authlete_ruby_sdk 0.0.1.beta

data/lib/authlete/models/components/client_input.rb

@@ -0,0 +1,872 @@
+# Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT.
+
+# typed: true
+# frozen_string_literal: true
+
+
+module Authlete
+  module Models
+    module Components
+    
+
+      class ClientInput
+        extend T::Sig
+        include Crystalline::MetadataFields
+
+        # The name of the client application. This property corresponds to `client_name` in
+        # [OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
+        # 
+        field :client_name, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('clientName') } }
+        # Client names with language tags. If the client application has different names for different
+        # languages, this property can be used to register the names.
+        # 
+        field :client_names, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::TaggedValue)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('clientNames') } }
+        # The description about the client application.
+        field :description, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('description') } }
+        # Descriptions about the client application with language tags. If the client application has different
+        # descriptions for different languages, this property can be used to register the descriptions.
+        # 
+        field :descriptions, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::TaggedValue)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('descriptions') } }
+        # The value of the client's `client_id` property used in OAuth and OpenID Connect calls. By
+        # default, this is a string version of the `clientId` property.
+        # 
+        field :client_id_alias, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('clientIdAlias') } }
+        # Deprecated. Always set to `true`.
+        field :client_id_alias_enabled, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('clientIdAliasEnabled') } }
+        # The client type, either `CONFIDENTIAL` or `PUBLIC`. See [RFC 6749, 2.1. Client Types](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1)
+        # for details.
+        # 
+        field :client_type, Crystalline::Nilable.new(Models::Components::ClientType), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('clientType'), 'decoder': Utils.enum_from_string(Models::Components::ClientType, true) } }
+        # The application type. The value of this property affects the validation steps for a redirect URI.
+        # See the description about `redirectUris` property for more details.
+        # 
+        field :application_type, Crystalline::Nilable.new(Models::Components::ApplicationType), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('applicationType'), 'decoder': Utils.enum_from_string(Models::Components::ApplicationType, true) } }
+        # The URL pointing to the logo image of the client application.
+        # 
+        # This property corresponds to `logo_uri` in [OpenID Connect Dynamic Client Registration 1.0, 2.
+        # Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
+        # 
+        field :logo_uri, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('logoUri') } }
+        # Logo image URLs with language tags. If the client application has different logo images for
+        # different languages, this property can be used to register URLs of the images.
+        # 
+        field :logo_uris, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::TaggedValue)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('logoUris') } }
+        # An array of email addresses of people responsible for the client application.
+        # 
+        # This property corresponds to contacts in [OpenID Connect Dynamic Client Registration 1.0, 2. Client
+        # Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
+        # 
+        field :contacts, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('contacts') } }
+        # The flag to indicate whether this client use TLS client certificate bound access tokens.
+        # 
+        field :tls_client_certificate_bound_access_tokens, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tlsClientCertificateBoundAccessTokens') } }
+        # The unique identifier string assigned by the client developer or software publisher used by
+        # registration endpoints to identify the client software to be dynamically registered.
+        # 
+        # This property corresponds to the `software_id metadata` defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)
+        # of [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).
+        # 
+        field :software_id, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('softwareId') } }
+        # The unique identifier of the developer who created this client application.
+        # 
+        field :developer, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('developer') } }
+        # The version identifier string for the client software identified by the software ID.
+        # 
+        # This property corresponds to the software_version metadata defined in [2. Client Metadata](https://datatracker.ietf.org/doc/html/rfc7591#section-2)
+        # of [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591).
+        # 
+        field :software_version, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('softwareVersion') } }
+        # The hash of the registration access token for this client.
+        # 
+        field :registration_access_token_hash, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('registrationAccessTokenHash') } }
+        # A string array of grant types which the client application declares that it will restrict itself to using.
+        # This property corresponds to `grant_types` in [OpenID Connect Dynamic Client Registration 1.0,
+        # 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
+        # 
+        field :grant_types, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::GrantType)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('grantTypes') } }
+        # A string array of response types which the client application declares that it will restrict itself to using.
+        # This property corresponds to `response_types` in [OpenID Connect Dynamic Client Registration 1.0,
+        # 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
+        # 
+        field :response_types, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::ResponseType)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('responseTypes') } }
+        # Redirect URIs that the client application uses to receive a response from the authorization endpoint.
+        # Requirements for a redirect URI are as follows.
+        # 
+        # **Requirements by RFC 6749** (From [RFC 6749, 3.1.2. Redirection Endpoint](https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2))
+        # 
+        # - Must be an absolute URI.
+        # - Must not have a fragment component.
+        # 
+        # **Requirements by OpenID Connect** (From "[OpenID Connect Dynamic Client Registration 1.0, 2.
+        # Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata),
+        # application_type")
+        # 
+        # - The scheme of the redirect URI used for Implicit Grant by a client application whose application
+        # is `web` must be `https`. This is checked at runtime by Authlete.
+        # - The hostname of the redirect URI used for Implicit Grant by a client application whose application
+        # type is `web` must not be `localhost`. This is checked at runtime by Authlete.
+        # - The scheme of the redirect URI used by a client application whose application type is `native`
+        # must be either (1) a custom scheme or (2) `http`, which is allowed only when the hostname part
+        # is `localhost`. This is checked at runtime by Authlete.
+        # 
+        # **Requirements by Authlete**
+        # 
+        # - Must consist of printable ASCII letters only.
+        # - Must not exceed 200 letters.
+        # 
+        # Note that Authlete allows the application type to be `null`. In other words, a client application
+        # does not have to choose `web` or `native` as its application type.
+        # If the application type is `null`, the requirements by OpenID Connect are not checked at runtime.
+        # 
+        # An authorization request from a client application which has not registered any redirect URI
+        # fails unless at least all the following conditions are satisfied.
+        # 
+        # - The client type of the client application is `confidential`.
+        # - The value of `response_type` request parameter is `code`.
+        # - The authorization request has the `redirect_uri` request parameter.
+        # - The value of `scope` request parameter does not contain `openid`.
+        # 
+        # RFC 6749 allows partial match of redirect URI under some conditions (see [RFC 6749, 3.1.2.2.
+        # Registration Requirements](https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2.2) for
+        # details), but OpenID Connect requires exact match.
+        # 
+        field :redirect_uris, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('redirectUris') } }
+        # The client authentication method that the client application declares that it uses at the token
+        # endpoint. This property corresponds to `token_endpoint_auth_method` in [OpenID Connect Dynamic
+        # Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
+        # 
+        field :token_auth_method, Crystalline::Nilable.new(Models::Components::ClientAuthMethod), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tokenAuthMethod'), 'decoder': Utils.enum_from_string(Models::Components::ClientAuthMethod, true) } }
+        # The key ID of a JWK containing a self-signed certificate of this client.
+        # 
+        field :self_signed_certificate_key_id, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('selfSignedCertificateKeyId') } }
+        # The string representation of the expected subject distinguished name of the certificate this
+        # client will use in mutual TLS authentication.
