Skip to main content

OidcClientInput

Input type for creating a new OIDC client.

input OidcClientInput {
allowAnyPartner: Boolean
applicationType: OidcApplicationType
authorizationRequestsTypeJarEnabled: Boolean
authorizationRequestsTypeStandardEnabled: Boolean
backgroundColor: String
backgroundImage: DataURL
claimConstraint: ClaimConstraint
clientJwks: JSONObject
clientJwksUri: URL
clientSecret: String
clientType: OidcClientType!
credentialTypes: [String!]
faceCheckConfidenceThreshold: Int
logo: DataURL
name: String!
partnerIds: [ID!]
policyUrl: URL
postLogoutUris: [URL!]!
redirectUris: [URL!]!
relyingPartyJwks: JSONObject
relyingPartyJwksUri: URL
requireFaceCheck: Boolean
responseTypes: [OidcResponseType!]
termsOfServiceUrl: URL
tokenEndpointAuthMethod: OidcTokenEndpointAuthMethod
uniqueClaimsForSubjectId: [String!]
vcPolicy: OidcClientVcPolicyInput
}

Fields

OidcClientInput.allowAnyPartner ● Boolean scalar

Indicates whether the client allows presentations of credentials from any configured partner.

OidcClientInput.applicationType ● OidcApplicationType enum

The type of OIDC application, web is the default.

OidcClientInput.authorizationRequestsTypeJarEnabled ● Boolean scalar

Indicates whether JWT-secured authorisation requests (JAR) are enabled for this client.

OidcClientInput.authorizationRequestsTypeStandardEnabled ● Boolean scalar

Indicates whether standard authorisation requests (query params) are enabled for this client.

OidcClientInput.backgroundColor ● String scalar

The background color, to be displayed during auth interactions, in hexadecimal format.

OidcClientInput.backgroundImage ● DataURL scalar

The URL of the background image to be displayed during auth interactions, can be an image encoded as a data URL.

OidcClientInput.claimConstraint ● ClaimConstraint input

A claim constraint to configure on this client. Exactly one operator (values, contains, startsWith) must be set. Pass null to clear an existing constraint.

OidcClientInput.clientJwks ● JSONObject scalar

The client's public key set (JWKS) as a JSON string, used for private_key_jwt client authentication.

Note:

  • Accepts a single JWK object or a JWKS object containing a keys array.
  • Only public keys (RSA or EC) are accepted.
  • Multiple keys can be provided to support key rotation.
  • Mutually exclusive with clientJwksUri.

OidcClientInput.clientJwksUri ● URL scalar

A URI pointing to the client's public key set (JWKS), used for private_key_jwt client authentication.

Note:

  • The URI must serve a valid JWKS document.
  • Keys are fetched and cached by the OIDC provider.
  • Mutually exclusive with clientJwks.

OidcClientInput.clientSecret ● String scalar

The client secret, only applicable to confidential clients using client_secret_post authentication. Optional for update operations (existing secret will be retained when not provided).

OidcClientInput.clientType ● OidcClientType! non-null enum

The type of OIDC client.

OidcClientInput.credentialTypes ● [String!] list scalar

The types of credentials that can be presented for authentication with this client.

Note:

  • If not specified, any credential type can be presented.
  • The client can specify the credential type to use for authentication via the vc_type auth request parameter.
  • If values are defined here and the vc_type auth request parameter is provided, it is validated to be from this list.

OidcClientInput.faceCheckConfidenceThreshold ● Int scalar

The face check match confidence threshold (50–100). Only applicable when requireFaceCheck is true. When set, this value is sent as the matchConfidenceThreshold in the presentation request.

The URL of the client logo to be displayed during auth interactions, can be an image encoded as a data URL.

OidcClientInput.name ● String! non-null scalar

The name of the client.

OidcClientInput.partnerIds ● [ID!] list scalar

The IDs of the partners that the client allows presentations of credentials from.

OidcClientInput.policyUrl ● URL scalar

The URL of a privacy policy for the client, displayed during auth interactions.

OidcClientInput.postLogoutUris ● [URL!]! non-null scalar

The post-logout URIs that the client is allowed to use.

OidcClientInput.redirectUris ● [URL!]! non-null scalar

The redirect URIs that the client is allowed to use.

OidcClientInput.relyingPartyJwks ● JSONObject scalar

The relying party's public key set (JWKS) as a JSON string, used for verifying JWT-secured authorisation requests (JAR).

Note:

  • Accepts a single JWK object or a JWKS object containing a keys array.
  • Only public keys (RSA or EC) are accepted.
  • Mutually exclusive with relyingPartyJwksUri.

OidcClientInput.relyingPartyJwksUri ● URL scalar

A URI pointing to the relying party's public key set (JWKS), used for verifying JWT-secured authorisation requests (JAR).

Note:

  • The URI must serve a valid JWKS document.
  • Mutually exclusive with relyingPartyJwks.

OidcClientInput.requireFaceCheck ● Boolean scalar

Indicates this client must use face check with every authentication presentation.

OidcClientInput.responseTypes ● [OidcResponseType!] list enum

The OAuth response types supported by this client. Defaults to [CODE]. Rules:

  • At least one response type must be specified when provided.
  • CODE and ID_TOKEN may be used individually or together.
  • When both are specified, hybrid flow (code id_token) is enabled.
  • Omit or pass null to use the default [CODE].

OidcClientInput.termsOfServiceUrl ● URL scalar

The URL of the terms of service for the client, displayed during auth interactions.

OidcClientInput.tokenEndpointAuthMethod ● OidcTokenEndpointAuthMethod enum

The token endpoint authentication method. Defaults to client_secret_post for confidential clients and none for public clients.

Note:

  • Confidential clients must use either client_secret_post or private_key_jwt, not both.
  • When client_secret_post is used, clientSecret is required.
  • When private_key_jwt is used, clientJwks or clientJwksUri is required.

OidcClientInput.uniqueClaimsForSubjectId ● [String!] list scalar

The unique claim(s) which can be used to derive the subject identifier (sub claim value) from partner credentials.

Note:

  • This is not needed for authentication using VO credentials, the issuanceId claim is used.
  • The authentication client also can specify the claim to use via the vc_unique_claim_for_sub auth request parameter.
  • Multiple values can be specified here, if not specified via the client vc_unique_claim_for_sub auth request parameter, the first claim that is present in the partner presentation will be used.
  • If values are defined here and the vc_unique_claim_for_sub auth request parameter is provided, it is validated to be from this list.

OidcClientInput.vcPolicy ● OidcClientVcPolicyInput input

The vc_* authorisation parameter policy for this client. Controls how each vc_* parameter is resolved at runtime. Omitted fields default to client_supplied.

Member Of

createOidcClient mutation ● updateOidcClient mutation