Client Attributes

Overview

Client attributes are arbitrary key-value pairs associated with a client on a per-client basis. An authorization server can use them, for example, to define affiliations or roles of clients, to control authentication and authorization flows, and to determine the scopes of access tokens and the claims in ID tokens it issues. Resource servers can also use the client attributes returned by token introspection to decide what API response should be returned to the requesting client.

Figure: Client attributes

This article describes how to configure the client attributes feature and its use cases.

This feature is available in Authlete version 2.2 or later.


Configuration

To set client attributes, follow the steps below.

  1. Log in to the Authlete Management Console
  2. Click on your Organization name and choose your Service.
  3. Navigate to Client Settings > Basic Settings > Advanced
  4. Scroll down to Client Attributes and click the add button.
  5. Enter the “Key” and “Value” of the new attribute and click the Save button. Note that the key and value of each attribute are treated as strings.
  6. Click Save Changes to apply updates.

The following is an example of setting an attribute with “affiliation” as a key and “partner” as a value.

Figure: Configuration of client attributes

Use cases

You can use client attributes in a variety of situations. Here are some typical use cases.

Control of Configuration Items in Client Management

Client attributes can be obtained as part of the client information. The following is an example response from Authlete’s /client/get/{clientId} API.

[...]
  "attributes": [
    {
      "key": "affiliation",
      "value": "partner"
    }
  ],
[...]

Based on this response, the authorization server identifies the client as an external partner application and regulates the items that the client administrator is permitted to configure.

Control of authorization flows

An authorization server can use client attributes obtained as a response from Authlete’s /auth/authorization API to control the subsequent authorization flow. The following is an example of an API response.

{
  "type": "authorizationResponse",
  "action": "INTERACTION",
  "client": {
    "attributes": [
      {
        "key": "affiliation",
        "value": "partner"
      }
    ],
[...]

In this case, the authorization server identifies the client as a ‘partner’ and informs the user during authentication or consent confirmation that the client requesting access is an external partner application.

Control of API responses

Authlete’s token introspection response may include client attributes. The following is an example response from the /auth/introspection API.

{
    "type": "introspectionResponse",
    "action": "OK",
    "clientAttributes": [
        {
            "key": "affiliation",
            "value": "partner"
        }
    ],
    [...]
}

Based on these attributes, a resource server can determine that the client making the API request with the access token is an external partner application and shape the API response accordingly.
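As an added example (not Authlete’s own code), the following Python shows how a resource server might act on the introspection response above: it reads the client attributes only when the token is valid, maps them to a dict of string values, and filters the fields of a resource record by the client’s affiliation. The record fields, the “internal” affiliation value, the field policy and the action value used for a rejected token are assumptions for the example.

```python
import json

# Constructed sample in the shape of the /auth/introspection response shown
# above; only "type", "action" and "clientAttributes" come from the page.
VALID_INTROSPECTION = json.dumps({
    "type": "introspectionResponse",
    "action": "OK",
    "clientAttributes": [{"key": "affiliation", "value": "partner"}],
})
# Constructed: a response for a token Authlete rejects. The exact "action"
# value for a rejected token is assumed here, not taken from the page.
REJECTED_INTROSPECTION = json.dumps({
    "type": "introspectionResponse",
    "action": "UNAUTHORIZED",
})

# Which record fields each affiliation may see (assumed policy for the
# example). Any other or missing affiliation gets the most restrictive set.
FIELDS_BY_AFFILIATION = {
    "internal": {"id", "name", "email", "internal_notes"},
    "partner": {"id", "name"},
}
MINIMAL_FIELDS = {"id"}


def client_attributes(resp: dict) -> dict:
    """Map the clientAttributes array to {key: value}, every value a string.

    Attributes are read only when action is "OK": on any other action the
    token is not valid, so no client identity should be derived from it.
    """
    if resp.get("action") != "OK":
        return {}
    return {a["key"]: str(a["value"])
            for a in resp.get("clientAttributes", []) if "key" in a}


def build_api_response(introspection_json: str, record: dict) -> tuple:
    """Return (status, body) for a resource request, filtered by affiliation."""
    resp = json.loads(introspection_json)
    if resp.get("action") != "OK":
        # Do not return data, even a partial record, on an invalid token.
        return 401, {"error": "invalid_token"}
    affiliation = client_attributes(resp).get("affiliation")
    allowed = FIELDS_BY_AFFILIATION.get(affiliation, MINIMAL_FIELDS)
    return 200, {k: v for k, v in record.items() if k in allowed}
```

The same attribute lookup applies to the /client/get/{clientId} and /auth/authorization responses shown earlier, whose attributes live under "attributes" rather than "clientAttributes".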


See also