+        # 
+        # See `tls_client_auth_subject_dn` in "Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client
+        # Registration" for details.
+        # 
+        field :tls_client_auth_subject_dn, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tlsClientAuthSubjectDn') } }
+        # The string representation of the expected DNS subject alternative name of the certificate this
+        # client will use in mutual TLS authentication.
+        # 
+        # See `tls_client_auth_san_dns` in "Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client
+        # Registration" for details.
+        # 
+        field :tls_client_auth_san_dns, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tlsClientAuthSanDns') } }
+        # The string representation of the expected URI subject alternative name of the certificate this
+        # client will use in mutual TLS authentication.
+        # 
+        # See `tls_client_auth_san_uri` in "Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client
+        # Registration" for details.
+        # 
+        field :tls_client_auth_san_uri, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tlsClientAuthSanUri') } }
+        # The string representation of the expected IP address subject alternative name of the certificate
+        # this client will use in mutual TLS authentication.
+        # 
+        # See `tls_client_auth_san_ip` in "Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client
+        # Registration" for details.
+        # 
+        field :tls_client_auth_san_ip, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tlsClientAuthSanIp') } }
+        # The string representation of the expected email address subject alternative name of the certificate
+        # this client will use in mutual TLS authentication.
+        # 
+        # See `tls_client_auth_san_email` in "Mutual TLS Profiles for OAuth Clients, 2.3. Dynamic Client
+        # Registration" for details.
+        # 
+        field :tls_client_auth_san_email, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tlsClientAuthSanEmail') } }
+        # The flag to indicate whether this client is required to use the pushed authorization request endpoint.
+        # This property corresponds to the `require_pushed_authorization_requests` client metadata defined
+        # in "OAuth 2.0 Pushed Authorization Requests".
+        # 
+        field :par_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('parRequired') } }
+        # The flag to indicate whether authorization requests from this client are always required to
+        # utilize a request object by using either `request` or `request_uri` request parameter.
+        # 
+        # If this flag is set to `true` and the service's `traditionalRequestObjectProcessingApplied` is
+        # set to `false`, authorization requests from this client are processed as if `require_signed_request_object`
+        # client metadata of this client is `true`. The metadata is defined in "JAR (JWT Secured Authorization Request)".
+        # 
+        field :request_object_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('requestObjectRequired') } }
+        # An array of URLs each of which points to a request object.
+        # 
+        # Authlete requires that URLs used as values for `request_uri` request parameter be pre-registered.
+        # This property is used for the pre-registration.
+        # See [OpenID Connect Core 1.0, 6.2. Passing a Request Object by Reference](https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter) for details.
+        # 
+        field :request_uris, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('requestUris') } }
+        # The default maximum authentication age in seconds. This value is used when an authorization request from the client application does not have `max_age` request parameter.
+        # 
+        # This property corresponds to `default_max_age` in
+        # [OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
+        # 
+        field :default_max_age, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('defaultMaxAge') } }
+        # The default ACRs (Authentication Context Class References). This value is used when an authorization
+        # request from the client application has neither `acr_values` request parameter nor `acr` claim
+        # in claims request parameter.
+        # 
+        field :default_acrs, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('defaultAcrs') } }
+        # The flag to indicate whether this client requires `auth_time` claim to be embedded in the ID token.
+        # 
+        # This property corresponds to `require_auth_time` in
+        # [OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
+        # 
+        field :auth_time_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('authTimeRequired') } }
+        # The subject type that the client application requests. Details about the subject type are described in
+        # [OpenID Connect Core 1.0, 8. Subjct Identifier Types](https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).
+        # 
+        # This property corresponds to `subject_type` in
+        # [OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
+        # 
+        field :subject_type, Crystalline::Nilable.new(Models::Components::SubjectType), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('subjectType'), 'decoder': Utils.enum_from_string(Models::Components::SubjectType, true) } }
+        # The value of the sector identifier URI.
+        # This represents the `sector_identifier_uri` client metadata which is defined in
+        # [OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata)
+        # 
+        field :sector_identifier_uri, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('sectorIdentifierUri') } }
+        # The URL pointing to the JWK Set of the client application.
+        # The content pointed to by the URL is JSON which complies with the format described in
+        # [JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).
+        # The JWK Set must not include private keys of the client application.
+        # 
+        # If the client application requests encryption for ID tokens (from the authorization/token/userinfo endpoints)
+        # and/or signs request objects, it must make available its JWK Set containing public keys for the
+        # encryption and/or the signature at the URL of `jwksUri`. The service (Authlete) fetches the JWK
+        # Set from the URL as necessary.
+        # 
+        # [OpenID Connect Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html)
+        # says that `jwks` must not be used when the client can use `jwks_uri`, but Authlete allows both
+        # properties to be registered at the same time. However, Authlete does not use the content of `jwks`
+        # when `jwksUri` is registered.
+        # 
+        # This property corresponds to `jwks_uri` in [OpenID Connect Dynamic Client Registration 1.0, 2.
+        # Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
+        # 
+        field :jwks_uri, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('jwksUri') } }
+        # The content of the JWK Set of the client application.
+        # The format is described in
+        # [JSON Web Key (JWK), 5. JWK Set Format](https://datatracker.ietf.org/doc/html/rfc7517#section-5).
+        # The JWK Set must not include private keys of the client application.
+        # 
+        # [OpenID Connect Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html)
+        # says that `jwks` must not be used when the client can use `jwks_uri`, but Authlete allows both
+        # properties to be registered at the same time. However, Authlete does not use the content of `jwks`
+        # when `jwksUri` is registered.
+        # 
+        # This property corresponds to `jwks_uri` in [OpenID Connect Dynamic Client Registration 1.0, 2.
+        # Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
+        # 
+        field :jwks, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('jwks') } }
+        # The URL which a third party can use to initiate a login by the client application.
+        # 
+        # This property corresponds to `initiate_login_uri` in
+        # [OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
+        # 
+        field :login_uri, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('loginUri') } }
+        # The URL pointing to the "Terms Of Service" page.
+        # 
+        # This property corresponds to `tos_uri` in
+        # [OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
+        # 
+        field :tos_uri, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tosUri') } }
+        # URLs of "Terms Of Service" pages with language tags.
+        # 
+        # If the client application has different "Terms Of Service" pages for different languages,
+        # this property can be used to register the URLs.
+        # 
+        field :tos_uris, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::TaggedValue)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tosUris') } }
+        # The URL pointing to the page which describes the policy as to how end-user's profile data is used.
+        # 
+        # This property corresponds to `policy_uri` in
+        # [OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
+        # 
+        field :policy_uri, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('policyUri') } }
+        # URLs of policy pages with language tags.
+        # If the client application has different policy pages for different languages, this property can be used to register the URLs.
