authlete_ruby_sdk 0.0.2.beta → 0.0.5.pre.beta

data/lib/authlete/models/components/service.rb

@@ -7,7 +7,6 @@
 module Authlete
   module Models
     module Components
-    
 
       class Service
         extend T::Sig
@@ -18,12 +17,12 @@ module Authlete
         # The name of this service.
         field :service_name, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('serviceName') } }
         # The issuer identifier of the service.
-        # 
+        #
         # A URL that starts with  https:// and has no query or fragment component.
-        # 
+        #
         # The value of this property is used as `iss` claim in an [ID token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)
         # and `issuer` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
-        # 
+        #
         field :issuer, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('issuer') } }
         # The description about the service.
         field :description, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('description') } }
@@ -31,1227 +30,876 @@ module Authlete
         field :api_key, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('apiKey') } }
         # The API secret of this service. This value is assigned by Authlete and 
         # is used for service authentication in API calls.
-        # 
+        #
         field :api_secret, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('apiSecret') } }
         # The endpoint for batch token notifications. This endpoint is called when 
         # multiple tokens are issued or revoked in a batch operation.
-        # 
+        #
         field :token_batch_notification_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tokenBatchNotificationEndpoint') } }
         # The flag indicating whether the audience of client assertion JWTs must 
         # match the issuer identifier of this service.
-        # 
+        #
         field :client_assertion_aud_restricted_to_issuer, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('clientAssertionAudRestrictedToIssuer') } }
         # The number of the organization that owns this service. This value is 
         # assigned by Authlete.
-        # 
+        #
         field :service_owner_number, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('serviceOwnerNumber') } }
         # The maximum number of client applications that a developer can have.
-        # 
+        #
         field :clients_per_developer, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('clientsPerDeveloper') } }
         # The endpoint for developer authentication callbacks. This is used when 
         # developers log into the developer portal.
-        # 
+        #
         field :developer_authentication_callback_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('developerAuthenticationCallbackEndpoint') } }
         # The API key for basic authentication at the developer authentication 
         # callback endpoint.
-        # 
+        #
         field :developer_authentication_callback_api_key, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('developerAuthenticationCallbackApiKey') } }
         # The API secret for basic authentication at the developer authentication 
         # callback endpoint.
-        # 
+        #
         field :developer_authentication_callback_api_secret, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('developerAuthenticationCallbackApiSecret') } }
         # Social login services (SNS) that this service supports for end-user 
         # authentication.
-        # 
+        #
         field :supported_snses, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::SupportedSnse)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedSnses') } }
         # The credentials for social login services (SNS) that are used for 
         # end-user authentication.
-        # 
+        #
         field :sns_credentials, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::SnsCredentials)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('snsCredentials') } }
         # Deprecated. Always `true`.
         field :client_id_alias_enabled, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('clientIdAliasEnabled') } }
         # The `metadata` of the service. The content of the returned array depends on contexts.
         # The predefined service metadata is listed in the following table.
-        # 
+        #
         #   | Key | Description |
         #   | --- | --- |
         #   | `clientCount` | The number of client applications which belong to this service.  |
-        # 
+        #
         field :metadata, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::Pair)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('metadata') } }
         # The time at which this service was created. The value is represented as milliseconds since the
         # UNIX epoch (`1970-01-01`).
-        # 
+        #
         field :created_at, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('createdAt') } }
         # The time at which this service was last modified. The value is represented as milliseconds since
         # the UNIX epoch (1970-01-01).
-        # 
+        #
         field :modified_at, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('modifiedAt') } }
         # A Web API endpoint for user authentication which is to be prepared on the service side.
-        # 
+        #
         # The endpoint must be implemented if you do not implement the UI at the authorization endpoint
         # but use the one provided by Authlete.
-        # 
+        #
         # The user authentication at the authorization endpoint provided by Authlete is performed by making
         # a `POST` request to this endpoint.
-        # 
+        #
         field :authentication_callback_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('authenticationCallbackEndpoint') } }
         # API key for basic authentication at the authentication callback endpoint.
-        # 
+        #
         # If the value is not empty, Authlete generates Authorization header for Basic authentication when
         # making a request to the authentication callback endpoint.
-        # 
+        #
         field :authentication_callback_api_key, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('authenticationCallbackApiKey') } }
         # API secret for `basic` authentication at the authentication callback endpoint.
         field :authentication_callback_api_secret, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('authenticationCallbackApiSecret') } }
         # Values of acrs (authentication context class references) that the service supports.
-        # 
+        #
         # The value of this property is used as `acr_values_supported`
         # property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
-        # 
+        #
         field :supported_acrs, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedAcrs') } }
         # Values of `grant_type` request parameter that the service supports.
-        # 
+        #
         # The value of this property is used as `grant_types_supported property` in the
         # [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
-        # 
+        #
         field :supported_grant_types, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::GrantType)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedGrantTypes') } }
         # Values of `response_type` request parameter that
         # the service supports. Valid values are listed in Response Type.
-        # 
+        #
         # The value of this property is used as `response_types_supported` property in the
         # [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
-        # 
+        #
         field :supported_response_types, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::ResponseType)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedResponseTypes') } }
         # The supported data types that can be used as values of the type field in `authorization_details`.
-        # 
+        #
         # This property corresponds to the `authorization_details_types_supported` metadata. See "OAuth 2.0
         # Rich Authorization Requests" (RAR) for details.
-        # 
+        #
         field :supported_authorization_details_types, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedAuthorizationDetailsTypes') } }
         # The profiles that this service supports.
-        # 
+        #
         field :supported_service_profiles, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::ServiceProfile)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedServiceProfiles') } }
         # The flag to indicate whether the `error_description` response parameter is omitted.
-        # 
+        #
         # According to [RFC 6749](https://tools.ietf.org/html/rfc6749), an authorization server may include
         # the `error_description` response parameter in error responses.
-        # 
+        #
         # If `true`, Authlete does not embed the `error_description` response parameter in error responses.
-        # 
+        #
         field :error_description_omitted, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('errorDescriptionOmitted') } }
         # The flag to indicate whether the `error_uri` response parameter is omitted.
-        # 
+        #
         # According to [RFC 6749](https://tools.ietf.org/html/rfc6749), an authorization server may include the `error_uri` response parameter in error responses.
-        # 
+        #
         # If `true`, Authlete does not embed the
         # `error_uri` response parameter in error responses.
-        # 
+        #
         field :error_uri_omitted, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('errorUriOmitted') } }
         # The authorization endpoint of the service.
-        # 
+        #
         # A URL that starts with `https://` and has no fragment component. For example, `https://example.com/auth/authorization`.
-        # 
+        #
         # The value of this property is used as `authorization_endpoint` property in the [OpenID Provider
         # Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
-        # 
+        #
         field :authorization_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('authorizationEndpoint') } }
         # The flag to indicate whether the direct authorization endpoint is enabled or not.
-        # 
+        #
         # The path of the endpoint is `/api/auth/authorization/direct/service-api-key`.
-        # 
+        #
         field :direct_authorization_endpoint_enabled, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('directAuthorizationEndpointEnabled') } }
         # UI locales that the service supports.
-        # 
+        #
         # Each element is a language tag defined in [RFC 5646](https://tools.ietf.org/html/rfc5646). For example, `en-US` and `ja-JP`.
-        # 
+        #
         # The value of this property is used as `ui_locales_supported` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
-        # 
+        #
         field :supported_ui_locales, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedUiLocales') } }
         # Values of `display` request parameter that service supports.
-        # 
+        #
         # The value of this property is used as `display_values_supported` property in the Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
-        # 
+        #
         field :supported_displays, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::Display)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedDisplays') } }
         # The flag to indicate whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.
-        # 
+        #
         # If `true`, `code_challenge` request parameter is always required for authorization requests using Authorization Code Flow.
-        # 
+        #
         # See [RFC 7636](https://tools.ietf.org/html/rfc7636) (Proof Key for Code Exchange by OAuth Public Clients) for details about `code_challenge` request parameter.
-        # 
+        #
         field :pkce_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('pkceRequired') } }
         # The flag to indicate whether `S256` is always required as the code challenge method whenever [PKCE (RFC 7636)](https://tools.ietf.org/html/rfc7636) is used.
-        # 
+        #
         # If this flag is set to `true`, `code_challenge_method=S256` must be included in the authorization request
         # whenever it includes the `code_challenge` request parameter.
         # Neither omission of the `code_challenge_method` request parameter nor use of plain (`code_challenge_method=plain`) is allowed.
-        # 
+        #
         field :pkce_s256_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('pkceS256Required') } }
         # The duration of authorization response JWTs in seconds.
-        # 
+        #
         # [Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)](https://openid.net/specs/openid-financial-api-jarm.html)
         # defines new values for the `response_mode` request parameter. They are `query.jwt`, `fragment.jwt`,
         # `form_post.jwt` and `jwt`. If one of them is specified as the response mode, response parameters
         # from the authorization endpoint will be packed into a JWT. This property is used to compute the
         # value of the `exp` claim of the JWT.
-        # 
+        #
         field :authorization_response_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('authorizationResponseDuration') } }
         # The [token endpoint](https://tools.ietf.org/html/rfc6749#section-3.2) of the service.
-        # 
+        #
         # A URL that starts with `https://` and has not fragment component. For example, `https://example.com/auth/token`.
-        # 
+        #
         # The value of this property is used as `token_endpoint` property in the
         # [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
-        # 
+        #
         field :token_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tokenEndpoint') } }
         # The flag to indicate whether the direct token endpoint is enabled or not. The path of the endpoint
         # is `/api/auth/token/direct/service-api-key`.
-        # 
+        #
         field :direct_token_endpoint_enabled, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('directTokenEndpointEnabled') } }
         # Client authentication methods supported by the token endpoint of the service.
-        # 
+        #
         # The value of this property is used as `token_endpoint_auth_methods_supports` property in the
         # [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
-        # 
+        #
         field :supported_token_auth_methods, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::ClientAuthMethod)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedTokenAuthMethods') } }
         # The flag to indicate token requests from public clients without the `client_id` request parameter are allowed when the client can be guessed from `authorization_code` or `refresh_token`.
