Flags Supported in Authlete

Overview

Over the years, Authlete has implemented a large number of standard specifications. Along the way there have been several occasions where changes to Authlete's implementation were necessary because of overlooked details, misinterpretations, or breaking changes in the specifications themselves. This article describes the flags that grew out of those challenges.

Service flags in Authlete provide essential configuration flexibility that allows developers to fine-tune the behavior of their OAuth 2.0 and OpenID Connect implementations. These boolean switches and configuration parameters enable organizations to balance strict specification compliance with practical deployment considerations.

Service flags serve multiple crucial purposes:

  • Allow gradual migration to stricter compliance requirements without breaking existing integrations
  • Provide options for handling edge cases or ambiguities in the specifications
  • Enable customization of security policies to meet specific organizational requirements
  • Facilitate interoperability with a wide range of client applications, including those that may not fully comply with the latest standards

Flags for Specification Compliance

The list below gives, for each Authlete service flag, its type, its default value, and the behavior it controls:

Service.missingClientIdAllowed (Boolean; default: False)
  When set to true or enabled in the console, the client is identified from the authorization code when the client_id request parameter is missing.

Service.claimShortcutRestrictive (Boolean; default: True)
  Ensures strict adherence to the OpenID Connect specification regarding claim embedding. When set to true or enabled in the console, claims requested by the profile, email, address, and phone scope values are only included in the ID Token if no Access Token is issued.

Service.dcrDuplicateSoftwareIdBlocked (Boolean; default: False)
  When set to True, Authlete rejects dynamic client registration requests containing an already registered software_id.

Service.dcrScopeUsedAsRequestable (Boolean; default: False)
  Limits the range of scopes that the client application can request. When set to True, Authlete follows RFC 7591 by treating the scopes specified during dynamic client registration as the client's requestable scopes.

Service.frontChannelRequestObjectEncryptionRequired (Boolean; default: False)
  When set to True, a request object sent via the front channel must be encrypted.

Service.idTokenAudType (Array, String, or Null; default: Null)
  Addresses the JWT specification's flexibility: the aud claim may be either an array or a single string, which causes inconsistency in how receiving systems must process tokens. The setting can also be overridden at runtime with the idTokenAudType parameter of the Authlete APIs that issue ID tokens (such as /auth/authorization/issue).

Service.idTokenReissuable (Boolean; default: False)
  Controls whether the /auth/token API returns ID_TOKEN_REISSUABLE. When set to True, the /auth/token API returns "action": "ID_TOKEN_REISSUABLE" if all the conditions are met.

Service.issSuppressed (Boolean; default: False)
  When set to True, the iss response parameter is not included in the authorization response.

Service.loopbackRedirectionUriVariable (Boolean; default: False)
  Controls how the authorization server handles port numbers in loopback IP address redirection URIs during OAuth 2.0 flows. When set to True, the port number is treated as variable when the host part of the redirection URI is a loopback IP address, following RFC 8252 Section 7.3.

Service.nbfOptional (Boolean; default: False)
  When set to True, the authorization server does not enforce the request object lifespan check, even in scenarios where FAPI 1.0 Part 2 compliance would normally require it. In other words, the nbf claim is treated as optional rather than mandatory.

Service.refreshTokenIdempotent (Boolean; default: False)
  When set to True or enabled in the console, ensures consistent results for duplicate token refresh requests within a 60-second window, preventing issues when the same refresh token is used multiple times.

Service.refreshTokenKept (Boolean; default: True)
  Controls the behavior of refresh token rotation. When set to True, refresh token rotation does not occur.

Service.requestObjectEncryptionAlgMatchRequired (Boolean; default: False)
  When set to True, the algorithm specified in the alg parameter of the encrypted request object must be a specific value.

Service.requestObjectEncryptionEncMatchRequired (Boolean; default: False)
  When set to True, the algorithm specified in the enc parameter of the encrypted request object must be a specific value.

Service.scopeRequired (Boolean; default: False)
  Controls how authorization requests without a scope parameter are handled. When set to True, authorization requests without a scope parameter either use the configured default scopes or are rejected with an invalid scope error if no defaults exist.

Service.traditionalRequestObjectProcessingApplied (Boolean; default: False)
  Allows switching between processing request objects using the OIDC Core method (for backward compatibility) or the RFC 9101 method.

Service.unauthorizedOnClientConfigSupported (Boolean; default: False)
  When this flag is set to true, Authlete returns UNAUTHORIZED where applicable. When false, for backward compatibility, Authlete returns BAD_REQUEST instead (even though this does not strictly follow RFC 7592).
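The Service.loopbackRedirectionUriVariable entry above describes the RFC 8252 Section 7.3 rule for native apps. The Python below is an added illustration of that matching rule written for this article, not Authlete's own code; the registered redirect URIs are a constructed list for a hypothetical native client, and the rule is applied only to literal loopback IP hosts over http, never to "localhost", which the RFC discourages.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed registered redirect URIs for a hypothetical native client.
REGISTERED_REDIRECT_URIS = [
    "http://127.0.0.1:8080/callback",
    "http://[::1]:8080/callback",
    "https://app.example.com/callback",
]


def _is_loopback_host(host: str) -> bool:
    """True only for literal loopback IP addresses (127.0.0.0/8, ::1).
    A hostname such as "localhost" is not accepted: it may resolve elsewhere."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def _components(uri: str):
    p = urlsplit(uri)
    return p.scheme.lower(), (p.hostname or "").lower(), p.port, p.path, p.query, p.fragment


def redirect_uri_matches(registered: str, requested: str, loopback_port_variable: bool) -> bool:
    """Exact string-component comparison of a redirect_uri against a registered value.

    When loopback_port_variable is True (the flag set to True), the port alone may
    differ, and only when the registered URI is http to a loopback IP address."""
    r_scheme, r_host, r_port, r_path, r_query, r_frag = _components(registered)
    q_scheme, q_host, q_port, q_path, q_query, q_frag = _components(requested)
    if (r_scheme, r_host, r_path, r_query, r_frag) != (q_scheme, q_host, q_path, q_query, q_frag):
        return False
    if r_port == q_port:
        return True
    return loopback_port_variable and r_scheme == "http" and _is_loopback_host(r_host)


def find_registered(requested: str, registered_uris, loopback_port_variable: bool):
    """Return the registered URI the request matches, or None to reject the request."""
    for uri in registered_uris:
        if redirect_uri_matches(uri, requested, loopback_port_variable):
            return uri
    return None
```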

Configure Flags in the Management Console

Starting with Authlete 3.0, flags have been introduced in the management console to enforce strict requirements to meet OAuth/OIDC specifications.

The following sections demonstrate configuring service setting flags in the Authlete Management Console:

Client ID Omission

To configure the Service.missingClientIdAllowed flag in the management console:

  1. Navigate to Service Settings > Endpoints > Token > General
  2. To enable the flag, toggle the "Client ID Omission" option.
  3. Click Save Changes to apply the updates.

Restrict Shortcut

To configure the Service.claimShortcutRestrictive flag in the management console:

  1. Navigate to Service Settings > Tokens and Claims > Claims > Supported Claims
  2. To turn on, toggle the “Restrict Shortcut” option.
  3. Click Save Changes to apply the updates.

DCR with Duplicate Software ID

To configure the Service.dcrDuplicateSoftwareIdBlocked flag in the management console:

  1. Navigate to Service Settings > Endpoints > Advanced > Dynamic Client Registration
  2. Go to "DCR with Duplicate Software ID" and toggle the Accept option.
  3. Click Save Changes to apply the updates.

DCR’s Scope Parameter

To configure the Service.dcrScopeUsedAsRequestable flag in the management console:

  1. Navigate to Service Settings > Endpoints > Advanced > Dynamic Client Registration
  2. Go to "DCR's Scope Parameter" and toggle the Enable option.
  3. Click Save Changes to apply the updates.

Encryption in Front Channel

To configure the Service.frontChannelRequestObjectEncryptionRequired flag in the management console:

  1. Navigate to Service Settings > Endpoints > Authorization > Request Object
  2. Go to "Encryption in Front Channel" and toggle the Require option.
  3. Click Save Changes to apply the updates.

Choose Audience Claim Format

To configure the Service.idTokenAudType flag in the management console:

  1. Navigate to Service Settings > Tokens and Claims > ID Token
  2. Open the “Choose Audience Claim Format” menu and select an option.
  3. Click Save Changes to apply the updates.

Enable Reissuable

To configure the Service.idTokenReissuable flag in the management console:

  1. Navigate to Service Settings > Tokens and Claims > ID Token
  2. Under the ID Tokens section, toggle the "Enable Reissuable" option.
  3. Click Save Changes to apply the updates.

Issuer Identification Response Parameter

To configure the Service.issSuppressed flag in the management console:

  1. Navigate to Service Settings > Endpoints > Authorization
  2. Under "Issuer Identification Response Parameter", toggle the Suppress iss Response Parameter option.
  3. Click Save Changes to apply the updates.

Loopback Redirection URI

To configure the Service.loopbackRedirectionUriVariable flag in the management console:

  1. Navigate to Service Settings > Endpoints > Authorization > General
  2. Go to "Loopback Redirection URI" and toggle the Loopback Redirection URI option.
  3. Click Save Changes to apply the updates.

nbf claim

To configure the Service.nbfOptional flag in the management console:

  1. Navigate to Service Settings > Endpoints > Authorization > Request Object
  2. Go to "nbf claim" and toggle the "Require" option.
  3. Click Save Changes to apply the updates.

Enable Idempotency

To configure the Service.refreshTokenIdempotent flag in the management console:

  1. Navigate to Service Settings > Tokens and Claims > Refresh Tokens > General
  2. Under Refresh Token Rotation, toggle the Enable Idempotency option.
  3. Click Save Changes to apply the updates.
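The Service.refreshTokenIdempotent flag configured here gives duplicate refresh requests within a 60-second window the same result. The Python below is an added in-memory model of that behavior written for this article, not Authlete's own code; it assumes refresh token rotation is enabled (Service.refreshTokenKept set to False), uses a constructed FakeClock so the window can be advanced deterministically, and contrasts the idempotent mode with plain rotation, where a replayed token fails with invalid_grant.

```python
import secrets
import time

WINDOW_SECONDS = 60  # duplicate refreshes within this window get the same result


class RefreshTokenEndpoint:
    """Constructed model of a token endpoint with refresh token rotation.

    With idempotent=True a refresh token replayed inside the window receives the
    cached response instead of invalid_grant (for example a client that retried
    after a network timeout and would otherwise lose its session)."""

    def __init__(self, idempotent: bool, clock=time.monotonic):
        self.idempotent = idempotent
        self.clock = clock
        self.valid = set()   # refresh tokens that may still be exchanged
        self.recent = {}     # consumed refresh token -> (consumed_at, response)

    def issue_refresh_token(self) -> str:
        token = secrets.token_urlsafe(32)
        self.valid.add(token)
        return token

    def refresh(self, refresh_token: str) -> dict:
        now = self.clock()
        if self.idempotent and refresh_token in self.recent:
            consumed_at, response = self.recent[refresh_token]
            if now - consumed_at <= WINDOW_SECONDS:
                return response             # duplicate request: same result
            del self.recent[refresh_token]  # window elapsed: old token stays dead
        if refresh_token not in self.valid:
            return {"error": "invalid_grant"}
        self.valid.discard(refresh_token)   # rotation consumes the presented token
        response = {
            "access_token": secrets.token_urlsafe(32),
            "refresh_token": self.issue_refresh_token(),
            "token_type": "Bearer",
        }
        if self.idempotent:
            self.recent[refresh_token] = (now, response)
        return response


class FakeClock:
    """Constructed clock: advance .now to move past the idempotency window."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now
```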

Enable Token Rotation

To configure the Service.refreshTokenKept flag in the management console:

  1. Navigate to Service Settings > Tokens and Claims > Refresh Tokens
  2. Under Refresh Token Rotation, toggle the "Enable Token Rotation" option. By default Enable Token Rotation is enabled.
  3. Click Save Changes to apply the updates.

Encryption Algorithm Match

To configure the Service.requestObjectEncryptionAlgMatchRequired flag in the management console:

  1. Navigate to Service Settings > Endpoints > Authorization > Request Object
  2. Go to the "Encryption Algorithm Match" option and toggle Require.
  3. Click Save Changes to apply the updates.

Encryption Encoding Algorithm Match

To configure the Service.requestObjectEncryptionEncMatchRequired flag in the management console:

  1. Navigate to Service Settings > Endpoints > Authorization > Request Object
  2. Go to the "Encryption Encoding Algorithm Match" option and toggle Require.
  3. Click Save Changes to apply the updates.

Requests Without Scope Parameter

To configure the Service.scopeRequired flag in the management console:

  1. Navigate to Service Settings > Tokens and Claims > Advanced > Scopes
  2. Go to "Requests Without Scope Parameter" and toggle Reject.
  3. Click Save Changes to apply the updates.

Request Object Processing

To configure the Service.traditionalRequestObjectProcessingApplied flag in the management console:

  1. Navigate to Service Settings > Endpoints > Authorization > Request Object
  2. Go to "Request Object Processing" and toggle the Enable JAR Compatibility option.
  3. Click Save Changes to apply the updates.

Return UNAUTHORIZED

To configure the Service.unauthorizedOnClientConfigSupported flag in the management console:

  1. Navigate to Service Settings > Endpoints > Advanced > Dynamic Client Registration
  2. Go to "Client Configuration Error Behavior" option and toggle Return UNAUTHORIZED.
  3. Click Save Changes to apply the updates.

Example Request

Service configuration for the Service.setUnauthorizedOnClientConfigSupported flag. The following example sends a POST request to /api/{serviceId}/service/update.

  • Authlete API request that updates the unauthorizedOnClientConfigSupported flag to true:

curl -v -X POST https://us.authlete.com/api/YOUR_SERVICE_ID/service/update \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
  -d '{
    "unauthorizedOnClientConfigSupported": true
  }'

Make sure to replace the following placeholders in the actual request:

  • YOUR_SERVICE_ID with your service ID
  • YOUR_ACCESS_TOKEN with the access token for your service credentials
  • The API cluster host (US, JP, EU, or BR) with the cluster your service belongs to

Further Reading