+        # 
+        field :policy_uris, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::TaggedValue)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('policyUris') } }
+        # The URL pointing to the home page of the client application.
+        # 
+        # This property corresponds to `client_uri` in
+        # [OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
+        # 
+        field :client_uri, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('clientUri') } }
+        # Home page URLs with language tags.
+        # If the client application has different home pages for different languages, this property can
+        # be used to register the URLs.
+        # 
+        field :client_uris, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::TaggedValue)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('clientUris') } }
+        # The backchannel token delivery mode.
+        # 
+        # This property corresponds to the `backchannel_token_delivery_mode` metadata.
+        # The backchannel token delivery mode is defined in the specification of "CIBA (Client Initiated
+        # Backchannel Authentication)".
+        # 
+        field :bc_delivery_mode, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('bcDeliveryMode') } }
+        # The backchannel client notification endpoint.
+        # 
+        # This property corresponds to the `backchannel_client_notification_endpoint` metadata.
+        # The backchannel token delivery mode is defined in the specification of "CIBA (Client Initiated
+        # Backchannel Authentication)".
+        # 
+        field :bc_notification_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('bcNotificationEndpoint') } }
+        # The boolean flag to indicate whether a user code is required when this client makes a backchannel
+        # authentication request.
+        # 
+        # This property corresponds to the `backchannel_user_code_parameter` metadata.
+        # 
+        field :bc_user_code_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('bcUserCodeRequired') } }
+        # The attributes of this client.
+        # 
+        field :attributes, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::Pair)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('attributes') } }
+
+        field :extension, Crystalline::Nilable.new(Models::Components::ClientExtension), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('extension') } }
+        # The authorization details types that this client may use as values of the `type` field in
+        # `authorization_details`.
+        # 
+        # This property corresponds to the `authorization_details_types` metadata. See [OAuth 2.0 Rich
+        # Authorization Requests (RAR)](https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/) for details.
+        # 
+        # Note that the property name was renamed from authorizationDataTypes to authorizationDetailsTypes
+        # to align with the change made by the 5th draft of the RAR specification.
+        # 
+        field :authorization_details_types, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('authorizationDetailsTypes') } }
+        # The custom client metadata in JSON format.
+        # 
+        # Standard specifications define client metadata as necessary. The following are such examples.
+        # 
+        # * [OpenID Connect Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html)
+        # * [RFC 7591 OAuth 2.0 Dynamic Client Registration Protocol](https://www.rfc-editor.org/rfc/rfc7591.html)
+        # * [RFC 8705 OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens](https://www.rfc-editor.org/rfc/rfc8705.html)
+        # * [OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html)
+        # * [The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)](https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/)
+        # * [Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)](https://openid.net/specs/openid-financial-api-jarm.html)
+        # * [OAuth 2.0 Pushed Authorization Requests (PAR)](https://datatracker.ietf.org/doc/rfc9126/)
+        # * [OAuth 2.0 Rich Authorization Requests (RAR)](https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/)
+        # 
+        # Standard client metadata included in Client Registration Request and Client Update Request (cf.
+        # [OIDC DynReg](https://openid.net/specs/openid-connect-registration-1_0.html), [RFC 7591](https://www.rfc-editor.org/rfc/rfc7591.html)
+        # and [RFC 7592](https://www.rfc-editor.org/rfc/rfc7592.html)) are, if supported by Authlete, set
+        # to corresponding properties of the client application. For example, the value of the `client_name`
+        # client metadata in Client Registration/Update Request is set to the clientName property. On the
+        # other hand, unrecognized client metadata are discarded.
+        # 
+        # By listing up custom client metadata in advance by using the `supportedCustomClientMetadata` property
+        # of Service, Authlete can recognize them and stores their values into the database. The stored
+        # custom client metadata values can be referenced by this property.
+        # 
+        field :custom_metadata, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('customMetadata') } }
+        # The flag indicating whether encryption of request object is required when the request object
+        # is passed through the front channel.
+        # 
+        # This flag does not affect the processing of request objects at the Pushed Authorization Request
+        # Endpoint, which is defined in [OAuth 2.0 Pushed Authorization Requests](https://datatracker.ietf.org/doc/rfc9126/).
+        # Unecrypted request objects are accepted at the endpoint even if this flag is `true`.
+        # 
+        # This flag does not indicate whether a request object is always required. There is a different
+        # flag, `requestObjectRequired`, for the purpose.
+        # 
+        # Even if this flag is `false`, encryption of request object is required if the `frontChannelRequestObjectEncryptionRequired`
+        # flag of the service is `true`.
+        # 
+        field :front_channel_request_object_encryption_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('frontChannelRequestObjectEncryptionRequired') } }
+        # The flag indicating whether the JWE alg of encrypted request object must match the `request_object_encryption_alg`
+        # client metadata.
+        # 
+        # The `request_object_encryption_alg` client metadata itself is defined in [OpenID Connect Dynamic
+        # Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html) as follows.
+        # 
+        # > request_object_encryption_alg
+        # >
+        # > OPTIONAL. JWE [JWE] alg algorithm [JWA] the RP is declaring that it may use for encrypting Request
+        #   Objects sent to the OP. This parameter SHOULD be included when symmetric encryption will be used,
+        #   since this signals to the OP that a client_secret value needs to be returned from which the
+        #   symmetric key will be derived, that might not otherwise be returned. The RP MAY still use other
+        #   supported encryption algorithms or send unencrypted Request Objects, even when this parameter
+        #   is present. If both signing and encryption are requested, the Request Object will be signed
+        #   then encrypted, with the result being a Nested JWT, as defined in [JWT]. The default, if omitted,
+        #   is that the RP is not declaring whether it might encrypt any Request Objects.
+        # 
+        # The point here is "The RP MAY still use other supported encryption algorithms or send unencrypted
+        # Request Objects, even when this parameter is present."
+        # 
+        # The property that represents the client metadata is `requestEncryptionAlg`. See the description
+        # of `requestEncryptionAlg` for details.
+        # 
+        # Even if this flag is `false`, the match is required if the `requestObjectEncryptionAlgMatchRequired`
+        # flag of the service is `true`.
+        # 
+        field :request_object_encryption_alg_match_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('requestObjectEncryptionAlgMatchRequired') } }
+        # The flag indicating whether the JWE enc of encrypted request object must match the `request_object_encryption_enc`
+        # client metadata.
+        # 
+        # The `request_object_encryption_enc` client metadata itself is defined in [OpenID Connect Dynamic
+        # Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html) as follows.
+        # 
+        # > request_object_encryption_enc
+        # >
+        # > OPTIONAL. JWE enc algorithm [JWA] the RP is declaring that it may use for encrypting Request
+        #   Objects sent to the OP. If request_object_encryption_alg is specified, the default for this
+        #   value is A128CBC-HS256. When request_object_encryption_enc is included, request_object_encryption_alg
+        #   MUST also be provided.
