Use the GET /oauth/clients/{{oauthClientId}} endpoint to find the OAuth client by ID.

Path parameters

Parameter Value Description
oauthClientId string (required) ID of the client.

Status codes

Code Reason
200 Success.
403 PingFederate does not have its OAuth 2.0 authorization server role enabled. Operation not available.
404 Resource not found.

Client - OAuth client.

Property Type Description
bypassActivationCodeConfirmationOverride boolean Indicates if the Activation Code Confirmation page should be bypassed if ‘verification_url_complete’ is used by the end user to authorize a device. This overrides the ‘bypassUseCodeConfirmation’ value present in Authorization Server Settings.
bypassApprovalPage boolean Use this setting, for example, when you want to deploy a trusted application and authenticate end users via an IdP adapter or IdP connection.
cibaDeliveryMode CibaDeliveryMode The token delivery mode for the client. The default value is ‘POLL’.
cibaNotificationEndpoint string The endpoint the OP will call after a successful or failed end-user authentication.
cibaPollingInterval integer The minimum amount of time in seconds that the Client must wait between polling requests to the token endpoint. The default is 3 seconds.
cibaRequestObjectSigningAlgorithm CibaRequestObjectSigningAlgorithm The JSON Web Signature [JWS] algorithm that must be used to sign the CIBA Request Object. All signing algorithms are allowed if the value is not present.
RS256 - RSA using SHA-256
RS384 - RSA using SHA-384
RS512 - RSA using SHA-512
ES256 - ECDSA using P256 Curve and SHA-256
ES384 - ECDSA using P384 Curve and SHA-384
ES512 - ECDSA using P521 Curve and SHA-512
PS256 - RSASSA-PSS using SHA-256 and MGF1 padding with SHA-256
PS384 - RSASSA-PSS using SHA-384 and MGF1 padding with SHA-384
PS512 - RSASSA-PSS using SHA-512 and MGF1 padding with SHA-512
RSASSA-PSS is only supported with SafeNet Luna, Thales nCipher or Java 11.
cibaRequireSignedRequests boolean Determines whether CIBA signed requests are required for this client.
cibaUserCodeSupported boolean Determines whether CIBA user code is supported for this client.
clientAuth ClientAuth Client authentication settings. If this model is null, it indicates that no client authentication will be used.
clientId * string A unique identifier the client provides to the Resource Server to identify itself. This identifier is included with every request the client makes. For PUT requests, this field is optional and it will be overridden by the ‘id’ parameter of the PUT request.
defaultAccessTokenManagerRef ResourceLink The default access token manager for this client.
description string A description of what the client application does. This description appears when the user is prompted for authorization.
deviceFlowSettingType DeviceFlowSettingType Allows an administrator to override the Device Authorization Settings set globally for the OAuth AS. Defaults to SERVER_DEFAULT.
devicePollingIntervalOverride integer The amount of time client should wait between polling requests, in seconds. This overrides the ‘devicePollingInterval’ value present in Authorization Server Settings.
enabled boolean Specifies whether the client is enabled. The default value is true.
exclusiveScopes array[string] The exclusive scopes available for this client.
extendedParameters Map[string, ParameterValues] OAuth Client Metadata can be extended to use custom Client Metadata Parameters. The names of these custom parameters should be defined in /extendedProperties.
grantTypes * Set[GrantType] The grant types allowed for this client. The EXTENSION grant type applies to SAML/JWT assertion grants.
jwksSettings JwksSettings JSON Web Key Set Settings of the OAuth client. Required if private key JWT client authentication or signed requests is enabled.
logoUrl string The location of the logo used on user-facing OAuth grant authorization and revocation pages.
name * string A descriptive name for the client instance. This name appears when the user is prompted for authorization.
oidcPolicy ClientOIDCPolicy Open ID Connect Policy settings. This is included in the message only when OIDC is enabled.
pendingAuthorizationTimeoutOverride integer The ‘device_code’ and ‘user_code’ timeout, in seconds. This overrides the ‘pendingAuthorizationTimeout’ value present in Authorization Server Settings.
persistentGrantExpirationTime integer The persistent grant expiration time. -1 indicates an indefinite amount of time.
persistentGrantExpirationTimeUnit PersistentGrantLifetimeUnit The persistent grant expiration time unit.
persistentGrantExpirationType PersistentGrantLifetimeType Allows an administrator to override the Persistent Grant Lifetime set globally for the OAuth AS. Defaults to SERVER_DEFAULT.
persistentGrantIdleTimeout integer The persistent grant idle timeout.
persistentGrantIdleTimeoutTimeUnit PersistentGrantLifetimeUnit The persistent grant idle timeout time unit.
persistentGrantIdleTimeoutType PersistentGrantLifetimeType Allows an administrator to override the Persistent Grant Idle Timeout set globally for the OAuth AS. Defaults to SERVER_DEFAULT.
redirectUris array[string] URIs to which the OAuth AS may redirect the resource owner’s user agent after authorization is obtained. A redirection URI is used with the Authorization Code and Implicit grant types. Wildcards are allowed. However, for security reasons, make the URL as restrictive as possible. For example: https://.company.com/ Important: If more than one URI is added or if a single URI uses wildcards, then Authorization Code grant and token requests must contain a specific matching redirect uri parameter.
refreshRolling RefreshRollingType Use ROLL or DONT_ROLL to override the Roll Refresh Token Values setting on the Authorization Server Settings. SERVER_DEFAULT will default to the Roll Refresh Token Values setting on the Authorization Server Setting screen. Defaults to SERVER_DEFAULT.
requestObjectSigningAlgorithm RequestObjectSigningAlgorithm The JSON Web Signature [JWS] algorithm that must be used to sign the Request Object. All signing algorithms are allowed if the value is not present.
RS256 - RSA using SHA-256
RS384 - RSA using SHA-384
RS512 - RSA using SHA-512
ES256 - ECDSA using P256 Curve and SHA-256
ES384 - ECDSA using P384 Curve and SHA-384
ES512 - ECDSA using P521 Curve and SHA-512
PS256 - RSASSA-PSS using SHA-256 and MGF1 padding with SHA-256
PS384 - RSASSA-PSS using SHA-384 and MGF1 padding with SHA-384
PS512 - RSASSA-PSS using SHA-512 and MGF1 padding with SHA-512
RSASSA-PSS is only supported with SafeNet Luna, Thales nCipher or Java 11.
requestPolicyRef ResourceLink The CIBA request policy.
requireProofKeyForCodeExchange boolean Determines whether Proof Key for Code Exchange (PKCE) is required for this client.
requireSignedRequests boolean Determines whether signed requests are required for this client.
restrictScopes boolean Restricts this client’s access to specific scopes.
restrictedResponseTypes array[string] The response types allowed for this client. If omitted all response types are available to the client.
restrictedScopes array[string] The scopes available for this client.
tokenExchangeProcessorPolicyRef ResourceLink The Token Exchange Processor policy.
userAuthorizationUrlOverride string The URL used as ‘verification_url’ and ‘verification_url_complete’ values in a Device Authorization request. This property overrides the ‘userAuthorizationUrl’ value present in Authorization Server Settings.
validateUsingAllEligibleAtms boolean Validates token using all eligible access token managers for the client.

ResourceLink - A reference to a resource.

Property Type Description
id * string The ID of the resource.
location string A read-only URL that references the resource. If the resource is not currently URL-accessible, this property will be null.

ClientOIDCPolicy - OAuth Client Open ID Connect Policy.

Property Type Description
grantAccessSessionRevocationApi boolean Determines whether this client is allowed to access the Session Revocation API.
idTokenContentEncryptionAlgorithm ContentEncryptionAlgorithm The JSON Web Encryption [JWE] content encryption algorithm for the ID Token.
AES_128_CBC_HMAC_SHA_256 - Composite AES-CBC-128 HMAC-SHA-256
AES_192_CBC_HMAC_SHA_384 - Composite AES-CBC-192 HMAC-SHA-384
AES_256_CBC_HMAC_SHA_512 - Composite AES-CBC-256 HMAC-SHA-512
AES_128_GCM - AES-GCM-128
AES_192_GCM - AES-GCM-192
AES_256_GCM - AES-GCM-256
idTokenEncryptionAlgorithm EncryptionAlgorithm The JSON Web Encryption [JWE] encryption algorithm used to encrypt the content encryption key for the ID Token.
DIR - Direct Encryption with symmetric key
A128KW - AES-128 Key Wrap
A192KW - AES-192 Key Wrap
A256KW - AES-256 Key Wrap
A128GCMKW - AES-GCM-128 key encryption
A192GCMKW - AES-GCM-192 key encryption
A256GCMKW - AES-GCM-256 key encryption
ECDH_ES - ECDH-ES
ECDH_ES_A128KW - ECDH-ES with AES-128 Key Wrap
ECDH_ES_A192KW - ECDH-ES with AES-192 Key Wrap
ECDH_ES_A256KW - ECDH-ES with AES-256 Key Wrap
RSA_OAEP - RSAES OAEP
idTokenSigningAlgorithm SigningAlgorithm The JSON Web Signature [JWS] algorithm required for the ID Token.
NONE - No signing algorithm
HS256 - HMAC using SHA-256
HS384 - HMAC using SHA-384
HS512 - HMAC using SHA-512
RS256 - RSA using SHA-256
RS384 - RSA using SHA-384
RS512 - RSA using SHA-512
ES256 - ECDSA using P256 Curve and SHA-256
ES384 - ECDSA using P384 Curve and SHA-384
ES512 - ECDSA using P521 Curve and SHA-512
PS256 - RSASSA-PSS using SHA-256 and MGF1 padding with SHA-256
PS384 - RSASSA-PSS using SHA-384 and MGF1 padding with SHA-384
PS512 - RSASSA-PSS using SHA-512 and MGF1 padding with SHA-512
A null value will represent the default algorithm which is RS256.
RSASSA-PSS is only supported with SafeNet Luna, Thales nCipher or Java 11.
logoutUris array[string] A list of client logout URIs which will be invoked when a user logs out through one of PingFederate’s SLO endpoints.
pairwiseIdentifierUserType boolean Determines whether the subject identifier type is pairwise.
pingAccessLogoutCapable boolean Set this value to true if you wish to enable client application logout, and the client is PingAccess, or its logout endpoints follow the PingAccess path convention.
policyGroup ResourceLink The Open ID Connect policy. A null value will represent the default policy group.
sectorIdentifierUri string The URI references a file with a single JSON array of Redirect URI and JWKS URL values.

ClientAuth - Client Authentication.

Property Type Description
clientCertIssuerDn string Client TLS Certificate Issuer DN.
clientCertSubjectDn string Client TLS Certificate Subject DN.
encryptedSecret string For GET requests, this field contains the encrypted client secret, if one exists. For POST and PUT requests, if you wish to reuse the existing secret, this field should be passed back unchanged.
enforceReplayPrevention boolean Enforce replay prevention on JSON Web Tokens. This field is applicable only for Private Key JWT Client Authentication.
secret string Client secret for Basic Authentication. To update the client secret, specify the plaintext value in this field. This field will not be populated for GET requests.
tokenEndpointAuthSigningAlgorithm TokenEndpointAuthSigningAlgorithm The JSON Web Signature [JWS] algorithm that must be used to sign the JSON Web Tokens. This field is applicable only for Private Key JWT Client Authentication. All signing algorithms are allowed if the value is not present.
RS256 - RSA using SHA-256
RS384 - RSA using SHA-384
RS512 - RSA using SHA-512
ES256 - ECDSA using P256 Curve and SHA-256
ES384 - ECDSA using P384 Curve and SHA-384
ES512 - ECDSA using P521 Curve and SHA-512
PS256 - RSASSA-PSS using SHA-256 and MGF1 padding with SHA-256
PS384 - RSASSA-PSS using SHA-384 and MGF1 padding with SHA-384
PS512 - RSASSA-PSS using SHA-512 and MGF1 padding with SHA-512
RSASSA-PSS is only supported with SafeNet Luna, Thales nCipher or Java 11.
type ClientAuthType Client authentication type.
The required field for type SECRET is secret.
The required fields for type CERTIFICATE are clientCertIssuerDn and clientCertSubjectDn.
The required field for type PRIVATE_KEY_JWT is: either jwks or jwksUrl.

JwksSettings - JSON Web Key Set Settings.

Property Type Description
jwks string JSON Web Key Set (JWKS) document of the OAuth client. Either ‘jwks’ or ‘jwksUrl’ must be provided if private key JWT client authentication or signed requests is enabled. If the client signs its JWTs using an RSASSA-PSS signing algorithm, PingFederate must either use Java 11 or be integrated with a hardware security module (HSM) to process the digital signatures.
jwksUrl string JSON Web Key Set (JWKS) URL of the OAuth client. Either ‘jwks’ or ‘jwksUrl’ must be provided if private key JWT client authentication or signed requests is enabled. If the client signs its JWTs using an RSASSA-PSS signing algorithm, PingFederate must either use Java 11 or be integrated with a hardware security module (HSM) to process the digital signatures.

ParameterValues - Parameter Values.

Property Type Description
values array[string] A list of values.
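
A review check over the Client, ClientAuth and ClientOIDCPolicy models documented above, as an added example (not part of the PingFederate documentation or product): it takes the JSON body this endpoint returns and flags the settings whose descriptions mark them as permissive. The sample client is constructed, and the `AUTHORIZATION_CODE` grant type value is an assumption, since the page does not list the GrantType enum.

```python
import json

def audit_client(client):
    """Return (property, note) pairs for permissive settings in a Client model."""
    out = []
    auth = client.get("clientAuth")
    oidc = client.get("oidcPolicy") or {}
    if not auth:
        out.append(("clientAuth", "null: no client authentication is used"))
    elif auth.get("type") == "PRIVATE_KEY_JWT":
        if not auth.get("enforceReplayPrevention"):
            out.append(("clientAuth.enforceReplayPrevention", "JWT replay prevention is off"))
        if not auth.get("tokenEndpointAuthSigningAlgorithm"):
            out.append(("clientAuth.tokenEndpointAuthSigningAlgorithm",
                        "not present: all signing algorithms are allowed"))
    for uri in client.get("redirectUris") or []:
        if "*" in uri:
            out.append(("redirectUris", "wildcard URI: " + uri))
    # Assumption: AUTHORIZATION_CODE is the GrantType value for the code grant;
    # the page does not list the GrantType enum.
    if ("AUTHORIZATION_CODE" in (client.get("grantTypes") or [])
            and not client.get("requireProofKeyForCodeExchange")):
        out.append(("requireProofKeyForCodeExchange", "PKCE is not required"))
    if client.get("requireSignedRequests") and not client.get("requestObjectSigningAlgorithm"):
        out.append(("requestObjectSigningAlgorithm",
                    "not present: all signing algorithms are allowed"))
    if oidc.get("idTokenSigningAlgorithm") == "NONE":
        out.append(("oidcPolicy.idTokenSigningAlgorithm", "ID Tokens carry no signature"))
    if client.get("persistentGrantExpirationTime") == -1:
        out.append(("persistentGrantExpirationTime", "-1: grants last indefinitely"))
    if client.get("bypassApprovalPage"):
        out.append(("bypassApprovalPage", "approval page skipped; confirm the client is trusted"))
    return out

# Constructed response body for GET /oauth/clients/{{oauthClientId}} (not real data).
SAMPLE = json.loads("""{
  "clientId": "example-client", "name": "Example client",
  "grantTypes": ["AUTHORIZATION_CODE"],
  "redirectUris": ["https://*.example.test/*", "https://app.example.test/cb"],
  "bypassApprovalPage": true, "requireProofKeyForCodeExchange": false,
  "requireSignedRequests": true, "persistentGrantExpirationTime": -1,
  "clientAuth": {"type": "PRIVATE_KEY_JWT", "enforceReplayPrevention": false,
                 "tokenEndpointAuthSigningAlgorithm": "RS256"},
  "oidcPolicy": {"idTokenSigningAlgorithm": "NONE"}
}""")

if __name__ == "__main__":
    for prop, note in audit_client(SAMPLE):
        print(f"{prop}: {note}")
```

The `encryptedSecret` value in a real response is still credential material, so the check reads only configuration flags and never prints the `clientAuth` object itself.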