-        # 
+        #
         # This flag should not be set unless you have special reasons.
-        # 
+        #
         field :missing_client_id_allowed, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('missingClientIdAllowed') } }
         # The [revocation endpoint](https://tools.ietf.org/html/rfc7009) of the service.
-        # 
+        #
         # A URL that starts with `https://`. For example, `https://example.com/auth/revocation`.
-        # 
+        #
         field :revocation_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('revocationEndpoint') } }
         # The flag to indicate whether the direct revocation endpoint is enabled or not. The URL of the endpoint is `/api/auth/revocation/direct/service-api-key`. 
         field :direct_revocation_endpoint_enabled, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('directRevocationEndpointEnabled') } }
         # Client authentication methods supported at the revocation endpoint.
-        # 
+        #
         field :supported_revocation_auth_methods, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::ClientAuthMethod)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedRevocationAuthMethods') } }
         # The URI of the introspection endpoint.
         field :introspection_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('introspectionEndpoint') } }
         # The flag to indicate whether the direct userinfo endpoint is enabled or not. The path of the endpoint is `/api/auth/userinfo/direct/{serviceApiKey}`. 
         field :direct_introspection_endpoint_enabled, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('directIntrospectionEndpointEnabled') } }
         # Client authentication methods supported at the introspection endpoint.
-        # 
+        #
         field :supported_introspection_auth_methods, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::ClientAuthMethod)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedIntrospectionAuthMethods') } }
         # The URI of the pushed authorization request endpoint.
-        # 
+        #
         # This property corresponds to the `pushed_authorization_request_endpoint` metadata defined in "[5. Authorization Server Metadata](https://tools.ietf.org/html/draft-lodderstedt-oauth-par#section-5)" of OAuth 2.0 Pushed Authorization Requests.
-        # 
+        #
         field :pushed_auth_req_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('pushedAuthReqEndpoint') } }
         # The duration of pushed authorization requests in seconds.
-        # 
-        # [OAuth 2.0 Pushed Authorization Requests](https://tools.ietf.org/html/draft-lodderstedt-oauth-par)
-        # defines an endpoint (called "pushed authorization request endpoint") which client applications
-        # can register authorization requests into and get corresponding URIs (called "request URIs") from.
-        # The issued URIs represent the registered authorization requests. The client applications can use
-        # the URIs as the value of the `request_uri` request parameter in an authorization request.
-        # 
-        # The property represents the duration of registered authorization requests and is used as the value
-        # of the `expires_in` parameter in responses from the pushed authorization request endpoint.
-        # 
+        #
         field :pushed_auth_req_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('pushedAuthReqDuration') } }
         # The flag to indicate whether this service requires that clients use the pushed authorization
         # request endpoint.
-        # 
+        #
         # This property corresponds to the `require_pushed_authorization_requests` server metadata defined
         # in [OAuth 2.0 Pushed Authorization Requests](https://tools.ietf.org/html/draft-lodderstedt-oauth-par).
-        # 
+        #
         field :par_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('parRequired') } }
         # The flag to indicate whether this service requires that authorization requests always utilize
         # a request object by using either request or `request_uri` request parameter.
-        # 
+        #
         # If this flag is set to `true` and the value of `traditionalRequestObjectProcessingApplied` is
         # `false`, the value of `require_signed_request_object` server metadata of this service is reported
         # as `true` in the discovery document. The metadata is defined in JAR (JWT Secured Authorization Request).
         # That `require_signed_request_object` is `true` means that authorization requests which don't
         # conform to the JAR specification are rejected.
-        # 
+        #
         field :request_object_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('requestObjectRequired') } }
         # The flag to indicate whether a request object is processed based on rules defined in
         # [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html) or JAR (JWT
         # Secured Authorization Request).
-        # 
-        # Differences between rules in OpenID Connect Core 1.0 and ones in JAR are as follows.
-        #   - JAR requires that a request object be always -signed.
-        #   - JAR does not allow request parameters outside a request object to be referred to.
-        #   - OIDC Core 1.0 requires that response_type request parameter exist outside a request object even if the request object includes the request parameter.
-        #   - OIDC Core 1.0 requires that scope request parameter exist outside a request object if the authorization request is an
-        #   - OIDC request even if the request object includes the request parameter.
-        # 
-        # If this flag is set to `false` and the value of `requestObjectRequired` is `true`, the value of
-        # `require_signed_request_object` server metadata of this service
-        # is reported as `true` in the discovery document. The metadata is defined in JAR (JWT Secured
-        # Authorization Request). That `require_signed_request_object` is `true` means that authorization
-        # requests which don't conform to the JAR specification are rejected.
-        # 
+        #
         field :traditional_request_object_processing_applied, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('traditionalRequestObjectProcessingApplied') } }
         # The flag to indicate whether this service validates certificate chains during PKI-based client mutual TLS authentication.
-        # 
+        #
         field :mutual_tls_validate_pki_cert_chain, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('mutualTlsValidatePkiCertChain') } }
         # The list of root certificates trusted by this service for PKI-based client mutual TLS authentication.
-        # 
+        #
         field :trusted_root_certificates, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('trustedRootCertificates') } }
         # The MTLS endpoint aliases.
-        # 
-        # This property corresponds to the mtls_endpoint_aliases metadata defined in "5. Metadata for Mutual TLS Endpoint Aliases" of [OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens](https://datatracker.ietf.org/doc/rfc8705/).
-        # 
-        # The aliases will be embedded in the response from the discovery endpoint like the following.
-        # 
-        # ```json
-        # {
-        #   ......,
-        #   "mtls_endpoint_aliases": {
-        #     "token_endpoint":         "https://mtls.example.com/token",
-        #     "revocation_endpoint":    "https://mtls.example.com/revo",
-        #     "introspection_endpoint": "https://mtls.example.com/introspect"
-        #   }
-        # }
-        # ```
-        # 
+        #
         field :mtls_endpoint_aliases, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::NamedUri)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('mtlsEndpointAliases') } }
         # The access token type.
-        # 
+        #
         # This value is used as the value of `token_type` property in access token responses. If this service
         # complies with [RFC 6750](https://tools.ietf.org/html/rfc6750), the value of this property should
         # be `Bearer`.
-        # 
+        #
         # See [RFC 6749 (OAuth 2.0), 7.1. Access Token Types](https://tools.ietf.org/html/rfc6749#section-7.1) for details.
-        # 
+        #
         field :access_token_type, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('accessTokenType') } }
         # The flag to indicate whether this service supports issuing TLS client certificate bound access tokens.
-        # 
+        #
         field :tls_client_certificate_bound_access_tokens, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tlsClientCertificateBoundAccessTokens') } }
         # The duration of access tokens in seconds. This value is used as the value of `expires_in` property
         # in access token responses. `expires_in` is defined [RFC 6749, 5.1. Successful Response](https://tools.ietf.org/html/rfc6749#section-5.1).
-        # 
+        #
         field :access_token_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('accessTokenDuration') } }
         # The flag to indicate whether the number of access tokens per subject (and per client) is at most one or can be more.
-        # 
+        #
         # If `true`, an attempt to issue a new access token invalidates existing access tokens that are associated with the same subject and the same client.
-        # 
+        #
         # Note that, however, attempts by [Client Credentials Flow](https://tools.ietf.org/html/rfc6749#section-4.4) do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject. Also note that an attempt by [Refresh Token Flow](https://tools.ietf.org/html/rfc6749#section-6) invalidates the coupled access token only and this invalidation is always performed regardless of whether the value of this setting item is `true` or `false`.
-        # 
+        #
         field :single_access_token_per_subject, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('singleAccessTokenPerSubject') } }
         # The key ID to identify a JWK used for signing access tokens.
-        # 
+        #
         # A JWK Set can be registered as a property of a service. A JWK Set can contain 0 or more JWKs.
         # Authlete Server has to pick up one JWK for signing from the JWK Set when it generates a JWT-based
         # access token. Authlete Server searches the registered JWK Set for a JWK which satisfies conditions
         # for access token signature. If the number of JWK candidates which satisfy the conditions is 1,
         # there is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed
         # to be specified so that Authlete Server can pick up one JWK from among the JWK candidates.
-        # 
+        #
         field :access_token_signature_key_id, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('accessTokenSignatureKeyId') } }
         # The duration of refresh tokens in seconds. The related specifications have no requirements on refresh token duration, but Authlete sets expiration for refresh tokens.
         field :refresh_token_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('refreshTokenDuration') } }
         # The flag to indicate whether the remaining duration of the used refresh token is taken over to
         # the newly issued refresh token.
-        # 
+        #
         field :refresh_token_duration_kept, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('refreshTokenDurationKept') } }
         # The flag which indicates whether duration of refresh tokens are reset when they are used even
         # if the `refreshTokenKept` property of this service set to is `true` (= even if "Refresh Token
         # Continuous Use" is "Kept").
-        # 
+        #
         # This flag has no effect when the `refreshTokenKept` property is set to `false`. In other words,
         # if this service issues a new refresh token on every refresh token request, the refresh token
         # will have fresh duration (unless `refreshTokenDurationKept` is set to `true`) and this
         # `refreshTokenDurationReset` property is not referenced.
-        # 
+        #
         field :refresh_token_duration_reset, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('refreshTokenDurationReset') } }
         # The flag to indicate whether a refresh token remains unchanged or gets renewed after its use.
-        # 
+        #
         # If `true`, a refresh token used to get a new access token remains valid after its use. Otherwise, if `false`, a refresh token is invalidated after its use and a new refresh token is issued.