+        # 
+        # The property that represents the client metadata is `requestEncryptionEnc`. See the description
+        # of `requestEncryptionEnc`  for details.
+        # 
+        # Even if this flag is `false`, the match is required if the `requestObjectEncryptionEncMatchRequired`
+        # flag of the service is `true`.
+        # 
+        field :request_object_encryption_enc_match_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('requestObjectEncryptionEncMatchRequired') } }
+        # The digest algorithm that this client requests the server to use
+        # when it computes digest values of [external attachments](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#name-external-attachments), which may be referenced from within ID tokens
+        # or userinfo responses (or any place that can have the `verified\_claims` claim).
+        # Possible values are listed in the [Hash Algorithm Registry](https://www.iana.org/assignments/named-information/named-information.xhtml#hash-alg) of IANA (Internet Assigned Numbers Authority),
+        # but the server does not necessarily support all the values there. When
+        # this property is omitted, `sha-256` is used as the default algorithm.
+        # This property corresponds to the `digest\_algorithm` client metadata
+        # which was defined by the third implementer's draft of
+        # [OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1\_0.html).
+        # 
+        field :digest_algorithm, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('digestAlgorithm') } }
+        # If `Enabled` is selected, an attempt to issue a new access token invalidates existing access tokens that are associated with the same combination of subject and client.
+        # 
+        # Note that, however, attempts by Client Credentials Flow do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject.
+        # 
+        # Even if `Disabled` is selected here, single access token per subject is effective if `singleAccessTokenPerSubject` of the `Service` this client belongs to is Enabled.
+        # 
+        field :single_access_token_per_subject, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('singleAccessTokenPerSubject') } }
+        # The flag to indicate whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.
+        # 
+        # If `true`, `code_challenge` request parameter is always required for authorization requests using Authorization Code Flow.
+        # 
+        # See [RFC 7636](https://tools.ietf.org/html/rfc7636) (Proof Key for Code Exchange by OAuth Public Clients) for details about `code_challenge` request parameter.
+        # 
+        field :pkce_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('pkceRequired') } }
+        # The flag to indicate whether `S256` is always required as the code challenge method whenever [PKCE (RFC 7636)](https://tools.ietf.org/html/rfc7636) is used.
+        # 
+        # If this flag is set to `true`, `code_challenge_method=S256` must be included in the authorization request
+        # whenever it includes the `code_challenge` request parameter.
+        # Neither omission of the `code_challenge_method` request parameter nor use of plain (`code_challenge_method=plain`) is allowed.
+        # 
+        field :pkce_s256_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('pkceS256Required') } }
+        # If the DPoP is required for this client
+        # 
+        field :dpop_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('dpopRequired') } }
+        # The flag indicating whether this client was registered by the
+        # "automatic" client registration of OIDC Federation.
+        # 
+        field :automatically_registered, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('automaticallyRegistered') } }
+        # The flag indicating whether this client was registered by the
+        # "explicit" client registration of OIDC Federation.
+        # 
+        field :explicitly_registered, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('explicitlyRegistered') } }
+        # The flag indicating whether this service signs responses from the resource server.
+        # 
+        field :rs_request_signed, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('rsRequestSigned') } }
+        # The key ID of a JWK containing the public key used by this client to sign requests to the resource server.
+        # 
+        field :rs_signed_request_key_id, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('rsSignedRequestKeyId') } }
+        # The client registration types that the client has declared it may use.
+        # 
+        field :client_registration_types, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::ClientRegistrationType)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('clientRegistrationTypes') } }
+        # The human-readable name representing the organization that manages this client. This property corresponds
+        # to the organization_name client metadata that is defined in OpenID Connect Federation 1.0.
+        # 
+        field :organization_name, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('organizationName') } }
+        # The URI of the endpoint that returns this client's JWK Set document in the JWT format. This property
+        # corresponds to the `signed_jwks_uri` client metadata defined in OpenID Connect Federation 1.0.
+        # 
+        field :signed_jwks_uri, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('signedJwksUri') } }
+        # the entity ID of this client.
+        # 
+        field :entity_id, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('entityId') } }
+        # The entity ID of the trust anchor of the trust chain that was used when this client was registered or updated by
+        # the mechanism defined in OpenID Connect Federation 1.0
+        # 
+        field :trust_anchor_id, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('trustAnchorId') } }
+        # The trust chain that was used when this client was registered or updated by the mechanism defined in
+        # OpenID Connect Federation 1.0
+        # 
+        field :trust_chain, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('trustChain') } }
+        # the expiration time of the trust chain that was used when this client was registered or updated by the mechanism
+        # defined in OpenID Connect Federation 1.0. The value is represented as milliseconds elapsed since the Unix epoch (1970-01-01).
+        # 
+        field :trust_chain_expires_at, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('trustChainExpiresAt') } }
+        # the time at which the trust chain was updated by the mechanism defined in OpenID Connect Federation 1.0
+        # 
+        field :trust_chain_updated_at, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('trustChainUpdatedAt') } }
+        # The flag which indicates whether this client is locked.
+        # 
+        field :locked, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('locked') } }
+        # The URL of the credential offer endpoint at which this client
+        # (wallet) receives a credential offer from the credential issuer.
+        # 
+        field :credential_offer_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('credentialOfferEndpoint') } }
+        # The FAPI modes for this client.
+        # 
+        # When the value of this property is not `null`, Authlete always processes requests from this client
+        # based on the specified FAPI modes if the FAPI feature is enabled in Authlete, the FAPI profile
+        # is supported by the service, and the FAPI modes for the service are set to `null`.
+        # 
+        # For instance, when this property is set to an array containing `FAPI1_ADVANCED` only, Authlete
+        # always processes requests from this client based on "Financial-grade API Security Profile 1.0 -
+        # Part 2: Advanced" if the FAPI feature is enabled in Authlete, the FAPI profile is supported by
+        # the service, and the FAPI modes for the service are set to `null`.
+        # 
+        field :fapi_modes, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::FapiMode)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('fapiModes') } }
+        # The response modes that this client may use.
+        field :response_modes, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::ResponseMode)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('responseModes') } }
+        # True if credential responses to this client must be always encrypted.
+        field :credential_response_encryption_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('credentialResponseEncryptionRequired') } }
+        # The flag indicating whether the client intends to prefer mutual TLS endpoints over non-MTLS endpoints.
+        # 
+        # This property corresponds to the `use_mtls_endpoint_aliases` client metadata that is defined in
+        # [FAPI 2.0 Security Profile, 8.1.1. use_mtls_endpoint_aliases](https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html#section-8.1.1).
+        # 
+        field :mtls_endpoint_aliases_used, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('mtlsEndpointAliasesUsed') } }
+        # The flag indicating whether this client is in scope for token migration 
+        # operations.
+        # 
+        field :in_scope_for_token_migration, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('inScopeForTokenMigration') } }
+        # Location of the Client ID Metadata Document that was used for this client.
