Use the GET /oauth/clientSettings endpoint to configure the OAuth client settings.

Status codes

| Code | Reason |
| --- | --- |
| 200 | Success. |
| 403 | PingFederate does not have its OAuth 2.0 authorization server role enabled. Operation not available. |

ClientSettings - The client settings.

| Property | Type | Description |
| --- | --- | --- |
| clientMetadata | array[ClientMetadata] | The client metadata. |
| dynamicClientRegistration | DynamicClientRegistration | Dynamic client registration settings. |

ClientMetadata - The client metadata.

| Property | Type | Description |
| --- | --- | --- |
| description | string | The metadata description. |
| multiValued | boolean | If the field should allow multiple values. |
| parameter | string | The metadata name. |

DynamicClientRegistration - Dynamic client registration settings.

| Property | Type | Description |
| --- | --- | --- |
| allowedExclusiveScopes | array[string] | The exclusive scopes to allow. |
| bypassActivationCodeConfirmationOverride | boolean | Indicates if the Activation Code Confirmation page should be bypassed if ‘verification_url_complete’ is used by the end user to authorize a device. |
| cibaPollingInterval | integer | The minimum amount of time in seconds that the Client must wait between polling requests to the token endpoint. The default is 3 seconds. |
| cibaRequireSignedRequests | boolean | Determines whether CIBA signed requests are required for this client. |
| clientCertIssuerRef | ResourceLink | Client TLS Certificate Issuer DN. |
| clientCertIssuerType | ClientCertificateIssuerType | Client TLS Certificate Issuer Type. |
| defaultAccessTokenManagerRef | ResourceLink | The default access token manager for this client. |
| deviceFlowSettingType | DeviceFlowSettingType | Allows an administrator to override the Device Authorization Settings set globally for the OAuth AS. Defaults to SERVER_DEFAULT. |
| devicePollingIntervalOverride | integer | The amount of time the client should wait between polling requests, in seconds. |
| enforceReplayPrevention | boolean | Enforce replay prevention. |
| initialAccessTokenScope | string | The initial access token to prevent unwanted client registrations. |
| oidcPolicy | ClientRegistrationOIDCPolicy | Open ID Connect Policy settings. This is included in the message only when OIDC is enabled. |
| pendingAuthorizationTimeoutOverride | integer | The ‘device_code’ and ‘user_code’ timeout, in seconds. |
| persistentGrantExpirationTime | integer | The persistent grant expiration time. |
| persistentGrantExpirationTimeUnit | PersistentGrantLifetimeUnit | The persistent grant expiration time unit. |
| persistentGrantExpirationType | PersistentGrantLifetimeType | Allows an administrator to override the Persistent Grant Lifetime set globally for the OAuth AS. Defaults to SERVER_DEFAULT. |
| persistentGrantIdleTimeout | integer | The persistent grant idle timeout. |
| persistentGrantIdleTimeoutTimeUnit | PersistentGrantLifetimeUnit | The persistent grant idle timeout time unit. |
| persistentGrantIdleTimeoutType | PersistentGrantLifetimeType | Allows an administrator to override the Persistent Grant Idle Timeout set globally for the OAuth AS. Defaults to SERVER_DEFAULT. |
| policyRefs | array[ResourceLink] | The client registration policies. |
| refreshRolling | RefreshRollingType | Use ROLL or DONT_ROLL to override the Roll Refresh Token Values setting on the Authorization Server Settings. SERVER_DEFAULT will default to the Roll Refresh Token Values setting on the Authorization Server Setting screen. Defaults to SERVER_DEFAULT. |
| requestPolicyRef | ResourceLink | The CIBA request policy. |
| requireProofKeyForCodeExchange | boolean | Determines whether Proof Key for Code Exchange (PKCE) is required for the dynamically created client. |
| requireSignedRequests | boolean | Require signed requests. |
| restrictCommonScopes | boolean | Restrict common scopes. |
| restrictedCommonScopes | array[string] | The common scopes to restrict. |
| tokenExchangeProcessorPolicyRef | ResourceLink | The Token Exchange Processor policy. |
| userAuthorizationUrlOverride | string | The URL is used as ‘verification_url’ and ‘verification_url_complete’ values in a Device Authorization request. |

ResourceLink - A reference to a resource.

| Property | Type | Description |
| --- | --- | --- |
| id * | string | The ID of the resource. |
| location | string | A read-only URL that references the resource. If the resource is not currently URL-accessible, this property will be null. |

ClientRegistrationOIDCPolicy - Client Registration Open ID Connect Policy settings.

| Property | Type | Description |
| --- | --- | --- |
| idTokenContentEncryptionAlgorithm | ContentEncryptionAlgorithm | The JSON Web Encryption [JWE] content encryption algorithm for the ID Token. |
| idTokenEncryptionAlgorithm | EncryptionAlgorithm | The JSON Web Encryption [JWE] encryption algorithm used to encrypt the content encryption key for the ID Token. |
| idTokenSigningAlgorithm | SigningAlgorithm | The JSON Web Signature [JWS] algorithm required for the ID Token. A null value will represent the default algorithm which is RS256. RSASSA-PSS is only supported with SafeNet Luna, Thales nCipher or Java 11. |
| policyGroup | ResourceLink | The Open ID Connect policy. A null value will represent the default policy group. |

idTokenContentEncryptionAlgorithm values:

AES_128_CBC_HMAC_SHA_256 - Composite AES-CBC-128 HMAC-SHA-256
AES_192_CBC_HMAC_SHA_384 - Composite AES-CBC-192 HMAC-SHA-384
AES_256_CBC_HMAC_SHA_512 - Composite AES-CBC-256 HMAC-SHA-512
AES_128_GCM - AES-GCM-128
AES_192_GCM - AES-GCM-192
AES_256_GCM - AES-GCM-256

idTokenEncryptionAlgorithm values:

DIR - Direct Encryption with symmetric key
A128KW - AES-128 Key Wrap
A192KW - AES-192 Key Wrap
A256KW - AES-256 Key Wrap
A128GCMKW - AES-GCM-128 key encryption
A192GCMKW - AES-GCM-192 key encryption
A256GCMKW - AES-GCM-256 key encryption
ECDH_ES - ECDH-ES
ECDH_ES_A128KW - ECDH-ES with AES-128 Key Wrap
ECDH_ES_A192KW - ECDH-ES with AES-192 Key Wrap
ECDH_ES_A256KW - ECDH-ES with AES-256 Key Wrap
RSA_OAEP - RSAES OAEP

idTokenSigningAlgorithm values:

NONE - No signing algorithm
HS256 - HMAC using SHA-256
HS384 - HMAC using SHA-384
HS512 - HMAC using SHA-512
RS256 - RSA using SHA-256
RS384 - RSA using SHA-384
RS512 - RSA using SHA-512
ES256 - ECDSA using P256 Curve and SHA-256
ES384 - ECDSA using P384 Curve and SHA-384
ES512 - ECDSA using P521 Curve and SHA-512
PS256 - RSASSA-PSS using SHA-256 and MGF1 padding with SHA-256
PS384 - RSASSA-PSS using SHA-384 and MGF1 padding with SHA-384
PS512 - RSASSA-PSS using SHA-512 and MGF1 padding with SHA-512
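
An added example, not part of the PingFederate documentation: a Python check that reads a ClientSettings document in the shape described above and reports dynamic client registration settings a reviewer would want to tighten. The sample JSON is constructed, and the audit policy (which values count as weak) is an assumption of this example.

```python
import json

# Constructed sample shaped like a GET /oauth/clientSettings response (not real output).
SAMPLE = json.loads("""{
  "clientMetadata": [],
  "dynamicClientRegistration": {
    "initialAccessTokenScope": "",
    "requireProofKeyForCodeExchange": false,
    "requireSignedRequests": false,
    "enforceReplayPrevention": false,
    "restrictCommonScopes": false,
    "refreshRolling": "DONT_ROLL",
    "oidcPolicy": {"idTokenSigningAlgorithm": "NONE"}
  }
}""")

# Booleans this audit expects to be true (the policy is an assumption of the example).
REQUIRED_TRUE = {
    "requireProofKeyForCodeExchange": "PKCE is not required",
    "requireSignedRequests": "signed requests are not required",
    "enforceReplayPrevention": "replay prevention is not enforced",
    "restrictCommonScopes": "common scopes are not restricted",
}

def audit_client_settings(settings):
    """Return (property, finding) pairs for weak dynamic registration settings."""
    dcr = settings.get("dynamicClientRegistration") or {}
    findings = []
    # Assumption: an empty scope means registration is not gated by an initial access token.
    if not dcr.get("initialAccessTokenScope"):
        findings.append(("initialAccessTokenScope", "no initial access token scope set"))
    for prop, message in REQUIRED_TRUE.items():
        if dcr.get(prop) is not True:  # a missing property is treated as not enabled
            findings.append((prop, message))
    # SERVER_DEFAULT defers to the global setting, so only an explicit DONT_ROLL is flagged.
    if dcr.get("refreshRolling") == "DONT_ROLL":
        findings.append(("refreshRolling", "refresh token values are never rolled"))
    # A null idTokenSigningAlgorithm means the RS256 default, so only NONE is flagged.
    oidc = dcr.get("oidcPolicy") or {}
    if oidc.get("idTokenSigningAlgorithm") == "NONE":
        findings.append(("oidcPolicy.idTokenSigningAlgorithm", "ID tokens are unsigned"))
    return findings

if __name__ == "__main__":
    for prop, finding in audit_client_settings(SAMPLE):
        print(f"{prop}: {finding}")
```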