-        # 
+        #
         # See [RFC 6749 6. Refreshing an Access Token](https://tools.ietf.org/html/rfc6749#section-6), as to how to get a new access token using a refresh token.
-        # 
+        #
         field :refresh_token_kept, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('refreshTokenKept') } }
         # Scopes supported by the service.
-        # 
-        # Authlete strongly recommends that the service register at least the following scopes.
-        # 
-        # | Name | Description |
-        # | --- | --- |
-        # | openid | A permission to get an ID token of an end-user. The `openid` scope appears in [OpenID Connect Core 1.0, 3.1.2.1. Authentication Request, scope](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). Without this scope, Authlete does not allow `response_type` request parameter to have values other than code and token. |
-        # | profile | A permission to get information about `name`, `family_name`, `given_name`, `middle_name`, `nickname`, `preferred_username`, `profile`, `picture`, `website`, `gender`, `birthdate`, `zoneinfo`, `locale` and `updated_at` from the user info endpoint. See [OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) for details. |
-        # | email | A permission to get information about `email` and `email_verified` from the user info endpoint. See [OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) for details. |
-        # | address | A permission to get information about address from the user info endpoint. See [OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) and [5.1.1. Address Claim](https://openid.net/specs/openid-connect-core-1_0.html#AddressClaim) for details. |
-        # | phone | A permission to get information about `phone_number` and `phone_number_verified` from the user info endpoint. See [OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) for details. |
-        # | offline_access | A permission to get information from the user info endpoint even when the end-user is not present. See [OpenID Connect Core 1.0, 11. Offline Access](https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess) for details. |
-        # 
-        # The value of this property is used as `scopes_supported` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
-        # 
+        #
         field :supported_scopes, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::Scope)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedScopes') } }
         # The flag to indicate whether requests that request no scope are rejected or not.
-        # 
-        # When a request has no explicit `scope` parameter and the service's pre-defined default scope set is empty,
-        # the authorization server regards the request requests no scope. When this flag is set to `true`,
-        # requests that request no scope are rejected.
-        # 
-        # The requirement below excerpted from [RFC 6749 Section 3.3](https://tools.ietf.org/html/rfc6749#section-3.3)
-        # does not explicitly mention the case where the default scope set is empty.
-        # 
-        # > If the client omits the scope parameter when requesting authorization, the authorization server
-        # MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope.
-        # 
-        # However, if you interpret *"the default scope set exists but is empty"* as *"the default scope set does not exist"*
-        # and want to strictly conform to the requirement above, this flag has to be `true`.
-        # 
+        #
         field :scope_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('scopeRequired') } }
         # 'The duration of [ID token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)s
         # in seconds. This value is used to calculate the value of `exp` claim in an ID token.'
-        # 
+        #
         field :id_token_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('idTokenDuration') } }
         # The allowable clock skew between the server and clients in seconds.
-        # 
+        #
         # The clock skew is taken into consideration when time-related claims in a JWT (e.g. `exp`, `iat`, `nbf`) are verified.
-        # 
+        #
         field :allowable_clock_skew, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('allowableClockSkew') } }
         # Claim types supported by the service. Valid values are listed in Claim Type. Note that Authlete
         # currently doesn't provide any API to help implementations for `AGGREGATED` and `DISTRIBUTED`.
-        # 
+        #
         # The value of this property is used as `claim_types_supported` property in the [OpenID Provider
         # Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
-        # 
+        #
         field :supported_claim_types, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::ClaimType)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedClaimTypes') } }
         # Claim locales that the service supports. Each element is a language tag defined in [RFC 5646](https://tools.ietf.org/html/rfc5646).
         # For example, `en-US` and `ja-JP`. See [OpenID Connect Core 1.0, 5.2. Languages and Scripts](https://openid.net/specs/openid-connect-core-1_0.html#ClaimsLanguagesAndScripts)
         # for details.
-        # 
+        #
         # The value of this property is used as `claims_locales_supported` property in the
         # [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
-        # 
+        #
         field :supported_claim_locales, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedClaimLocales') } }
         # Claim names that the service supports. The standard claim names listed in [OpenID Connect Core 1.0,
         # 5.1. Standard Claim](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) should
         # be supported. The following is the list of standard claims.
-        # 
-        # - `sub`
-        # - `name`
-        # - `given_name`
-        # - `family_name`
-        # - `middle_name`
-        # - `nickname`
-        # - `preferred_username`
-        # - `profile`
-        # - `picture`
-        # - `website`
-        # - `email`
-        # - `email_verified`
-        # - `gender`
-        # - `birthdate`
-        # - `zoneinfo`
-        # - `locale`
-        # - `phone_number`
-        # - `phone_number_verified`
-        # - `address`
-        # - `updated_at`
-        # 
-        # The value of this property is used as `claims_supported` property in the [OpenID Provider
-        # Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
-        # 
-        # The service may support its original claim names. See [OpenID Connect Core 1.0, 5.1.2. Additional
-        # Claims](https://openid.net/specs/openid-connect-core-1_0.html#AdditionalClaims).
-        # 
+        #
         field :supported_claims, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedClaims') } }
         # The flag indicating whether claims specified by shortcut scopes (e.g. `profile`) are included
         # in the issued ID token only when no access token is issued.
-        # 
-        # To strictly conform to the description below excerpted from [OpenID Connect Core 1.0 Section
-        # 5.4](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims), this flag has to be `true`.
-        # 
-        # > The Claims requested by the profile, email, address, and phone scope values are returned from
-        # the UserInfo Endpoint, as described in Section 5.3.2, when a response_type value is used that
-        # results in an Access Token being issued. However, when no Access Token is issued (which is the
-        # case for the response_type value id_token), the resulting Claims are returned in the ID Token.
-        # 
+        #
         field :claim_shortcut_restrictive, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('claimShortcutRestrictive') } }
         # The URL of the service's [JSON Web Key Set](https://tools.ietf.org/html/rfc7517) document. For
         # example, `http://example.com/auth/jwks`.
-        # 
+        #
         # Client applications accesses this URL (1) to get the public key of the service to validate the
         # signature of an ID token issued by the service and (2) to get the public key of the service to
         # encrypt an request object of the client application. See [OpenID Connect Core 1.0, 10. Signatures
         # and Encryption](https://openid.net/specs/openid-connect-core-1_0.html#SigEnc) for details.
-        # 
+        #
         # The value of this property is used as `jwks_uri` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
-        # 
+        #
         field :jwks_uri, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('jwksUri') } }
         # 'The flag to indicate whether the direct jwks endpoint is enabled or not. The path of the endpoint
         # is `/api/service/jwks/get/direct/service-api-key`. '
-        # 
+        #
         field :direct_jwks_endpoint_enabled, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('directJwksEndpointEnabled') } }
         # The content of the service's [JSON Web Key Set](https://tools.ietf.org/html/rfc7517) document.
-        # 
+        #
         # If this property is not `null` in a `/service/create` request or a `/service/update` request,
         # Authlete hosts the content in the database. This property must not be `null` and must contain
         # pairs of public/private keys if the service wants to support asymmetric signatures for ID tokens
         # and asymmetric encryption for request objects. See [OpenID Connect Core 1.0, 10. Signatures and
         # Encryption](https://openid.net/specs/openid-connect-core-1_0.html#SigEnc) for details.
-        # 
+        #
         field :jwks, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('jwks') } }
         # The key ID to identify a JWK used for ID token signature using an asymmetric key.
-        # 
-        # A JWK Set can be registered as a property of a Service. A JWK Set can contain 0 or more JWKs
-        # (See [RFC 7517](https://tools.ietf.org/html/rfc7517) for details about JWK). Authlete Server has
-        # to pick up one JWK for signature from the JWK Set when it generates an ID token and signature
-        # using an asymmetric key is required. Authlete Server searches the registered JWK Set for a JWK
-        # which satisfies conditions for ID token signature. If the number of JWK candidates which satisfy
-        # the conditions is 1, there is no problem. On the other hand, if there exist multiple candidates,
-        # a [Key ID](https://tools.ietf.org/html/rfc7517#section-4.5) is needed to be specified so that
-        # Authlete Server can pick up one JWK from among the JWK candidates.
-        # 
-        # This `idTokenSignatureKeyId` property exists for the purpose described above. For key rotation
-        # (OpenID Connect Core 1.0, [10.1.1. Rotation of Asymmetric Signing Keys](http://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys)),
-        # this mechanism is needed.
-        # 
+        #
         field :id_token_signature_key_id, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('idTokenSignatureKeyId') } }
         # The key ID to identify a JWK used for user info signature using an asymmetric key.
-        # 
-        # A JWK Set can be registered as a property of a Service. A JWK Set can contain 0 or more JWKs
-        # (See [RFC 7517](https://tools.ietf.org/html/rfc7517) for details about JWK). Authlete Server has
-        # to pick up one JWK for signature from the JWK Set when it is required to sign user info (which
-        # is returned from [userinfo endpoint](http://openid.net/specs/openid-connect-core-1_0.html#UserInfo))
-        # using an asymmetric key. Authlete Server searches the registered JWK Set for a JWK which satisfies
-        # conditions for user info signature. If the number of JWK candidates which satisfy the conditions
-        # is 1, there is no problem. On the other hand, if there exist multiple candidates, a [Key ID](https://tools.ietf.org/html/rfc7517#section-4.5)
-        # is needed to be specified so that Authlete Server can pick up one JWK from among the JWK candidates.