+        # 
+        field :metadata_document_location, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('metadataDocumentLocation') } }
+        # Expiration time of the metadata document (UNIX time in milliseconds).
+        # 
+        field :metadata_document_expires_at, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('metadataDocumentExpiresAt') } }
+        # Last-updated time of the metadata document (UNIX time in milliseconds).
+        # 
+        field :metadata_document_updated_at, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('metadataDocumentUpdatedAt') } }
+        # Indicates whether this client was discovered via a Client ID Metadata Document.
+        # 
+        field :discovered_by_metadata_document, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('discoveredByMetadataDocument') } }
+        # Source of this client record.
+        # 
+        field :client_source, Crystalline::Nilable.new(Models::Components::ClientSource), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('clientSource'), 'decoder': Utils.enum_from_string(Models::Components::ClientSource, true) } }
+
+        field :additional_properties, Crystalline::Nilable.new(Crystalline::Hash.new(Symbol, ::Object)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('additional_properties') } }
+        # The signature algorithm for JWT. This value is represented on 'alg' attribute
+        # of the header of JWT.
+        # 
+        # it's semantics depends upon where is this defined, for instance:
+        #   - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).
+        #   - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).
+        #   - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).
+        # 
+        field :authorization_sign_alg, Crystalline::Nilable.new(Models::Components::JwsAlg), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('authorizationSignAlg'), 'decoder': Utils.enum_from_string(Models::Components::JwsAlg, true) } }
+        # this is the 'alg' header value for encrypted JWT tokens.
+        # Depending upon the context, this refers to key transport scheme to be used by the client and by the server. For instance:
+        # - as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects
+        # - as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object
+        # - as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens
+        # 
+        # **Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.
+        # 
+        field :authorization_encryption_alg, Crystalline::Nilable.new(Models::Components::JweAlg), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('authorizationEncryptionAlg'), 'decoder': Utils.enum_from_string(Models::Components::JweAlg, true) } }
+        # This is the encryption algorithm to be used when encrypting a JWT on client or server side.
+        # Depending upon the context, this refers to encryption done by the client or by the server. For instance:
+        #   - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response
+        #   - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object
+        #   - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens
+        # 
+        field :authorization_encryption_enc, Crystalline::Nilable.new(Models::Components::JweEnc), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('authorizationEncryptionEnc'), 'decoder': Utils.enum_from_string(Models::Components::JweEnc, true) } }
+        # The signature algorithm for JWT. This value is represented on 'alg' attribute
+        # of the header of JWT.
+        # 
+        # it's semantics depends upon where is this defined, for instance:
+        #   - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).
+        #   - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).
+        #   - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).
+        # 
+        field :token_auth_sign_alg, Crystalline::Nilable.new(Models::Components::JwsAlg), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tokenAuthSignAlg'), 'decoder': Utils.enum_from_string(Models::Components::JwsAlg, true) } }
+        # The signature algorithm for JWT. This value is represented on 'alg' attribute
+        # of the header of JWT.
+        # 
+        # it's semantics depends upon where is this defined, for instance:
+        #   - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).
+        #   - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).
+        #   - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).
+        # 
+        field :request_sign_alg, Crystalline::Nilable.new(Models::Components::JwsAlg), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('requestSignAlg'), 'decoder': Utils.enum_from_string(Models::Components::JwsAlg, true) } }
+        # this is the 'alg' header value for encrypted JWT tokens.
+        # Depending upon the context, this refers to key transport scheme to be used by the client and by the server. For instance:
+        # - as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects
+        # - as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object
+        # - as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens
+        # 
+        # **Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.
+        # 
+        field :request_encryption_alg, Crystalline::Nilable.new(Models::Components::JweAlg), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('requestEncryptionAlg'), 'decoder': Utils.enum_from_string(Models::Components::JweAlg, true) } }
+        # This is the encryption algorithm to be used when encrypting a JWT on client or server side.
+        # Depending upon the context, this refers to encryption done by the client or by the server. For instance:
+        #   - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response
+        #   - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object
+        #   - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens
+        # 
+        field :request_encryption_enc, Crystalline::Nilable.new(Models::Components::JweEnc), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('requestEncryptionEnc'), 'decoder': Utils.enum_from_string(Models::Components::JweEnc, true) } }
+        # The signature algorithm for JWT. This value is represented on 'alg' attribute
+        # of the header of JWT.
+        # 
+        # it's semantics depends upon where is this defined, for instance:
+        #   - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).
+        #   - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).
+        #   - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).
+        # 
+        field :id_token_sign_alg, Crystalline::Nilable.new(Models::Components::JwsAlg), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('idTokenSignAlg'), 'decoder': Utils.enum_from_string(Models::Components::JwsAlg, true) } }
+        # this is the 'alg' header value for encrypted JWT tokens.
+        # Depending upon the context, this refers to key transport scheme to be used by the client and by the server. For instance:
+        # - as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects
+        # - as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object
+        # - as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens
+        # 
+        # **Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.
+        # 
+        field :id_token_encryption_alg, Crystalline::Nilable.new(Models::Components::JweAlg), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('idTokenEncryptionAlg'), 'decoder': Utils.enum_from_string(Models::Components::JweAlg, true) } }
+        # This is the encryption algorithm to be used when encrypting a JWT on client or server side.
+        # Depending upon the context, this refers to encryption done by the client or by the server. For instance:
+        #   - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response
+        #   - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object
+        #   - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens
+        # 
+        field :id_token_encryption_enc, Crystalline::Nilable.new(Models::Components::JweEnc), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('idTokenEncryptionEnc'), 'decoder': Utils.enum_from_string(Models::Components::JweEnc, true) } }
+        # The signature algorithm for JWT. This value is represented on 'alg' attribute
+        # of the header of JWT.
+        # 
+        # it's semantics depends upon where is this defined, for instance:
+        #   - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).
+        #   - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).
+        #   - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).
+        # 
+        field :user_info_sign_alg, Crystalline::Nilable.new(Models::Components::JwsAlg), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('userInfoSignAlg'), 'decoder': Utils.enum_from_string(Models::Components::JwsAlg, true) } }
+        # this is the 'alg' header value for encrypted JWT tokens.
+        # Depending upon the context, this refers to key transport scheme to be used by the client and by the server. For instance:
+        # - as `authorizationEncryptionAlg` value, it refers to the encoding algorithm used by server for transporting they keys on JARM objects
+        # - as `requestEncryptionAlg` value, it refers to the expected key transport encoding algorithm that server expect from client when encrypting a Request Object
+        # - as `idTokenEncryptionAlg` value, it refers to the algorithm used by the server to key transport of id_tokens
+        # 
+        # **Please note that some of the algorithms are more secure than others, some are not supported very well cross platforms and some (like RSA1_5) is known to be weak**.
