
OIDC Clients

An OIDC client represents an application that authenticates users through Parako.ID. Each client has a unique client_id and, for confidential clients, a client_secret. Six presets cover the standard application shapes; you can fine-tune any field after creation.

| Preset | Auth method | Secret | PKCE | Use case |
|---|---|---|---|---|
| Regular Web Application | client_secret_basic | Yes | Optional | Server-rendered apps (Node.js, PHP, Ruby) |
| Single Page Application | none | No | Required | Client-side JavaScript (React, Vue, Angular) |
| Native / Mobile Application | none | No | Required | iOS, Android, desktop |
| Machine-to-Machine (M2M) | client_secret_basic | Yes | No | Backend services, daemons |
| Device Flow | client_secret_post | Yes | No | Smart TVs, CLIs, IoT (RFC 8628) |
| Management API | client_secret_basic | Yes | No | Programmatic access to the Management API |

Each preset sets application_type, grant_types, response_types, token_endpoint_auth_method, and scope to safe defaults. The preset is immutable after creation.

pnpm client list # list registered clients
pnpm client add # interactive wizard

The wizard prompts for client type, name, redirect URIs, and allowed scopes, then prints the client_id and client_secret. Copy the secret immediately — it is encrypted at rest and cannot be retrieved afterward.

For inspecting, updating, removing, importing, or exporting clients, use the admin panel or the Management API. The shape of runtime/parako-rp.jsonc is documented in parako-rp.example.json.

Sign in at /admin with an admin account. Under OIDC Clients, choose a preset, fill in the quick-start fields (name, description, redirect URIs, post-logout redirect URIs), and optionally expand OIDC Configuration / Advanced Settings / Resource Indicators / Management API Scope pickers. The secret is displayed once on save.

Edit, activate / deactivate, regenerate secret, and delete are all available from the same panel. See Admin Panel.

Clients defined in runtime/parako-rp.jsonc are loaded at startup. They are not shown in the admin panel; edit the file to modify them.

| Field | Type | Description |
|---|---|---|
| client_id | string | Unique identifier (auto-generated or custom) |
| client_secret | string | Encrypted at rest |
| client_name | string | Display name |
| application_type | string | web, native, or spa |
| redirect_uris | string[] | Allowed redirect URIs |
| post_logout_redirect_uris | string[] | Allowed post-logout redirect URIs |
| grant_types | string[] | Allowed grant types |
| response_types | string[] | Allowed response types |
| scope | string | Space-separated allowed scopes |
| token_endpoint_auth_method | string | How the client authenticates at the token endpoint |
| require_pkce | boolean | Whether PKCE is required |
| id_token_signed_response_alg | string | ID-token signing algorithm (default: RS256) |
| subject_type | string | public or pairwise |
| allowedResources | string[] | Resource-server URIs this client can request tokens for (RFC 8707) |
| resourcesScopes | string | Space-separated scopes for resource-server access |
| isInternalClient | boolean | First-party flag — bypasses consent, blocked from DCR (admin-only) |

| Field | Type | Description |
|---|---|---|
| description | string | Free-text |
| active | boolean | false rejects the client at the token endpoint |
| preset | string | web, spa, native, m2m, device, api_management — immutable |
| client_uri | string | Home page URL |
| logo_uri | string | Logo URL |
| policy_uri | string | Privacy policy URL |
| tos_uri | string | Terms-of-service URL |
| tags | string[] | Filtering and grouping |
| contacts | string[] | Owner emails |
| default_max_age | number | Default max auth age (seconds) |
| Grant | Use case | Auth method | Secret required | PKCE | Notes |
|---|---|---|---|---|---|
| Authorization Code + PKCE | Web, SPA, native, mobile | client_secret_basic / none | Confidential clients only | Required for public clients (OAuth 2.1) | Standard interactive flow |
| Client Credentials | M2M, backend services | client_secret_basic | Yes | No | No user context; aud from resource |
| Device Flow (RFC 8628) | Smart TVs, CLIs, IoT | client_secret_post | Yes | No | /oidc/v1/device/auth; user-code TTL 600s |
| Refresh Token | Confidential clients, native apps | varies | varies | n/a | Include offline_access; tokens rotate on use |

Token TTLs for each grant are listed in OIDC Endpoints → Token TTLs.

Resource Indicators let clients request audience-restricted tokens scoped to a specific resource server.

Parako.ID ships a built-in resource server at urn:parako:api:v1. Management-API-preset clients have this resource pre-configured; tokens issued for it are JWTs with aud: "urn:parako:api:v1". The full scope list and risk-tier taxonomy live in Management API → Authorization Scopes.

M2M clients can target your own resource servers. Set allowedResources to your URIs and resourcesScopes to the space-separated scopes your resource server accepts. Tokens can be jwt (aud = resource URI) or opaque depending on your resource server.

RFC 7591 DCR can be enabled in configuration:

{
  "features": {
    "oidc": {
      "dynamic_client_registration": { "enabled": true },
    },
  },
}

Important: When DCR is enabled, require_initial_access_token is always enforced regardless of configuration. Open registration without an initial access token is never permitted.

Generate an initial access token via the Management API with the parako:registration-tokens:write scope, then:

curl -X POST https://your-host/oidc/v1/register-rp \
  -H "Authorization: Bearer INITIAL_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "client_name": "Dynamic App",
    "redirect_uris": ["https://app.example.com/callback"],
    "grant_types": ["authorization_code"],
    "response_types": ["code"],
    "token_endpoint_auth_method": "none"
  }'

Programmatic management via REST. All endpoints require a valid token with the appropriate scope, issued for urn:parako:api:v1. See Management API for authentication and the full scope list.

| Method | Path | Scope | Description |
|---|---|---|---|
| GET | /api/v1/clients | parako:clients:read | List |
| POST | /api/v1/clients | parako:clients:write | Create |
| GET | /api/v1/clients/:client_id | parako:clients:read | Read |
| PUT | /api/v1/clients/:client_id | parako:clients:write | Full update |
| PATCH | /api/v1/clients/:client_id | parako:clients:write | Partial update |
| DELETE | /api/v1/clients/:client_id | parako:clients:delete | Delete |
| POST | /api/v1/clients/:client_id/activate | parako:clients:write | Activate |
| POST | /api/v1/clients/:client_id/deactivate | parako:clients:write | Deactivate |
| POST | /api/v1/clients/:client_id/secret | parako:clients:delete | Regenerate secret |
| GET | /api/v1/clients/:client_id/stats | parako:clients:read | Usage stats |

| Method | Path | Scope | Description |
|---|---|---|---|
| GET | /api/v1/registration-tokens | parako:registration-tokens:read | List |
| POST | /api/v1/registration-tokens | parako:registration-tokens:write | Create |
| GET | /api/v1/registration-tokens/:jti | parako:registration-tokens:read | Read |
| DELETE | /api/v1/registration-tokens/:jti | parako:registration-tokens:delete | Revoke |

Secrets are encrypted at rest using ENCRYPTION_KEY. Rotate via the Management API or the admin panel; the old secret is immediately invalidated.

curl -X POST https://your-host/api/v1/clients/CLIENT_ID/secret \
  -H "Authorization: Bearer API_TOKEN"