-        # 
-        # This `userInfoSignatureKeyId` property exists for the purpose described above. For key rotation
-        # (OpenID Connect Core 1.0, [10.1.1. Rotation of Asymmetric Signing Keys](http://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys)),
-        # this mechanism is needed.
-        # 
+        #
         field :user_info_signature_key_id, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('userInfoSignatureKeyId') } }
         # The key ID to identify a JWK used for signing authorization responses using an asymmetric key.
-        # 
-        # [Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)](https://openid.net/specs/openid-financial-api-jarm.html)
-        # defines new values for the `response_mode` request parameter. They are `query.jwt`, `fragment.jwt`,
-        # `form_post.jwt` and `jwt`. If one of them is specified as the response mode, response parameters
-        # from the authorization endpoint will be packed into a JWT. This property is used to compute the
-        # value of the `exp` claim of the JWT.
-        # 
-        # Authlete Server searches the JWK Set for a JWK which satisfies conditions for authorization response
-        # signature. If the number of JWK candidates which satisfy the conditions is 1, there is no problem.
-        # On the other hand, if there exist multiple candidates, a Key ID is needed to be specified so that
-        # Authlete Server can pick up one JWK from among the JWK candidates. This property exists to specify
-        # the key ID.
-        # 
+        #
         field :authorization_signature_key_id, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('authorizationSignatureKeyId') } }
         # The [user info endpoint](http://openid.net/specs/openid-connect-core-1_0.html#UserInfo) of the
         # service. A URL that starts with `https://`. For example, `https://example.com/auth/userinfo`.
-        # 
+        #
         # The value of this property is used as `userinfo_endpoint` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
-        # 
+        #
         field :user_info_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('userInfoEndpoint') } }
         # The flag to indicate whether the direct userinfo endpoint is enabled or not. The path
         # of the endpoint is `/api/auth/userinfo/direct/service-api-key`.
-        # 
+        #
         field :direct_user_info_endpoint_enabled, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('directUserInfoEndpointEnabled') } }
         # The boolean flag which indicates whether the [OAuth 2.0 Dynamic Client Registration Protocol](https://tools.ietf.org/html/rfc7591)
         # is supported.
-        # 
+        #
         field :dynamic_registration_supported, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('dynamicRegistrationSupported') } }
         # The [registration endpoint](http://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration)
         # of the service. A URL that starts with `https://`. For example, `https://example.com/auth/registration`.
-        # 
+        #
         # The value of this property is used as `registration_endpoint` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
-        # 
+        #
         field :registration_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('registrationEndpoint') } }
         # The URI of the registration management endpoint. If dynamic client registration is supported,
         # and this is set, this URI will be used as the basis of the client's management endpoint by appending
-        # `/clientid}/` to it as a path element. If this is unset, the value of `registrationEndpoint` will
+        # `/clientid}/` to it as a path element. If this is unset, the value of `registrationEndpoint` will
         # be used as the URI base instead.
-        # 
+        #
         field :registration_management_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('registrationManagementEndpoint') } }
         # The URL of the "Policy" of the service.
-        # 
+        #
         # The value of this property is used as `op_policy_uri` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
-        # 
+        #
         field :policy_uri, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('policyUri') } }
         # The URL of the "Terms Of Service" of the service.
-        # 
+        #
         # The value of this property is used as `op_tos_uri` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
-        # 
+        #
         field :tos_uri, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tosUri') } }
         # The URL of a page where documents for developers can be found.
-        # 
+        #
         # The value of this property is used as `service_documentation` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
-        # 
+        #
         field :service_documentation, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('serviceDocumentation') } }
         # The URI of backchannel authentication endpoint, which is defined in the specification of [CIBA
         # (Client Initiated Backchannel Authentication)](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html).
-        # 
+        #
         field :backchannel_authentication_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('backchannelAuthenticationEndpoint') } }
         # The supported backchannel token delivery modes. This property corresponds to the `backchannel_token_delivery_modes_supported`
         # metadata.
-        # 
+        #
         # Backchannel token delivery modes are defined in the specification of [CIBA (Client Initiated
         # Backchannel Authentication)](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html).
-        # 
+        #
         field :supported_backchannel_token_delivery_modes, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::DeliveryMode)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedBackchannelTokenDeliveryModes') } }
         # The duration of backchannel authentication request IDs issued from the backchannel authentication
         # endpoint in seconds. This is used as the value of the `expires_in` property in responses from
         # the backchannel authentication endpoint.
-        # 
+        #
         field :backchannel_auth_req_id_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('backchannelAuthReqIdDuration') } }
         # The minimum interval between polling requests to the token endpoint from client applications in
         # seconds. This is used as the value of the `interval` property in responses from the backchannel
         # authentication endpoint.
-        # 
+        #
         field :backchannel_polling_interval, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('backchannelPollingInterval') } }
         # The boolean flag which indicates whether the `user_code` request parameter is supported at the
         # backchannel authentication endpoint. This property corresponds to the `backchannel_user_code_parameter_supported`
         # metadata.
-        # 
+        #
         field :backchannel_user_code_parameter_supported, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('backchannelUserCodeParameterSupported') } }
         # The flag to indicate whether the `binding_message` request parameter is always required whenever
         # a backchannel authentication request is judged as a request for Financial-grade API.
-        # 
-        # The FAPI-CIBA profile requires that the authorization server _"shall ensure unique authorization
-        # context exists in the authorization request or require a `binding_message` in the authorization
-        # request"_ (FAPI-CIBA, 5.2.2, 2). The simplest way to fulfill this requirement is to set this property
-        # to `true`.
-        # 
-        # If this property is set to `false`, the `binding_message` request parameter remains optional
-        # even in FAPI context, but in exchange, your authorization server must implement a custom mechanism
-        # that ensures each backchannel authentication request has unique context.
-        # 
+        #
         field :backchannel_binding_message_required_in_fapi, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('backchannelBindingMessageRequiredInFapi') } }
         # The URI of the device authorization endpoint.
-        # 
+        #
         # Device authorization endpoint is defined in the specification of OAuth 2.0 Device Authorization Grant.
-        # 
+        #
         field :device_authorization_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('deviceAuthorizationEndpoint') } }
         # The verification URI for the device flow. This URI is used as the value of the `verification_uri`
         # parameter in responses from the device authorization endpoint.
-        # 
+        #
         field :device_verification_uri, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('deviceVerificationUri') } }
         # The verification URI for the device flow with a placeholder for a user code. This URI is used
         # to build the value of the `verification_uri_complete` parameter in responses from the device
         # authorization endpoint.
-        # 
-        # It is expected that the URI contains a fixed string `USER_CODE` somewhere as a placeholder for
-        # a user code. For example, like the following.
-        # 
-        # `https://example.com/device?user\_code=USER\_CODE`
-        # 
-        # The fixed string is replaced with an actual user code when Authlete builds a verification URI
-        # with a user code for the `verification_uri_complete` parameter.
-        # 
-        # If this URI is not set, the `verification_uri_complete` parameter won't appear in device authorization
-        # responses.
-        # 
+        #
         field :device_verification_uri_complete, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('deviceVerificationUriComplete') } }
         # The duration of device verification codes and end-user verification codes issued from the device
         # authorization endpoint in seconds. This is used as the value of the `expires_in` property in responses
         # from the device authorization endpoint.
-        # 
+        #
         field :device_flow_code_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('deviceFlowCodeDuration') } }
         # The minimum interval between polling requests to the token endpoint from client applications in
         # seconds in device flow. This is used as the value of the `interval` property in responses from
         # the device authorization endpoint.
-        # 
+        #
         field :device_flow_polling_interval, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('deviceFlowPollingInterval') } }
         # The character set for end-user verification codes (`user_code`) for Device Flow.
-        # 
-        field :user_code_charset, Crystalline::Nilable.new(Models::Components::UserCodeCharset), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('userCodeCharset'), 'decoder': Utils.enum_from_string(Models::Components::UserCodeCharset, true) } }
+        #
+        field :user_code_charset, Crystalline::Nilable.new(Models::Components::UserCodeCharset), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('userCodeCharset'), 'decoder': ::Authlete::Utils.enum_from_string(Models::Components::UserCodeCharset, true) } }
         # The length of end-user verification codes (`user_code`) for Device Flow.
-        # 
+        #
         field :user_code_length, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('userCodeLength') } }
         # Trust frameworks supported by this service. This corresponds to the `trust_frameworks_supported`
         # [metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).
-        # 
+        #
         field :supported_trust_frameworks, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedTrustFrameworks') } }
         # Evidence supported by this service. This corresponds to the `evidence_supported` [metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).