+        # 
+        field :user_info_encryption_alg, Crystalline::Nilable.new(Models::Components::JweAlg), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('userInfoEncryptionAlg'), 'decoder': Utils.enum_from_string(Models::Components::JweAlg, true) } }
+        # This is the encryption algorithm to be used when encrypting a JWT on client or server side.
+        # Depending upon the context, this refers to encryption done by the client or by the server. For instance:
+        #   - as `authorizationEncryptionEnc` value, it refers to the encryption algorithm used by server when creating a JARM response
+        #   - as `requestEncryptionEnc` value, it refers to the expected encryption algorithm used by the client when encrypting a Request Object
+        #   - as `idTokenEncryptionEnc` value, it refers to the algorithm used by the server to encrypt id_tokens
+        # 
+        field :user_info_encryption_enc, Crystalline::Nilable.new(Models::Components::JweEnc), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('userInfoEncryptionEnc'), 'decoder': Utils.enum_from_string(Models::Components::JweEnc, true) } }
+        # The signature algorithm for JWT. This value is represented on 'alg' attribute
+        # of the header of JWT.
+        # 
+        # it's semantics depends upon where is this defined, for instance:
+        #   - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).
+        #   - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).
+        #   - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).
+        # 
+        field :bc_request_sign_alg, Crystalline::Nilable.new(Models::Components::JwsAlg), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('bcRequestSignAlg'), 'decoder': Utils.enum_from_string(Models::Components::JwsAlg, true) } }
+
+        sig { params(client_name: T.nilable(::String), client_names: T.nilable(T::Array[Models::Components::TaggedValue]), description: T.nilable(::String), descriptions: T.nilable(T::Array[Models::Components::TaggedValue]), client_id_alias: T.nilable(::String), client_id_alias_enabled: T.nilable(T::Boolean), client_type: T.nilable(Models::Components::ClientType), application_type: T.nilable(Models::Components::ApplicationType), logo_uri: T.nilable(::String), logo_uris: T.nilable(T::Array[Models::Components::TaggedValue]), contacts: T.nilable(T::Array[::String]), tls_client_certificate_bound_access_tokens: T.nilable(T::Boolean), software_id: T.nilable(::String), developer: T.nilable(::String), software_version: T.nilable(::String), registration_access_token_hash: T.nilable(::String), grant_types: T.nilable(T::Array[Models::Components::GrantType]), response_types: T.nilable(T::Array[Models::Components::ResponseType]), redirect_uris: T.nilable(T::Array[::String]), token_auth_method: T.nilable(Models::Components::ClientAuthMethod), self_signed_certificate_key_id: T.nilable(::String), tls_client_auth_subject_dn: T.nilable(::String), tls_client_auth_san_dns: T.nilable(::String), tls_client_auth_san_uri: T.nilable(::String), tls_client_auth_san_ip: T.nilable(::String), tls_client_auth_san_email: T.nilable(::String), par_required: T.nilable(T::Boolean), request_object_required: T.nilable(T::Boolean), request_uris: T.nilable(T::Array[::String]), default_max_age: T.nilable(::Integer), default_acrs: T.nilable(T::Array[::String]), auth_time_required: T.nilable(T::Boolean), subject_type: T.nilable(Models::Components::SubjectType), sector_identifier_uri: T.nilable(::String), jwks_uri: T.nilable(::String), jwks: T.nilable(::String), login_uri: T.nilable(::String), tos_uri: T.nilable(::String), tos_uris: T.nilable(T::Array[Models::Components::TaggedValue]), policy_uri: T.nilable(::String), policy_uris: T.nilable(T::Array[Models::Components::TaggedValue]), client_uri: T.nilable(::String), client_uris: T.nilable(T::Array[Models::Components::TaggedValue]), bc_delivery_mode: T.nilable(::String), bc_notification_endpoint: T.nilable(::String), bc_user_code_required: T.nilable(T::Boolean), attributes: T.nilable(T::Array[Models::Components::Pair]), extension: T.nilable(Models::Components::ClientExtension), authorization_details_types: T.nilable(T::Array[::String]), custom_metadata: T.nilable(::String), front_channel_request_object_encryption_required: T.nilable(T::Boolean), request_object_encryption_alg_match_required: T.nilable(T::Boolean), request_object_encryption_enc_match_required: T.nilable(T::Boolean), digest_algorithm: T.nilable(::String), single_access_token_per_subject: T.nilable(T::Boolean), pkce_required: T.nilable(T::Boolean), pkce_s256_required: T.nilable(T::Boolean), dpop_required: T.nilable(T::Boolean), automatically_registered: T.nilable(T::Boolean), explicitly_registered: T.nilable(T::Boolean), rs_request_signed: T.nilable(T::Boolean), rs_signed_request_key_id: T.nilable(::String), client_registration_types: T.nilable(T::Array[Models::Components::ClientRegistrationType]), organization_name: T.nilable(::String), signed_jwks_uri: T.nilable(::String), entity_id: T.nilable(::String), trust_anchor_id: T.nilable(::String), trust_chain: T.nilable(T::Array[::String]), trust_chain_expires_at: T.nilable(::Integer), trust_chain_updated_at: T.nilable(::Integer), locked: T.nilable(T::Boolean), credential_offer_endpoint: T.nilable(::String), fapi_modes: T.nilable(T::Array[Models::Components::FapiMode]), response_modes: T.nilable(T::Array[Models::Components::ResponseMode]), credential_response_encryption_required: T.nilable(T::Boolean), mtls_endpoint_aliases_used: T.nilable(T::Boolean), in_scope_for_token_migration: T.nilable(T::Boolean), metadata_document_location: T.nilable(::String), metadata_document_expires_at: T.nilable(::Integer), metadata_document_updated_at: T.nilable(::Integer), discovered_by_metadata_document: T.nilable(T::Boolean), client_source: T.nilable(Models::Components::ClientSource), additional_properties: T.nilable(T::Hash[Symbol, ::Object]), authorization_sign_alg: T.nilable(Models::Components::JwsAlg), authorization_encryption_alg: T.nilable(Models::Components::JweAlg), authorization_encryption_enc: T.nilable(Models::Components::JweEnc), token_auth_sign_alg: T.nilable(Models::Components::JwsAlg), request_sign_alg: T.nilable(Models::Components::JwsAlg), request_encryption_alg: T.nilable(Models::Components::JweAlg), request_encryption_enc: T.nilable(Models::Components::JweEnc), id_token_sign_alg: T.nilable(Models::Components::JwsAlg), id_token_encryption_alg: T.nilable(Models::Components::JweAlg), id_token_encryption_enc: T.nilable(Models::Components::JweEnc), user_info_sign_alg: T.nilable(Models::Components::JwsAlg), user_info_encryption_alg: T.nilable(Models::Components::JweAlg), user_info_encryption_enc: T.nilable(Models::Components::JweEnc), bc_request_sign_alg: T.nilable(Models::Components::JwsAlg)).void }
