Interface: Client
March 19, 2026
Recognized Client Metadata that have an effect on the exposed functionality.
See
IANA OAuth Client Registration Metadata registry
Indexable
[metadata: string]: JsonValue | undefined
Properties
client_id
• client_id: string
Client identifier.
[clockSkew]?
• optional [clockSkew]?: number
See clockSkew.
[clockTolerance]?
• optional [clockTolerance]?: number
See clockTolerance.
authorization_signed_response_alg?
• optional authorization_signed_response_alg?: string
JWS alg algorithm required for signing authorization responses. When not configured the default is to allow only algorithms listed in as.authorization_signing_alg_values_supported and fall back to RS256 when the authorization server metadata is not set.
default_max_age?
• optional default_max_age?: number
Default Maximum Authentication Age.
id_token_signed_response_alg?
• optional id_token_signed_response_alg?: string
JWS alg algorithm required for signing the ID Token issued to this Client. When not configured the default is to allow only algorithms listed in as.id_token_signing_alg_values_supported and fall back to RS256 when the authorization server metadata is not set.
introspection_signed_response_alg?
• optional introspection_signed_response_alg?: string
JWS alg algorithm REQUIRED for signed introspection responses. When not configured the default is to allow only algorithms listed in as.introspection_signing_alg_values_supported and fall back to RS256 when the authorization server metadata is not set.
require_auth_time?
• optional require_auth_time?: boolean
Boolean value specifying whether the auth_time Claim in the ID Token is REQUIRED. Default is false.
use_mtls_endpoint_aliases?
• optional use_mtls_endpoint_aliases?: boolean
Indicates the requirement for a client to use mutual TLS endpoint aliases defined by the AS where present. Default is false.
When combined with customFetch (to use a Fetch API implementation that supports client certificates) this can be used to target security profiles that utilize Mutual-TLS for either client authentication or sender constraining.
Examples
(Node.js) Using nodejs/undici for Mutual-TLS Client Authentication and Certificate-Bound Access Tokens support.
```ts
import * as oauth from 'oauth4webapi'
import * as undici from 'undici'

let as!: oauth.AuthorizationServer
let client!: oauth.Client & { use_mtls_endpoint_aliases: true }
let params!: URLSearchParams
let key!: string // PEM-encoded key
let cert!: string // PEM-encoded certificate

let clientAuth = oauth.TlsClientAuth()
// Dispatcher that presents the client certificate on the connections it opens
let agent = new undici.Agent({ connect: { key, cert } })

let response = await oauth.pushedAuthorizationRequest(as, client, clientAuth, params, {
  // @ts-ignore
  [oauth.customFetch]: (...args) =>
    undici.fetch(args[0], { ...args[1], dispatcher: agent }),
})
```
(Deno) Using Deno.createHttpClient API for Mutual-TLS Client Authentication and Certificate-Bound Access Tokens support.
```ts
let as!: oauth.AuthorizationServer
let client!: oauth.Client & { use_mtls_endpoint_aliases: true }
let params!: URLSearchParams
let key!: string // PEM-encoded key
let cert!: string // PEM-encoded certificate

let clientAuth = oauth.TlsClientAuth()
// @ts-ignore
let agent = Deno.createHttpClient({ key, cert })

let response = await oauth.pushedAuthorizationRequest(as, client, clientAuth, params, {
  // @ts-ignore
  [oauth.customFetch]: (...args) => fetch(args[0], { ...args[1], client: agent }),
})
```
See
RFC 8705 - OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
userinfo_signed_response_alg?
• optional userinfo_signed_response_alg?: string
JWS alg algorithm REQUIRED for signing UserInfo Responses. When not configured the default is to allow only algorithms listed in as.userinfo_signing_alg_values_supported and fail otherwise.
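The defaults described for the four `*_signed_response_alg` properties, written out as an added example that is not oauth4webapi's own code. The names `allowedAlgs`, `headerAlg` and `isAlgAllowed` are hypothetical, and the metadata objects and JWS strings are constructed sample values.

```typescript
// Added illustration of the documented defaults; not oauth4webapi's own code.
type Kind = 'authorization' | 'id_token' | 'introspection' | 'userinfo'
type Meta = { [metadata: string]: unknown }

// Algorithms acceptable for one kind of signed response, per the rules above.
function allowedAlgs(kind: Kind, as: Meta, client: Meta): string[] {
  const configured = client[kind + '_signed_response_alg']
  if (typeof configured === 'string') return [configured] // client setting is required as-is
  const supported = as[kind + '_signing_alg_values_supported']
  if (Array.isArray(supported)) {
    return supported.filter((a): a is string => typeof a === 'string')
  }
  // AS metadata not set: RS256 fallback, except UserInfo, which fails.
  return kind === 'userinfo' ? [] : ['RS256']
}

const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'

// Reads "alg" from the protected header of a compact JWS (header assumed ASCII JSON).
function headerAlg(jws: string): string {
  const segment = jws.split('.')[0] ?? ''
  let bits = 0, count = 0, json = ''
  for (let i = 0; i < segment.length; i++) {
    const v = B64URL.indexOf(segment.charAt(i))
    if (v < 0) throw new Error('invalid base64url in JWS header')
    bits = ((bits << 6) | v) & 0xfff
    count += 6
    if (count >= 8) {
      count -= 8
      json += String.fromCharCode((bits >> count) & 0xff)
    }
  }
  const alg = JSON.parse(json).alg
  if (typeof alg !== 'string') throw new Error('JWS header has no "alg"')
  return alg
}

// True when the response's header algorithm is acceptable for this client and AS.
function isAlgAllowed(kind: Kind, as: Meta, client: Meta, jws: string): boolean {
  return allowedAlgs(kind, as, client).indexOf(headerAlg(jws)) !== -1
}

// Constructed sample values: real headers, placeholder payload and signature.
const es256Jws = 'eyJhbGciOiJFUzI1NiJ9.e30.c2ln'
const rs256Jws = 'eyJhbGciOiJSUzI1NiJ9.e30.c2ln'
const asMeta: Meta = { issuer: 'https://as.example', id_token_signing_alg_values_supported: ['ES256'] }
const clientMeta: Meta = { client_id: 'example-client' }
console.log(isAlgAllowed('id_token', asMeta, clientMeta, rs256Jws))
```

This covers algorithm acceptance only; verifying the signature itself is a separate step.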