-        # 
+        #
         field :supported_evidence, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedEvidence') } }
         # Identity documents supported by this service. This corresponds to the `id_documents_supported`
         # [metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).
-        # 
+        #
         field :supported_identity_documents, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedIdentityDocuments') } }
         # Verification methods supported by this service. This corresponds to the `id_documents_verification_methods_supported`
         # [metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).
-        # 
+        #
         field :supported_verification_methods, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedVerificationMethods') } }
         # Verified claims supported by this service. This corresponds to the `claims_in_verified_claims_supported`
         # [metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).
-        # 
+        #
         field :supported_verified_claims, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedVerifiedClaims') } }
         # The verified claims validation schema set.
-        # 
-        field :verified_claims_validation_schema_set, Crystalline::Nilable.new(Models::Components::VerifiedClaimsValidationSchema), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('verifiedClaimsValidationSchemaSet'), 'decoder': Utils.enum_from_string(Models::Components::VerifiedClaimsValidationSchema, true) } }
+        #
+        field :verified_claims_validation_schema_set, Crystalline::Nilable.new(Models::Components::VerifiedClaimsValidationSchema), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('verifiedClaimsValidationSchemaSet'), 'decoder': ::Authlete::Utils.enum_from_string(Models::Components::VerifiedClaimsValidationSchema, true) } }
         # The attributes of this service.
-        # 
+        #
         field :attributes, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::Pair)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('attributes') } }
         # The flag indicating whether the nbf claim in the request object is optional even when the authorization
         # request is regarded as a FAPI-Part2 request.
-        # 
-        # The final version of Financial-grade API was approved in January, 2021. The Part 2 of the final
-        # version has new requirements on lifetime of request objects. They require that request objects
-        # contain an `nbf` claim and the lifetime computed by `exp` - `nbf` be no longer than 60 minutes.
-        # 
-        # Therefore, when an authorization request is regarded as a FAPI-Part2 request, the request object
-        # used in the authorization request must contain an nbf claim. Otherwise, the authorization server
-        # rejects the authorization request.
-        # 
-        # When this flag is `true`, the `nbf` claim is treated as an optional claim even when the authorization
-        # request is regarded as a FAPI-Part2 request. That is, the authorization server does not perform
-        # the validation on lifetime of the request object.
-        # 
-        # Skipping the validation is a violation of the FAPI specification. The reason why this flag has
-        # been prepared nevertheless is that the new requirements (which do not exist in the Implementer's
-        # Draft 2 released in October, 2018) have big impacts on deployed implementations of client
-        # applications and Authlete thinks there should be a mechanism whereby to make the migration
-        # from ID2 to Final smooth without breaking live systems.
-        # 
+        #
         field :nbf_optional, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('nbfOptional') } }
         # The flag indicating whether generation of the iss response parameter is suppressed.
-        # 
-        # "OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response" has defined a new
-        # authorization response parameter, `iss`, as a countermeasure for a certain type of mix-up attacks.
-        # 
-        # The specification requires that the `iss` response parameter always be included in authorization
-        # responses unless JARM (JWT Secured Authorization Response Mode) is used.
-        # 
-        # When this flag is `true`, the authorization server does not include the `iss` response parameter
-        # in authorization responses. By turning this flag on and off, developers of client applications
-        # can experiment the mix-up attack and the effect of the `iss` response parameter.
-        # 
-        # Note that this flag should not be `true` in production environment unless there are special
-        # reasons for it.
-        # 
+        #
         field :iss_suppressed, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('issSuppressed') } }
         # custom client metadata supported by this service.
-        # 
-        # Standard specifications define client metadata as necessary. The following are such examples.
-        # 
-        # * [OpenID Connect Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html)
-        # * [RFC 7591 OAuth 2.0 Dynamic Client Registration Protocol](https://www.rfc-editor.org/rfc/rfc7591.html)
-        # * [RFC 8705 OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens](https://www.rfc-editor.org/rfc/rfc8705.html)
-        # * [OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html)
-        # * [The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)](https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/)
-        # * [Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)](https://openid.net/specs/openid-financial-api-jarm.html)
-        # * [OAuth 2.0 Pushed Authorization Requests (PAR)](https://datatracker.ietf.org/doc/rfc9126/)
-        # * [OAuth 2.0 Rich Authorization Requests (RAR)](https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/)
-        # 
-        # Standard client metadata included in Client Registration Request and Client Update Request (cf.
-        # [OIDC DynReg](https://openid.net/specs/openid-connect-registration-1_0.html), [RFC 7591](https://www.rfc-editor.org/rfc/rfc7591.html)
-        # and [RFC 7592](https://www.rfc-editor.org/rfc/rfc7592.html)) are, if supported by Authlete, stored
-        # into Authlete database. On the other hand, unrecognized client metadata are discarded.
-        # 
-        # By listing up custom client metadata in advance by using this property (`supportedCustomClientMetadata`),
-        # Authlete can recognize them and stores their values into the database. The stored custom client
-        # metadata values can be referenced by `customMetadata`.
-        # 
+        #
         field :supported_custom_client_metadata, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedCustomClientMetadata') } }
         # The flag indicating whether the expiration date of an access token never exceeds that of the
         # corresponding refresh token.
-        # 
-        # When a new access token is issued by a refresh token request (= a token request with `grant_type=refresh_token`),
-        # the expiration date of the access token may exceed the expiration date of the corresponding
-        # refresh token. This behavior itself is not wrong and may happen when `refreshTokenKept` is
-        # `true` and/or when `refreshTokenDurationKept` is `true`.
-        # 
-        # When this flag is `true`, the expiration date of an access token never exceeds that of the corresponding
-        # refresh token regardless of the calculated duration based on other settings such as `accessTokenDuration`,
-        # `accessTokenDuration` in `extension` and `access_token.duration` scope attribute.
-        # 
-        # It is technically possible to set a value which is bigger than the duration of refresh tokens
-        # as the duration of access tokens although it is strange. In the case, the duration of an access
-        # token becomes longer than the duration of the refresh token which is issued together with the
-        # access token. Even if the duration values are configured so, if this flag is `true`, the expiration
-        # date of the access token does not exceed that of the refresh token. That is, the duration of
-        # the access token will be shortened, and as a result, the access token and the refresh token
-        # will have the same expiration date.
-        # 
+        #
         field :token_expiration_linked, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tokenExpirationLinked') } }
         # The flag indicating whether encryption of request object is required when the request object
         # is passed through the front channel.
-        # 
-        # This flag does not affect the processing of request objects at the Pushed Authorization Request
-        # Endpoint, which is defined in [OAuth 2.0 Pushed Authorization Requests](https://datatracker.ietf.org/doc/rfc9126/).
-        # Unecrypted request objects are accepted at the endpoint even if this flag is `true`.
-        # 
-        # This flag does not indicate whether a request object is always required. There is a different
-        # flag, `requestObjectRequired`, for the purpose. See the description of `requestObjectRequired`
-        # for details.
-        # 
-        # Even if this flag is `false`, encryption of request object is required if the `frontChannelRequestObjectEncryptionRequired`
-        # flag of the client is `true`.
-        # 
+        #
         field :front_channel_request_object_encryption_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('frontChannelRequestObjectEncryptionRequired') } }
         # The flag indicating whether the JWE alg of encrypted request object must match the `request_object_encryption_alg`
         # client metadata of the client that has sent the request object.
-        # 
-        # The request_object_encryption_alg client metadata itself is defined in [OpenID Connect Dynamic
-        # Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html) as follows.
-        # 
-        # > request_object_encryption_alg
-        # >
-        # > OPTIONAL. JWE [JWE] alg algorithm [JWA] the RP is declaring that it may use for encrypting
-        # Request Objects sent to the OP. This parameter SHOULD be included when symmetric encryption
-        # will be used, since this signals to the OP that a client_secret value needs to be returned
-        # from which the symmetric key will be derived, that might not otherwise be returned. The RP
-        # MAY still use other supported encryption algorithms or send unencrypted Request Objects, even
-        # when this parameter is present. If both signing and encryption are requested, the Request Object
-        # will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The
-        # default, if omitted, is that the RP is not declaring whether it might encrypt any Request Objects.
-        # 
-        # The point here is "The RP MAY still use other supported encryption algorithms or send unencrypted
-        # Request Objects, even when this parameter is present."
-        # 
-        # The Client's property that represents the client metadata is `requestEncryptionAlg`. See the
-        # description of `requestEncryptionAlg` for details.
-        # 
-        # Even if this flag is `false`, the match is required if the `requestObjectEncryptionAlgMatchRequired`
-        # flag of the client is `true`.
-        # 
+        #
         field :request_object_encryption_alg_match_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('requestObjectEncryptionAlgMatchRequired') } }
         # The flag indicating whether the JWE `enc` of encrypted request object must match the `request_object_encryption_enc`
         # client metadata of the client that has sent the request object.
-        # 
-        # The `request_object_encryption_enc` client metadata itself is defined in [OpenID Connect Dynamic
-        # Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html) as follows.
-        # 
-        # > request_object_encryption_enc
-        # >
-        # > OPTIONAL. JWE enc algorithm [JWA] the RP is declaring that it may use for encrypting Request
-        # Objects sent to the OP. If request_object_encryption_alg is specified, the default for this
-        # value is A128CBC-HS256. When request_object_encryption_enc is included, request_object_encryption_alg
-        # MUST also be provided.
-        # 
-        # The Client's property that represents the client metadata is `requestEncryptionEnc`. See the
-        # description of `requestEncryptionEnc` for details.
-        # 
-        # Even if this flag is false, the match is required if the `requestObjectEncryptionEncMatchRequired`
-        # flag is `true`.
-        # 
+        #
         field :request_object_encryption_enc_match_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('requestObjectEncryptionEncMatchRequired') } }
         # The flag indicating whether HSM (Hardware Security Module) support is enabled for this service.
-        # 
+        #
         # When this flag is `false`, keys managed in HSMs are not used even if they exist. In addition,
         # `/api/hsk/*` APIs reject all requests.
-        # 
+        #
         # Even if this flag is `true`, HSM-related features do not work if the configuration of the Authlete
         # server you are using does not support HSM.
-        # 
+        #
         field :hsm_enabled, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('hsmEnabled') } }
         # The information about keys managed on HSMs (Hardware Security Modules).
-        # 
+        #
         # This `hsks` property is output only, meaning that `hsks` in requests to `/api/service/create`
         # API and `/api/service/update` API do not have any effect. The contents of this property is controlled
         # only by `/api/hsk/*` APIs.
-        # 
+        #
         field :hsks, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::Hsk)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('hsks') } }
         # The URL of the grant management endpoint.
-        # 
+        #
         field :grant_management_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('grantManagementEndpoint') } }
         # The flag indicating whether every authorization request (and any request serving as an authorization
         # request such as CIBA backchannel authentication request and device authorization request) must
         # include the `grant_management_action` request parameter.
-        # 
-        # This property corresponds to the `grant_management_action_required` server metadata defined
-        # in [Grant Management for OAuth 2.0](https://openid.net/specs/fapi-grant-management.html).