+        def initialize(client_name: nil, client_names: nil, description: nil, descriptions: nil, client_id_alias: nil, client_id_alias_enabled: nil, client_type: nil, application_type: nil, logo_uri: nil, logo_uris: nil, contacts: nil, tls_client_certificate_bound_access_tokens: nil, software_id: nil, developer: nil, software_version: nil, registration_access_token_hash: nil, grant_types: nil, response_types: nil, redirect_uris: nil, token_auth_method: nil, self_signed_certificate_key_id: nil, tls_client_auth_subject_dn: nil, tls_client_auth_san_dns: nil, tls_client_auth_san_uri: nil, tls_client_auth_san_ip: nil, tls_client_auth_san_email: nil, par_required: nil, request_object_required: nil, request_uris: nil, default_max_age: nil, default_acrs: nil, auth_time_required: nil, subject_type: nil, sector_identifier_uri: nil, jwks_uri: nil, jwks: nil, login_uri: nil, tos_uri: nil, tos_uris: nil, policy_uri: nil, policy_uris: nil, client_uri: nil, client_uris: nil, bc_delivery_mode: nil, bc_notification_endpoint: nil, bc_user_code_required: nil, attributes: nil, extension: nil, authorization_details_types: nil, custom_metadata: nil, front_channel_request_object_encryption_required: nil, request_object_encryption_alg_match_required: nil, request_object_encryption_enc_match_required: nil, digest_algorithm: nil, single_access_token_per_subject: nil, pkce_required: nil, pkce_s256_required: nil, dpop_required: nil, automatically_registered: nil, explicitly_registered: nil, rs_request_signed: nil, rs_signed_request_key_id: nil, client_registration_types: nil, organization_name: nil, signed_jwks_uri: nil, entity_id: nil, trust_anchor_id: nil, trust_chain: nil, trust_chain_expires_at: nil, trust_chain_updated_at: nil, locked: nil, credential_offer_endpoint: nil, fapi_modes: nil, response_modes: nil, credential_response_encryption_required: nil, mtls_endpoint_aliases_used: nil, in_scope_for_token_migration: nil, metadata_document_location: nil, metadata_document_expires_at: nil, metadata_document_updated_at: nil, discovered_by_metadata_document: nil, client_source: nil, additional_properties: nil, authorization_sign_alg: nil, authorization_encryption_alg: nil, authorization_encryption_enc: nil, token_auth_sign_alg: nil, request_sign_alg: nil, request_encryption_alg: nil, request_encryption_enc: nil, id_token_sign_alg: nil, id_token_encryption_alg: nil, id_token_encryption_enc: nil, user_info_sign_alg: nil, user_info_encryption_alg: nil, user_info_encryption_enc: nil, bc_request_sign_alg: nil)
+          @client_name = client_name
+          @client_names = client_names
+          @description = description
+          @descriptions = descriptions
+          @client_id_alias = client_id_alias
+          @client_id_alias_enabled = client_id_alias_enabled
+          @client_type = client_type
+          @application_type = application_type
+          @logo_uri = logo_uri
+          @logo_uris = logo_uris
+          @contacts = contacts
+          @tls_client_certificate_bound_access_tokens = tls_client_certificate_bound_access_tokens
+          @software_id = software_id
+          @developer = developer
+          @software_version = software_version
+          @registration_access_token_hash = registration_access_token_hash
+          @grant_types = grant_types
+          @response_types = response_types
+          @redirect_uris = redirect_uris
+          @token_auth_method = token_auth_method
+          @self_signed_certificate_key_id = self_signed_certificate_key_id
+          @tls_client_auth_subject_dn = tls_client_auth_subject_dn
+          @tls_client_auth_san_dns = tls_client_auth_san_dns
+          @tls_client_auth_san_uri = tls_client_auth_san_uri
+          @tls_client_auth_san_ip = tls_client_auth_san_ip
+          @tls_client_auth_san_email = tls_client_auth_san_email
+          @par_required = par_required
+          @request_object_required = request_object_required
+          @request_uris = request_uris
+          @default_max_age = default_max_age
+          @default_acrs = default_acrs
+          @auth_time_required = auth_time_required
+          @subject_type = subject_type
+          @sector_identifier_uri = sector_identifier_uri
+          @jwks_uri = jwks_uri
+          @jwks = jwks
+          @login_uri = login_uri
+          @tos_uri = tos_uri
+          @tos_uris = tos_uris
+          @policy_uri = policy_uri
+          @policy_uris = policy_uris
+          @client_uri = client_uri
+          @client_uris = client_uris
+          @bc_delivery_mode = bc_delivery_mode
+          @bc_notification_endpoint = bc_notification_endpoint
+          @bc_user_code_required = bc_user_code_required
+          @attributes = attributes
+          @extension = extension
+          @authorization_details_types = authorization_details_types
+          @custom_metadata = custom_metadata
+          @front_channel_request_object_encryption_required = front_channel_request_object_encryption_required
+          @request_object_encryption_alg_match_required = request_object_encryption_alg_match_required
+          @request_object_encryption_enc_match_required = request_object_encryption_enc_match_required
+          @digest_algorithm = digest_algorithm
+          @single_access_token_per_subject = single_access_token_per_subject
+          @pkce_required = pkce_required
+          @pkce_s256_required = pkce_s256_required
+          @dpop_required = dpop_required
+          @automatically_registered = automatically_registered
+          @explicitly_registered = explicitly_registered
+          @rs_request_signed = rs_request_signed
+          @rs_signed_request_key_id = rs_signed_request_key_id
+          @client_registration_types = client_registration_types
+          @organization_name = organization_name
+          @signed_jwks_uri = signed_jwks_uri
+          @entity_id = entity_id
+          @trust_anchor_id = trust_anchor_id
+          @trust_chain = trust_chain
+          @trust_chain_expires_at = trust_chain_expires_at
+          @trust_chain_updated_at = trust_chain_updated_at
+          @locked = locked
+          @credential_offer_endpoint = credential_offer_endpoint
+          @fapi_modes = fapi_modes
+          @response_modes = response_modes
+          @credential_response_encryption_required = credential_response_encryption_required
+          @mtls_endpoint_aliases_used = mtls_endpoint_aliases_used
+          @in_scope_for_token_migration = in_scope_for_token_migration
+          @metadata_document_location = metadata_document_location
+          @metadata_document_expires_at = metadata_document_expires_at
+          @metadata_document_updated_at = metadata_document_updated_at
+          @discovered_by_metadata_document = discovered_by_metadata_document
+          @client_source = client_source
+          @additional_properties = additional_properties
+          @authorization_sign_alg = authorization_sign_alg
+          @authorization_encryption_alg = authorization_encryption_alg
+          @authorization_encryption_enc = authorization_encryption_enc
+          @token_auth_sign_alg = token_auth_sign_alg
+          @request_sign_alg = request_sign_alg
+          @request_encryption_alg = request_encryption_alg
+          @request_encryption_enc = request_encryption_enc
+          @id_token_sign_alg = id_token_sign_alg
+          @id_token_encryption_alg = id_token_encryption_alg
+          @id_token_encryption_enc = id_token_encryption_enc
+          @user_info_sign_alg = user_info_sign_alg
+          @user_info_encryption_alg = user_info_encryption_alg
+          @user_info_encryption_enc = user_info_encryption_enc
+          @bc_request_sign_alg = bc_request_sign_alg
+        end
+
+        sig { params(other: T.untyped).returns(T::Boolean) }
+        def ==(other)
+          return false unless other.is_a? self.class
+          return false unless @client_name == other.client_name
+          return false unless @client_names == other.client_names
+          return false unless @description == other.description
+          return false unless @descriptions == other.descriptions
+          return false unless @client_id_alias == other.client_id_alias
