Client attributes are arbitrary key-value pairs associated with an individual client. An authorization server can use them, for example, to record affiliations or roles of clients, to control authentication and authorization flows, and to decide which scopes an access token receives and which claims go into an ID token. Resource servers can also use the client attributes returned by token introspection to decide what API response should be returned to the requesting client.
This article describes how to configure the client attributes feature and its use cases.
This feature is available in Authlete version 2.2 or later.
To set client attributes, follow the steps below.
The following is an example of setting an attribute with “affiliation” as a key and “partner” as a value.
You can use client attributes in a variety of situations. Here are some typical use cases.
Client attributes can be obtained as part of the client information. The following is an example response from Authlete’s /client/get/{clientId} API.
  [...]
  "attributes": [
    {
      "key": "affiliation",
      "value": "partner"
    }
  ],
  [...]
Based on this response, an authorization server would determine that the client is an external partner application and could restrict which settings the client administrator is allowed to configure.
An authorization server can use client attributes obtained as a response from Authlete’s /auth/authorization API to control the subsequent authorization flow. The following is an example of an API response.
{
  "type": "authorizationResponse",
  "action": "INTERACTION",
  "client": {
    "attributes": [
      {
        "key": "affiliation",
        "value": "partner"
      }
    ],
    [...]
In this case, an authorization server would determine that this client is classified as a “partner” and, during user authentication or consent confirmation, would tell the user that the client requesting access is an external partner application.
Authlete’s token introspection response may also include client attributes. The following is an example response from the /auth/introspection API.
{
  "type": "introspectionResponse",
  "action": "OK",
  "clientAttributes": [
    {
      "key": "affiliation",
      "value": "partner"
    }
  ],
  [...]
}
Based on these attributes, a resource server would be able to determine that the client presenting the access token is an external partner application and shape the API response accordingly.
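The two consumers described above, the authorization server reading client.attributes from /auth/authorization and the resource server reading clientAttributes from /auth/introspection, share one small step: turning Authlete's list of key/value objects into something a policy can query. The following is an added example, not Authlete's own code or a sample from this article. The two response bodies are constructed to match the shapes shown above; the consent-notice and field-filtering policies, the record fields, and the "partner" handling are hypothetical illustrations of what a deployment might do with the affiliation attribute.

```python
"""Added example (not Authlete's code): reading client attributes out of
/auth/authorization and /auth/introspection responses and using them in
authorization-server and resource-server decisions."""
import json

# Constructed sample in the shape of an /auth/authorization response.
AUTHORIZATION_RESPONSE = json.dumps({
    "type": "authorizationResponse",
    "action": "INTERACTION",
    "client": {
        "attributes": [{"key": "affiliation", "value": "partner"}],
    },
})

# Constructed sample in the shape of an /auth/introspection response.
INTROSPECTION_RESPONSE = json.dumps({
    "type": "introspectionResponse",
    "action": "OK",
    "clientAttributes": [{"key": "affiliation", "value": "partner"}],
})


def attributes_as_dict(attribute_list):
    """Convert Authlete's [{"key": ..., "value": ...}, ...] list to a dict.

    A missing or null list is treated as empty; entries without a key are
    skipped; if a key repeats, the last value wins."""
    result = {}
    for entry in attribute_list or []:
        key = entry.get("key")
        if key is not None:
            result[key] = entry.get("value")
    return result


def client_attributes_from_authorization(response_json):
    """Authorization server side: attributes sit under client.attributes."""
    data = json.loads(response_json)
    return attributes_as_dict(data.get("client", {}).get("attributes"))


def client_attributes_from_introspection(response_json):
    """Resource server side: attributes sit under clientAttributes.

    Returns None unless the action is OK, so that a caller never acts on
    attributes attached to a token Authlete did not accept."""
    data = json.loads(response_json)
    if data.get("action") != "OK":
        return None
    return attributes_as_dict(data.get("clientAttributes"))


def consent_screen_notice(attributes):
    """Hypothetical policy: extra text shown to the user during consent
    when the requesting client is affiliated as a partner."""
    if attributes.get("affiliation") == "partner":
        return "This application is operated by an external partner."
    return None


INTERNAL_ONLY_FIELDS = {"internal_note"}  # hypothetical field name


def filter_api_response(record, attributes):
    """Hypothetical policy: strip internal-only fields from the API response
    when the access token belongs to a partner client."""
    if attributes.get("affiliation") == "partner":
        return {k: v for k, v in record.items() if k not in INTERNAL_ONLY_FIELDS}
    return dict(record)


if __name__ == "__main__":
    authz_attrs = client_attributes_from_authorization(AUTHORIZATION_RESPONSE)
    print("consent notice:", consent_screen_notice(authz_attrs))
    intro_attrs = client_attributes_from_introspection(INTROSPECTION_RESPONSE)
    record = {"id": 42, "name": "example", "internal_note": "do not expose"}
    print("API response:", filter_api_response(record, intro_attrs))
```

The introspection helper deliberately returns None rather than an empty dict when the action is anything other than OK: an empty attribute set would silently fall through to the default policy, whereas None forces the resource server to reject the request before any attribute-driven logic runs.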