-        # 
-        # Note that setting true to this property will result in blocking all public clients because
-        # the specification requires that grant management be usable only by confidential clients for
-        # security reasons.
-        # 
+        #
         field :grant_management_action_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('grantManagementActionRequired') } }
         # The flag indicating whether Authlete's `/api/client/registration` API uses `UNAUTHORIZED` as
         # a value of the `action` response parameter when appropriate.
-        # 
-        # The `UNAUTHORIZED` enum value was initially not defined as a possible value of the `action`
-        # parameter in an `/api/client/registration` API response. This means that implementations of
-        # client `configuration` endpoint were not able to conform to [RFC 7592](https://www.rfc-editor.org/rfc/rfc7592.html)
-        # strictly.
-        # 
-        # For backward compatibility (to avoid breaking running systems), Authlete's `/api/client/registration`
-        # API does not return the `UNAUTHORIZED` enum value if this flag is not turned on.
-        # 
-        # The steps an existing implementation of client configuration endpoint has to do in order to
-        # conform to the requirement related to "401 Unauthorized" are as follows.
-        # 
-        # 1. Update the Authlete library (e.g. authlete-java-common) your system is using.
-        # 2. Update your implementation of client configuration endpoint so that it can handle the
-        # `UNAUTHORIZED` action.
-        # 3. Turn on this `unauthorizedOnClientConfigSupported` flag.
-        # 
+        #
         field :unauthorized_on_client_config_supported, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('unauthorizedOnClientConfigSupported') } }
         # The flag indicating whether the `scope` request parameter in dynamic client registration and
         # update requests (RFC 7591 and RFC 7592) is used as scopes that the client can request.
-        # 
+        #
         # Limiting the range of scopes that a client can request is achieved by listing scopes in the
         # `client.extension.requestableScopes` property and setting the `client.extension.requestableScopesEnabled`
         # property to `true`. This feature is called "requestable scopes".
-        # 
+        #
         # This property affects behaviors of `/api/client/registration` and other family APIs.
-        # 
+        #
         field :dcr_scope_used_as_requestable, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('dcrScopeUsedAsRequestable') } }
         # The endpoint for clients ending the sessions.
-        # 
+        #
         # A URL that starts with `https://` and has no fragment component. For example, `https://example.com/auth/endSession`.
-        # 
+        #
         # The value of this property is used as `end_session_endpoint` property in the [OpenID Provider
         # Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
-        # 
+        #
         field :end_session_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('endSessionEndpoint') } }
         # The flag indicating whether the port number component of redirection URIs can be variable when
         # the host component indicates loopback.
-        # 
-        # When this flag is `true`, if the host component of a redirection URI specified in an authorization
-        # request indicates loopback (to be precise, when the host component is localhost, `127.0.0.1`
-        # or `::1`), the port number component is ignored when the specified redirection URI is compared
-        # to pre-registered ones. This behavior is described in [7.3. Loopback Interface Redirection](
-        # https://www.rfc-editor.org/rfc/rfc8252.html#section-7.3) of [RFC 8252 OAuth 2.0](https://www.rfc-editor.org/rfc/rfc8252.html)
-        # for Native Apps.
-        # 
-        # [3.1.2.3. Dynamic Configuration](https://www.rfc-editor.org/rfc/rfc6749.html#section-3.1.2.3)
-        # of [RFC 6749](https://www.rfc-editor.org/rfc/rfc6749.html) states _"If the client registration
-        # included the full redirection URI, the authorization server MUST compare the two URIs using
-        # simple string comparison as defined in [RFC3986] Section 6.2.1."_ Also, the description of
-        # `redirect_uri` in [3.1.2.1. Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest)
-        # of [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html) states
-        # _"This URI MUST exactly match one of the Redirection URI values for the Client pre-registered
-        # at the OpenID Provider, with the matching performed as described in Section 6.2.1 of [RFC3986]
-        # (**Simple String Comparison**)."_ These "Simple String Comparison" requirements are preceded
-        # by this flag. That is, even when the conditions described in RFC 6749 and OpenID Connect Core 1.0
-        # are satisfied, the port number component of loopback redirection URIs can be variable when this
-        # flag is `true`.
-        # 
-        # [8.3. Loopback Redirect Considerations](https://www.rfc-editor.org/rfc/rfc8252.html#section-8.3)
-        # of [RFC 8252](https://www.rfc-editor.org/rfc/rfc8252.html) states as follows.
-        # 
-        # > While redirect URIs using localhost (i.e., `"http://localhost:{port}/{path}"`) function
-        # similarly to loopback IP redirects described in Section 7.3, the use of localhost is NOT RECOMMENDED.
-        # Specifying a redirect URI with the loopback IP literal rather than localhost avoids inadvertently
-        # listening on network interfaces other than the loopback interface. It is also less susceptible
-        # to client-side firewalls and misconfigured host name resolution on the user's device.
-        # 
-        # However, Authlete allows the port number component to be variable in the case of `localhost`,
-        # too. It is left to client applications whether they use `localhost` or a literal loopback IP
-        # address (`127.0.0.1` for IPv4 or `::1` for IPv6).
-        # 
-        # Section 7.3 and Section 8.3 of [RFC 8252](https://www.rfc-editor.org/rfc/rfc8252.html) state
-        # that loopback redirection URIs use the `"http"` scheme, but Authlete allows the port number
-        # component to be variable in other cases (e.g. in the case of the `"https"` scheme), too.
-        # 
+        #
         field :loopback_redirection_uri_variable, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('loopbackRedirectionUriVariable') } }
         # The flag indicating whether Authlete checks whether the `aud` claim of request objects matches
         # the issuer identifier of this service.
-        # 
-        # [Section 6.1. Passing a Request Object by Value](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests)
-        # of [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html) has the following
-        # statement.
-        # 
-        # > The `aud` value SHOULD be or include the OP's Issuer Identifier URL.
-        # 
-        # Likewise, [Section 4. Request Object](https://www.rfc-editor.org/rfc/rfc9101.html#section-4) of
-        # [RFC 9101](https://www.rfc-editor.org/rfc/rfc9101.html) (The OAuth 2.0 Authorization Framework:
-        # JWT-Secured Authorization Request (JAR)) has the following statement.
-        # 
-        # > The value of aud should be the value of the authorization server (AS) issuer, as defined in
-        # [RFC 8414](https://www.rfc-editor.org/rfc/rfc8414.html).
-        # 
-        # As excerpted above, validation on the `aud` claim of request objects is optional. However, if
-        # this flag is turned on, Authlete checks whether the `aud` claim of request objects matches the issuer
-        # identifier of this service and raises an error if they are different.
-        # 
+        #
         field :request_object_audience_checked, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('requestObjectAudienceChecked') } }
         # The flag indicating whether Authlete generates access tokens for
         # external attachments and embeds them in ID tokens and userinfo
         # responses.
-        # 
+        #
         field :access_token_for_external_attachment_embedded, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('accessTokenForExternalAttachmentEmbedded') } }
         # Identifiers of entities that can issue entity statements for this
         # service. This property corresponds to the `authority_hints`
         # property that appears in a self-signed entity statement that is
         # defined in OpenID Connect Federation 1.0.
-        # 
+        #
         field :authority_hints, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('authorityHints') } }
         # flag indicating whether this service supports OpenID Connect Federation 1
-        # 
+        #
         field :federation_enabled, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('federationEnabled') } }
         # JWK Set document containing keys that are used to sign (1) self-signed
         # entity statement of this service and (2) the response from
         # `signed_jwks_uri`.
-        # 
+        #
         field :federation_jwks, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('federationJwks') } }
         # A key ID to identify a JWK used to sign the entity configuration and
         # the signed JWK Set.
-        # 
+        #
         field :federation_signature_key_id, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('federationSignatureKeyId') } }
         # The duration of the entity configuration in seconds.
-        # 
+        #
         field :federation_configuration_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('federationConfigurationDuration') } }
         # The URI of the federation registration endpoint. This property corresponds
         # to the `federation_registration_endpoint` server metadata that is
         # defined in OpenID Connect Federation 1.0.
-        # 
+        #
         field :federation_registration_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('federationRegistrationEndpoint') } }
         # The human-readable name representing the organization that operates
         # this service. This property corresponds to the `organization_name`
         # server metadata that is defined in OpenID Connect Federation 1.0.
-        # 
+        #
         field :organization_name, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('organizationName') } }
         # The transformed claims predefined by this service in JSON format.
         # This property corresponds to the `transformed_claims_predefined`
         # server metadata.
-        # 
+        #
         field :predefined_transformed_claims, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('predefinedTransformedClaims') } }
         # flag indicating whether refresh token requests with the same
         # refresh token can be made multiple times in quick succession and
         # they can obtain the same renewed refresh token within the short
         # period.
-        # 
+        #
         field :refresh_token_idempotent, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('refreshTokenIdempotent') } }