+          return false unless @client_id_alias_enabled == other.client_id_alias_enabled
+          return false unless @client_type == other.client_type
+          return false unless @application_type == other.application_type
+          return false unless @logo_uri == other.logo_uri
+          return false unless @logo_uris == other.logo_uris
+          return false unless @contacts == other.contacts
+          return false unless @tls_client_certificate_bound_access_tokens == other.tls_client_certificate_bound_access_tokens
+          return false unless @software_id == other.software_id
+          return false unless @developer == other.developer
+          return false unless @software_version == other.software_version
+          return false unless @registration_access_token_hash == other.registration_access_token_hash
+          return false unless @grant_types == other.grant_types
+          return false unless @response_types == other.response_types
+          return false unless @redirect_uris == other.redirect_uris
+          return false unless @token_auth_method == other.token_auth_method
+          return false unless @self_signed_certificate_key_id == other.self_signed_certificate_key_id
+          return false unless @tls_client_auth_subject_dn == other.tls_client_auth_subject_dn
+          return false unless @tls_client_auth_san_dns == other.tls_client_auth_san_dns
+          return false unless @tls_client_auth_san_uri == other.tls_client_auth_san_uri
+          return false unless @tls_client_auth_san_ip == other.tls_client_auth_san_ip
+          return false unless @tls_client_auth_san_email == other.tls_client_auth_san_email
+          return false unless @par_required == other.par_required
+          return false unless @request_object_required == other.request_object_required
+          return false unless @request_uris == other.request_uris
+          return false unless @default_max_age == other.default_max_age
+          return false unless @default_acrs == other.default_acrs
+          return false unless @auth_time_required == other.auth_time_required
+          return false unless @subject_type == other.subject_type
+          return false unless @sector_identifier_uri == other.sector_identifier_uri
+          return false unless @jwks_uri == other.jwks_uri
+          return false unless @jwks == other.jwks
+          return false unless @login_uri == other.login_uri
+          return false unless @tos_uri == other.tos_uri
+          return false unless @tos_uris == other.tos_uris
+          return false unless @policy_uri == other.policy_uri
+          return false unless @policy_uris == other.policy_uris
+          return false unless @client_uri == other.client_uri
+          return false unless @client_uris == other.client_uris
+          return false unless @bc_delivery_mode == other.bc_delivery_mode
+          return false unless @bc_notification_endpoint == other.bc_notification_endpoint
+          return false unless @bc_user_code_required == other.bc_user_code_required
+          return false unless @attributes == other.attributes
+          return false unless @extension == other.extension
+          return false unless @authorization_details_types == other.authorization_details_types
+          return false unless @custom_metadata == other.custom_metadata
+          return false unless @front_channel_request_object_encryption_required == other.front_channel_request_object_encryption_required
+          return false unless @request_object_encryption_alg_match_required == other.request_object_encryption_alg_match_required
+          return false unless @request_object_encryption_enc_match_required == other.request_object_encryption_enc_match_required
+          return false unless @digest_algorithm == other.digest_algorithm
+          return false unless @single_access_token_per_subject == other.single_access_token_per_subject
+          return false unless @pkce_required == other.pkce_required
+          return false unless @pkce_s256_required == other.pkce_s256_required
+          return false unless @dpop_required == other.dpop_required
+          return false unless @automatically_registered == other.automatically_registered
+          return false unless @explicitly_registered == other.explicitly_registered
+          return false unless @rs_request_signed == other.rs_request_signed
+          return false unless @rs_signed_request_key_id == other.rs_signed_request_key_id
+          return false unless @client_registration_types == other.client_registration_types
+          return false unless @organization_name == other.organization_name
+          return false unless @signed_jwks_uri == other.signed_jwks_uri
+          return false unless @entity_id == other.entity_id
+          return false unless @trust_anchor_id == other.trust_anchor_id
+          return false unless @trust_chain == other.trust_chain
+          return false unless @trust_chain_expires_at == other.trust_chain_expires_at
+          return false unless @trust_chain_updated_at == other.trust_chain_updated_at
+          return false unless @locked == other.locked
+          return false unless @credential_offer_endpoint == other.credential_offer_endpoint
+          return false unless @fapi_modes == other.fapi_modes
+          return false unless @response_modes == other.response_modes
+          return false unless @credential_response_encryption_required == other.credential_response_encryption_required
+          return false unless @mtls_endpoint_aliases_used == other.mtls_endpoint_aliases_used
+          return false unless @in_scope_for_token_migration == other.in_scope_for_token_migration
+          return false unless @metadata_document_location == other.metadata_document_location
+          return false unless @metadata_document_expires_at == other.metadata_document_expires_at
+          return false unless @metadata_document_updated_at == other.metadata_document_updated_at
+          return false unless @discovered_by_metadata_document == other.discovered_by_metadata_document
+          return false unless @client_source == other.client_source
+          return false unless @additional_properties == other.additional_properties
+          return false unless @authorization_sign_alg == other.authorization_sign_alg
+          return false unless @authorization_encryption_alg == other.authorization_encryption_alg
+          return false unless @authorization_encryption_enc == other.authorization_encryption_enc
+          return false unless @token_auth_sign_alg == other.token_auth_sign_alg
+          return false unless @request_sign_alg == other.request_sign_alg
+          return false unless @request_encryption_alg == other.request_encryption_alg
+          return false unless @request_encryption_enc == other.request_encryption_enc
+          return false unless @id_token_sign_alg == other.id_token_sign_alg
+          return false unless @id_token_encryption_alg == other.id_token_encryption_alg
+          return false unless @id_token_encryption_enc == other.id_token_encryption_enc
+          return false unless @user_info_sign_alg == other.user_info_sign_alg
+          return false unless @user_info_encryption_alg == other.user_info_encryption_alg
+          return false unless @user_info_encryption_enc == other.user_info_encryption_enc
+          return false unless @bc_request_sign_alg == other.bc_request_sign_alg
+          true
+        end
+      end
+    end
+  end
+end