSONObject scalar
The client's public key set (JWKS) as a JSON string, used for private_key_jwt client authentication.
Note:
- Accepts a single JWK object or a JWKS object containing a keys array.
- Only public keys (RSA or EC) are accepted.
- Multiple keys can be provided to support key rotation.
- Mutually exclusive with clientJwksUri.
OidcClientInput.clientJwksUri ● URL scalar
A URI pointing to the client's public key set (JWKS), used for private_key_jwt client authentication.
Note:
- The URI must serve a valid JWKS document.
- Keys are fetched and cached by the OIDC provider.
- Mutually exclusive with clientJwks.
OidcClientInput.clientSecret ● String scalar
The client secret, only applicable to confidential clients using client_secret_post authentication. Optional for update operations (existing secret will be retained when not provided).
OidcClientInput.clientType ● OidcClientType! non-null enum
The type of OIDC client.
OidcClientInput.credentialTypes ● [String!] list scalar
The types of credentials that can be presented for authentication with this client.
Note:
- If not specified, any credential type can be presented.
- The client can specify the credential type to use for authentication via the vc_type auth request parameter.
- If values are defined here and the vc_type auth request parameter is provided, it is validated to be from this list.
OidcClientInput.logo ● DataURL scalar
The URL of the client logo to be displayed during auth interactions, can be an image encoded as a data URL.
OidcClientInput.name ● String! non-null scalar
The name of the client.
OidcClientInput.partnerIds ● [ID!] list scalar
The IDs of the partners that the client allows presentations of credentials from.
OidcClientInput.policyUrl ● URL scalar
The URL of a privacy policy for the client, displayed during auth interactions.
OidcClientInput.postLogoutUris ● [URL!]! non-null scalar
The post-logout URIs that the client is allowed to use.
OidcClientInput.redirectUris ● [URL!]! non-null scalar
The redirect URIs that the client is allowed to use.
OidcClientInput.relyingPartyJwks ● JSONObject scalar
The relying party's public key set (JWKS) as a JSON string, used for verifying JWT-secured authorisation requests (JAR).
Note:
- Accepts a single JWK object or a JWKS object containing a keys array.
- Only public keys (RSA or EC) are accepted.
- Mutually exclusive with relyingPartyJwksUri.
OidcClientInput.relyingPartyJwksUri ● URL scalar
A URI pointing to the relying party's public key set (JWKS), used for verifying JWT-secured authorisation requests (JAR).
Note:
- The URI must serve a valid JWKS document.
- Mutually exclusive with relyingPartyJwks.
OidcClientInput.requireFaceCheck ● Boolean scalar
Indicates this client must use face check with every authentication presentation.
OidcClientInput.termsOfServiceUrl ● URL scalar
The URL of the terms of service for the client, displayed during auth interactions.
OidcClientInput.tokenEndpointAuthMethod ● OidcTokenEndpointAuthMethod enum
The token endpoint authentication method. Defaults to client_secret_post for confidential clients and none for public clients.
Note:
- Confidential clients must use either client_secret_post or private_key_jwt, not both.
- When client_secret_post is used, clientSecret is required.
- When private_key_jwt is used, clientJwks or clientJwksUri is required.
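The key-set rules under clientJwks and relyingPartyJwks and the authentication-method rules above can be checked before the input is sent to createOidcClient. The following is an added example, not code from this API or its provider; the function names and the string spellings 'confidential' and 'public' for clientType are assumptions, and the auth-method strings follow the spellings used in this page's prose.

```javascript
// Pre-flight checks for an OidcClientInput before calling createOidcClient.
// Assumption (not on the page): clientType is passed as 'confidential' or 'public'.
const PRIVATE_JWK_MEMBERS = ['d', 'p', 'q', 'dp', 'dq', 'qi', 'oth'];

// Normalise "a single JWK or a JWKS with a keys array" (object or JSON string) to a list.
function jwkList(jwks) {
  const doc = typeof jwks === 'string' ? JSON.parse(jwks) : jwks;
  return Array.isArray(doc.keys) ? doc.keys : [doc];
}

// Problems in one key set: only public RSA or EC keys are acceptable.
function checkPublicJwks(field, jwks) {
  const problems = [];
  jwkList(jwks).forEach((key, i) => {
    if (key === null || typeof key !== 'object') {
      problems.push(`${field}[${i}]: not a JWK object`);
      return;
    }
    if (key.kty !== 'RSA' && key.kty !== 'EC') problems.push(`${field}[${i}]: kty must be RSA or EC`);
    const leaked = PRIVATE_JWK_MEMBERS.filter((m) => m in key);
    if (leaked.length) problems.push(`${field}[${i}]: private members present (${leaked.join(', ')})`);
  });
  return problems;
}

function validateOidcClientInput(input) {
  const problems = [];
  const pairs = [['clientJwks', 'clientJwksUri'], ['relyingPartyJwks', 'relyingPartyJwksUri']];
  for (const [inline, uri] of pairs) {
    if (input[inline] && input[uri]) problems.push(`${inline} and ${uri} are mutually exclusive`);
    if (input[inline]) problems.push(...checkPublicJwks(inline, input[inline]));
  }
  const confidential = input.clientType === 'confidential';
  const method = input.tokenEndpointAuthMethod || (confidential ? 'client_secret_post' : 'none');
  if (confidential && !['client_secret_post', 'private_key_jwt'].includes(method)) {
    problems.push('confidential clients must use client_secret_post or private_key_jwt');
  }
  if (method === 'client_secret_post' && !input.clientSecret) problems.push('client_secret_post requires clientSecret');
  if (method === 'private_key_jwt' && !input.clientJwks && !input.clientJwksUri) {
    problems.push('private_key_jwt requires clientJwks or clientJwksUri');
  }
  return problems;
}

// Constructed sample: an EC key exported with its private scalar "d" still attached.
const sample = { name: 'Example RP', clientType: 'confidential', tokenEndpointAuthMethod: 'private_key_jwt',
  clientJwks: { keys: [{ kty: 'EC', crv: 'P-256', x: 'x-placeholder', y: 'y-placeholder', d: 'd-placeholder' }] },
  redirectUris: ['https://rp.example/callback'], postLogoutUris: [] };
console.log(validateOidcClientInput(sample));
```

The clientSecret check applies to creation only, since the page states the secret is optional on update.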
OidcClientInput.uniqueClaimsForSubjectId ● [String!] list scalar
The unique claim(s) which can be used to derive the subject identifier (sub claim value) from partner credentials (where no unique claim value is known).
Note:
- This is not needed for authentication using VO credentials; the issuanceId claim is used.
- The authentication client can also specify the claim to use via the vc_unique_claim_for_sub auth request parameter.
- Multiple values can be specified here. If no claim is specified via the client's vc_unique_claim_for_sub auth request parameter, the first claim that is present in the partner presentation will be used.
- If values are defined here and the vc_unique_claim_for_sub auth request parameter is provided, it is validated to be from this list.
Member Of
createOidcClient mutation ● updateOidcClient mutation