         # The URI of the endpoint that returns this service's JWK Set document in
         # the JWT format. This property corresponds to the `signed_jwks_uri`
         # server metadata defined in OpenID Connect Federation 1.0.
-        # 
+        #
         field :signed_jwks_uri, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('signedJwksUri') } }
-        # Supported attachment types. This property corresponds to the {@code
-        # attachments_supported} server metadata which was added by the third
+        # Supported attachment types. This property corresponds to the {@code
+        # attachments_supported} server metadata which was added by the third
         # implementer's draft of OpenID Connect for Identity Assurance 1.0.
-        # 
+        #
         field :supported_attachments, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::AttachmentType)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedAttachments') } }
         # Supported algorithms used to compute digest values of external
         # attachments. This property corresponds to the
         # `digest_algorithms_supported` server metadata which was added
         # by the third implementer's draft of OpenID Connect for Identity
         # Assurance 1.0.
-        # 
+        #
         field :supported_digest_algorithms, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedDigestAlgorithms') } }
         # Document types supported by this service. This property corresponds
         # to the `documents_supported` server metadata.
-        # 
+        #
         field :supported_documents, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedDocuments') } }
         # validation and verification processes supported by this service.
         # This property corresponds to the `documents_methods_supported`
         # server metadata.
-        # 
+        #
         # The third implementer's draft of [OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html)
         # renamed the
         # `id_documents_verification_methods_supported` server metadata to
         # `documents_methods_supported`.
-        # 
+        #
         field :supported_documents_methods, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedDocumentsMethods') } }
         # Document validation methods supported by this service. This property
-        # corresponds to the `documents\_validation\_methods\_supported` server
+        # corresponds to the `documents_validation_methods_supported` server
         # metadata which was added by the third implementer's draft of
-        # 
+        #
         field :supported_documents_validation_methods, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedDocumentsValidationMethods') } }
         # Document verification methods supported by this service. This property
         # corresponds to the `documents_verification_methods_supported` server
         # metadata which was added by the third implementer's draft of
         # [OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html)
-        # 
+        #
         field :supported_documents_verification_methods, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedDocumentsVerificationMethods') } }
         # Electronic record types supported by this service. This property
         # corresponds to the `electronic_records_supported` server metadata
         # which was added by the third implementer's draft of
         # [OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html)
-        # 
+        #
         field :supported_electronic_records, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedElectronicRecords') } }
 
         field :supported_client_registration_types, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::ClientRegistrationType)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedClientRegistrationTypes') } }
         # The flag indicating whether to prohibit unidentifiable clients from
         # making token exchange requests.
-        # 
+        #
         field :token_exchange_by_identifiable_clients_only, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tokenExchangeByIdentifiableClientsOnly') } }
         # The flag indicating whether to prohibit public clients from making
         # token exchange requests.
-        # 
+        #
         field :token_exchange_by_confidential_clients_only, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tokenExchangeByConfidentialClientsOnly') } }
         # The flag indicating whether to prohibit clients that have no explicit
         # permission from making token exchange requests.
-        # 
+        #
         field :token_exchange_by_permitted_clients_only, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tokenExchangeByPermittedClientsOnly') } }
         # The flag indicating whether to reject token exchange requests which
         # use encrypted JWTs as input tokens.
-        # 
+        #
         field :token_exchange_encrypted_jwt_rejected, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tokenExchangeEncryptedJwtRejected') } }
         # The flag indicating whether to reject token exchange requests which
         # use unsigned JWTs as input tokens.
-        # 
+        #
         field :token_exchange_unsigned_jwt_rejected, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tokenExchangeUnsignedJwtRejected') } }
         # The flag indicating whether to prohibit unidentifiable clients from
         # using the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer".
-        # 
+        #
         field :jwt_grant_by_identifiable_clients_only, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('jwtGrantByIdentifiableClientsOnly') } }
         # The flag indicating whether to reject token requests that use an
         # encrypted JWT as an authorization grant with the grant type
         # "urn:ietf:params:oauth:grant-type:jwt-bearer".
-        # 
+        #
         field :jwt_grant_encrypted_jwt_rejected, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('jwtGrantEncryptedJwtRejected') } }
         # The flag indicating whether to reject token requests that use an
         # unsigned JWT as an authorization grant with the grant type
         # "urn:ietf:params:oauth:grant-type:jwt-bearer".
-        # 
+        #
         field :jwt_grant_unsigned_jwt_rejected, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('jwtGrantUnsignedJwtRejected') } }
         # The flag indicating whether to block DCR (Dynamic Client Registration)
         # requests whose "software_id" has already been used previously.
-        # 
+        #
         field :dcr_duplicate_software_id_blocked, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('dcrDuplicateSoftwareIdBlocked') } }
         # The trust anchors that are referenced when this service resolves
         # trust chains of relying parties.
-        # 
+        #
         # If this property is empty, client registration fails regardless of
         # whether its type is `automatic` or `explicit`. It means
         # that OpenID Connect Federation 1.0 does not work.
-        # 
+        #
         field :trust_anchors, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::TrustAnchor)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('trustAnchors') } }
         # The flag indicating whether the openid scope should be dropped from
         # scopes list assigned to access token issued when a refresh token grant
         # is used.
-        # 
+        #
         field :openid_dropped_on_refresh_without_offline_access, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('openidDroppedOnRefreshWithoutOfflineAccess') } }
         # Supported document check methods. This property corresponds to the `documents_check_methods_supported`
         # server metadata which was added by the fourth implementer's draft of OpenID Connect for Identity
         # Assurance 1.0.
-        # 
+        #
         field :supported_documents_check_methods, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedDocumentsCheckMethods') } }
         # The flag indicating whether this service signs responses from the resource server.
-        # 
+        #
         field :rs_response_signed, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('rsResponseSigned') } }
         # The duration of `c_nonce`.
-        # 
+        #
         field :cnonce_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('cnonceDuration') } }
         # Whether to require DPoP proof JWTs to include the `nonce` claim
         # whenever they are presented.
-        # 
+        #
         field :dpop_nonce_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('dpopNonceRequired') } }
         # Get the flag indicating whether the feature of Verifiable Credentials
         # for this service is enabled or not.
-        # 
+        #
         field :verifiable_credentials_enabled, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('verifiableCredentialsEnabled') } }
         # The URL at which the JWK Set document of the credential issuer is
         # exposed.
-        # 
+        #
         field :credential_jwks_uri, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('credentialJwksUri') } }
         # The default duration of credential offers in seconds.
-        # 
+        #
         field :credential_offer_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('credentialOfferDuration') } }
         # The duration of nonce values for DPoP proof JWTs in seconds.
-        # 
+        #
         field :dpop_nonce_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('dpopNonceDuration') } }
         # The flag indicating whether token requests using the pre-authorized
         # code grant flow by unidentifiable clients are allowed.
-        # 
+        #
         field :pre_authorized_grant_anonymous_access_supported, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('preAuthorizedGrantAnonymousAccessSupported') } }
         # The duration of transaction ID in seconds that may be issued as a
         # result of a credential request or a batch credential request.
-        # 
+        #
         field :credential_transaction_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('credentialTransactionDuration') } }
         # The key ID of the key for signing introspection responses.
-        # 
+        #
         field :introspection_signature_key_id, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('introspectionSignatureKeyId') } }
         # The key ID of the key for signing introspection responses.
-        # 
+        #
         field :resource_signature_key_id, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('resourceSignatureKeyId') } }
         # The default length of user PINs.
-        # 
+        #
         field :user_pin_length, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('userPinLength') } }
         # The supported `prompt` values.
-        # 
+        #
         field :supported_prompt_values, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::Prompt)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedPromptValues') } }
         # The flag indicating whether to enable the feature of ID token
         # reissuance in the refresh token flow.
-        # 
+        #
         field :id_token_reissuable, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('idTokenReissuable') } }
         # The JWK Set document containing private keys that are used to sign
         # verifiable credentials.
-        # 
+        #
         field :credential_jwks, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('credentialJwks') } }
         # FAPI modes for this service.
-        # 
+        #
         # When the value of this property is not `null`, Authlete always processes requests to this service based
         # on the specified FAPI modes if the FAPI feature is enabled in Authlete and the FAPI profile is supported
         # by this service.
-        # 
+        #
         # For instance, when this property is set to an array containing `FAPI1_ADVANCED` only, Authlete always
         # processes requests to this service based on "Financial-grade API Security Profile 1.0 - Part 2:
         # Advanced" if the FAPI feature is enabled in Authlete and the FAPI profile is supported by this service.
-        # 
+        #
         field :fapi_modes, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::FapiMode)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('fapiModes') } }
         # The default duration of verifiable credentials in seconds.
-        # 
+        #
         field :credential_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('credentialDuration') } }
 
         field :credential_issuer_metadata, Crystalline::Nilable.new(Models::Components::CredentialIssuerMetadata), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('credentialIssuerMetadata') } }
         # The type of the `aud` claim in ID tokens.
-        # 
+        #
         field :id_token_aud_type, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('idTokenAudType') } }
         # Flag that enables the [OpenID Connect Native SSO for Mobile Apps 1.0](https://openid.net/specs/openid-connect-native-sso-1_0.html)
         # specification (“Native SSO”). When this property is **not** `true`, Native SSO specific parameters are ignored or treated as errors.
         # For example:
-        # 
+        #
         # * The `device_sso` scope has no special meaning (Authlete does not embed the `sid` claim in ID tokens).
         # * The `urn:openid:params:token-type:device-secret` token type is treated as unknown and results in an error.
-        # 
+        #
         # When set to `true`, the server metadata advertises `"native_sso_supported": true`. See [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata)
         # and [RFC 8414 §2](https://www.rfc-editor.org/rfc/rfc8414.html#section-2) for background. Native SSO is available in Authlete 3.0 and later.
