This chapter describes in detail the XML structure of the client configuration file format.

Some elements are only relevant for those F2 applications that function as identity providers using OpenID Connect (F2AuthenticateService and IdentityHub). These elements are marked with [IDP].

This is the root element for the client configuration file.

A client configuration (repeatable).

This element represents the configuration of a single client.

- Client ID.
- Client secret. Use a complex secret that is difficult to guess!
- Description of the client.
- If true then clients are required to supply passwords for the F2 users they login as. Usually this is set to false, such that F2 user passwords can be left out of the configuration of the third-party clients, in which case the client secret is the only credential needed.
- If true then allow client to supply its Client ID in the body of OAuth2 token requests.
- If true then allow client to authenticate with an F2 desktop-client session ID.
- If true then allow client to authenticate with a JWT identity from a third-party identity provider.
- If true then allow client to authenticate with an OAuth2 authorization code.
- If true then allow client to login on behalf of any F2 user. This cannot be combined with RequireUserPassword set to false!
- If true then allow client to access the distributed requisition part of F2-REST.
- List of F2 users the client is allowed to login on behalf of.
- Defines the "intended audience" value of OpenID Connect ID-tokens. Default is to use the Client ID if IntendedAudience is not specified [IDP].
- Defines a string template for merging an external identity provider's SAML attributes into an identity string [IDP].
- Name of JWT claim for F2 user identity in OpenID Connect ID-tokens [IDP].
- Method for signing OpenID Connect responses [IDP].
- List of allowed redirect URLs [IDP].
- URL for logout on clients that use OpenID Connect [IDP]. Wildcards * and ? can be used for URL matching. This is the default logout URL if nothing is specified by the client. Logout URLs are validated against both LogoutUrl and all of the URLs in RedirectUrls.
- Configuration for clients that integrate with F2-Desktop's "Document selection" feature. This is only used with F2-Service.
- How many seconds a custom query should run before timing out. This value can be overridden by the custom query itself. Default: 5
- List of allowed redirect URLs [IDP].

This element represents the configuration of the signing method to use when signing OpenID Connect ID-tokens [IDP].

- Location of certificate.
- Thumbprint identifying certificate.
- Method to use for signing tokens.

- Current user certificate store.
- Machine certificate store.
- Use client secret for signing.
- Use a certificate for signing.

This element represents the list of F2 users a client is allowed to login as.

F2 username

This element represents the list of allowed redirect URLs for a client.

Redirect URL for either login or logout (repeatable). Wildcards * and ? can be used for URL matching.
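
As an added example (not part of the F2 documentation or product code), this Python code shows how `*` and `?` patterns in the redirect and logout URL lists behave, and flags patterns whose wildcard reaches into the host part. The matching semantics (`*` matches any run of characters including `/`, `?` matches exactly one character, case-sensitive full-string match) and all function names and URLs are assumptions; confirm how F2 actually matches before relying on them.

```python
import re

def glob_to_regex(pattern):
    """Translate a * / ? URL pattern into a regex (assumed semantics, see lead-in)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")   # assumption: * also spans "/" and "."
        elif ch == "?":
            parts.append(".")    # assumption: ? is exactly one character
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)

def url_matches(url, pattern):
    """True if the whole URL matches the pattern."""
    return glob_to_regex(pattern).fullmatch(url) is not None

def logout_url_allowed(url, logout_url, redirect_urls):
    """Logout URLs are checked against LogoutUrl and every RedirectUrls entry."""
    candidates = ([logout_url] if logout_url else []) + list(redirect_urls)
    return any(url_matches(url, p) for p in candidates)

def audit_pattern(pattern):
    """Return warnings for patterns that do not pin scheme and host literally."""
    m = re.match(r"^([^:/?#*]+)://([^/]*)(.*)$", pattern)
    if not m:
        return ["no literal scheme://host prefix"]
    host = m.group(2)
    if "*" in host or "?" in host:
        return ["wildcard in host"]
    return []

if __name__ == "__main__":
    # Constructed sample patterns; app.example.test and other.test are placeholders.
    patterns = [
        "https://app.example.test/*",    # wildcard confined to the path
        "https://app.example.test*",     # missing "/" lets * extend the host
        "https://*.example.test/cb",     # wildcard inside the host
    ]
    for p in patterns:
        print(p, "->", audit_pattern(p) or "ok")
    # What the two flagged patterns also accept under the assumed semantics:
    print(url_matches("https://app.example.test.other.test/", patterns[1]))
    print(url_matches("https://other.test/x.example.test/cb", patterns[2]))
```

Because logout URLs are validated against the union of LogoutUrl and RedirectUrls, a broad entry in RedirectUrls also widens the set of accepted logout targets.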

This element represents the configuration of F2-Desktop's "document selection" feature.

- URL to POST result to.
- Format of payload.

- Data serialized in JSON format.
- Data serialized in XML format.