-        # 
+        #
         field :native_sso_supported, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('nativeSsoSupported') } }
         # Version of the [OpenID for Verifiable Credential Issuance](https://www.authlete.com/developers/oid4vci/) (OID4VCI) specification to support.
-        # 
+        #
         # Accepted values are:
-        # 
+        #
         # * `null` or `"1.0-ID1"` → Implementer’s Draft 1.
         # * `"1.0"` or `"1.0-Final"` → Final 1.0 specification.
-        # 
+        #
         # Choose the value that matches the OID4VCI behaviour your service should expose. See the OID4VCI documentation for details.
-        # 
+        #
         field :oid4vci_version, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('oid4vciVersion') } }
         # Flag that controls whether the CIMD metadata policy is applied to client
         # metadata obtained through the Client ID Metadata Document (CIMD)
         # mechanism.
-        # 
+        #
         field :cimd_metadata_policy_enabled, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('cimdMetadataPolicyEnabled') } }
         # Indicates whether the Client ID Metadata Document (CIMD) mechanism is
         # supported. When `true`, the service will attempt to retrieve client
         # metadata via CIMD where applicable.
-        # 
+        #
         field :client_id_metadata_document_supported, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('clientIdMetadataDocumentSupported') } }
         # Enables the allowlist for CIMD. When `true`, only CIMD endpoints that are
         # on the allowlist are used.
-        # 
+        #
         field :cimd_allowlist_enabled, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('cimdAllowlistEnabled') } }
         # The allowlist of CIMD endpoints (hosts/URIs) that may be used when
         # retrieving client metadata via Client ID Metadata Documents.
-        # 
+        #
         field :cimd_allowlist, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('cimdAllowlist') } }
         # If `true`, CIMD retrieval is always attempted for clients, regardless of
         # other conditions.
-        # 
+        #
         field :cimd_always_retrieved, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('cimdAlwaysRetrieved') } }
         # Allows CIMD retrieval over plain HTTP. When `false`, only HTTPS CIMD
         # endpoints are allowed.
-        # 
+        #
         field :cimd_http_permitted, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('cimdHttpPermitted') } }
         # Allows the use of query parameters when retrieving CIMD metadata. When
         # `false`, query parameters are disallowed for CIMD requests.
-        # 
+        #
         field :cimd_query_permitted, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('cimdQueryPermitted') } }
         # The metadata policy applied to client metadata obtained through the CIMD
         # mechanism. The value must follow the metadata policy grammar defined in
         # [OpenID Federation 1.0 §6.1 Metadata Policy](https://openid.net/specs/openid-federation-1_0.html#name-metadata-policy).
-        # 
+        #
         field :cimd_metadata_policy, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('cimdMetadataPolicy') } }
         # When `true`, client ID aliases starting with `https://` or `http://` are
         # prohibited.
-        # 
+        #
         field :http_alias_prohibited, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('httpAliasProhibited') } }
         # The signature algorithm for JWT. This value is represented on 'alg' attribute
         # of the header of JWT.
-        # 
+        #
         # it's semantics depends upon where is this defined, for instance:
         #   - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).
         #   - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).
         #   - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).
-        # 
-        field :access_token_sign_alg, Crystalline::Nilable.new(Models::Components::JwsAlg), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('accessTokenSignAlg'), 'decoder': Utils.enum_from_string(Models::Components::JwsAlg, true) } }
+        #
+        field :access_token_sign_alg, Crystalline::Nilable.new(Models::Components::JwsAlg), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('accessTokenSignAlg'), 'decoder': ::Authlete::Utils.enum_from_string(Models::Components::JwsAlg, true) } }
 
         sig { params(number: T.nilable(::Integer), service_name: T.nilable(::String), issuer: T.nilable(::String), description: T.nilable(::String), api_key: T.nilable(::Integer), api_secret: T.nilable(::String), token_batch_notification_endpoint: T.nilable(::String), client_assertion_aud_restricted_to_issuer: T.nilable(T::Boolean), service_owner_number: T.nilable(::Integer), clients_per_developer: T.nilable(::Integer), developer_authentication_callback_endpoint: T.nilable(::String), developer_authentication_callback_api_key: T.nilable(::String), developer_authentication_callback_api_secret: T.nilable(::String), supported_snses: T.nilable(T::Array[Models::Components::SupportedSnse]), sns_credentials: T.nilable(T::Array[Models::Components::SnsCredentials]), client_id_alias_enabled: T.nilable(T::Boolean), metadata: T.nilable(T::Array[Models::Components::Pair]), created_at: T.nilable(::Integer), modified_at: T.nilable(::Integer), authentication_callback_endpoint: T.nilable(::String), authentication_callback_api_key: T.nilable(::String), authentication_callback_api_secret: T.nilable(::String), supported_acrs: T.nilable(T::Array[::String]), supported_grant_types: T.nilable(T::Array[Models::Components::GrantType]), supported_response_types: T.nilable(T::Array[Models::Components::ResponseType]), supported_authorization_details_types: T.nilable(T::Array[::String]), supported_service_profiles: T.nilable(T::Array[Models::Components::ServiceProfile]), error_description_omitted: T.nilable(T::Boolean), error_uri_omitted: T.nilable(T::Boolean), authorization_endpoint: T.nilable(::String), direct_authorization_endpoint_enabled: T.nilable(T::Boolean), supported_ui_locales: T.nilable(T::Array[::String]), supported_displays: T.nilable(T::Array[Models::Components::Display]), pkce_required: T.nilable(T::Boolean), pkce_s256_required: T.nilable(T::Boolean), authorization_response_duration: T.nilable(::Integer), token_endpoint: T.nilable(::String), direct_token_endpoint_enabled: T.nilable(T::Boolean), supported_token_auth_methods: T.nilable(T::Array[Models::Components::ClientAuthMethod]), missing_client_id_allowed: T.nilable(T::Boolean), revocation_endpoint: T.nilable(::String), direct_revocation_endpoint_enabled: T.nilable(T::Boolean), supported_revocation_auth_methods: T.nilable(T::Array[Models::Components::ClientAuthMethod]), introspection_endpoint: T.nilable(::String), direct_introspection_endpoint_enabled: T.nilable(T::Boolean), supported_introspection_auth_methods: T.nilable(T::Array[Models::Components::ClientAuthMethod]), pushed_auth_req_endpoint: T.nilable(::String), pushed_auth_req_duration: T.nilable(::Integer), par_required: T.nilable(T::Boolean), request_object_required: T.nilable(T::Boolean), traditional_request_object_processing_applied: T.nilable(T::Boolean), mutual_tls_validate_pki_cert_chain: T.nilable(T::Boolean), trusted_root_certificates: T.nilable(T::Array[::String]), mtls_endpoint_aliases: T.nilable(T::Array[Models::Components::NamedUri]), access_token_type: T.nilable(::String), tls_client_certificate_bound_access_tokens: T.nilable(T::Boolean), access_token_duration: T.nilable(::Integer), single_access_token_per_subject: T.nilable(T::Boolean), access_token_signature_key_id: T.nilable(::String), refresh_token_duration: T.nilable(::Integer), refresh_token_duration_kept: T.nilable(T::Boolean), refresh_token_duration_reset: T.nilable(T::Boolean), refresh_token_kept: T.nilable(T::Boolean), supported_scopes: T.nilable(T::Array[Models::Components::Scope]), scope_required: T.nilable(T::Boolean), id_token_duration: T.nilable(::Integer), allowable_clock_skew: T.nilable(::Integer), supported_claim_types: T.nilable(T::Array[Models::Components::ClaimType]), supported_claim_locales: T.nilable(T::Array[::String]), supported_claims: T.nilable(T::Array[::String]), claim_shortcut_restrictive: T.nilable(T::Boolean), jwks_uri: T.nilable(::String), direct_jwks_endpoint_enabled: T.nilable(T::Boolean), jwks: T.nilable(::String), id_token_signature_key_id: T.nilable(::String), user_info_signature_key_id: T.nilable(::String), authorization_signature_key_id: T.nilable(::String), user_info_endpoint: T.nilable(::String), direct_user_info_endpoint_enabled: T.nilable(T::Boolean), dynamic_registration_supported: T.nilable(T::Boolean), registration_endpoint: T.nilable(::String), registration_management_endpoint: T.nilable(::String), policy_uri: T.nilable(::String), tos_uri: T.nilable(::String), service_documentation: T.nilable(::String), backchannel_authentication_endpoint: T.nilable(::String), supported_backchannel_token_delivery_modes: T.nilable(T::Array[Models::Components::DeliveryMode]), backchannel_auth_req_id_duration: T.nilable(::Integer), backchannel_polling_interval: T.nilable(::Integer), backchannel_user_code_parameter_supported: T.nilable(T::Boolean), backchannel_binding_message_required_in_fapi: T.nilable(T::Boolean), device_authorization_endpoint: T.nilable(::String), device_verification_uri: T.nilable(::String), device_verification_uri_complete: T.nilable(::String), device_flow_code_duration: T.nilable(::Integer), device_flow_polling_interval: T.nilable(::Integer), user_code_charset: T.nilable(Models::Components::UserCodeCharset), user_code_length: T.nilable(::Integer), supported_trust_frameworks: T.nilable(T::Array[::String]), supported_evidence: T.nilable(T::Array[::String]), supported_identity_documents: T.nilable(T::Array[::String]), supported_verification_methods: T.nilable(T::Array[::String]), supported_verified_claims: T.nilable(T::Array[::String]), verified_claims_validation_schema_set: T.nilable(Models::Components::VerifiedClaimsValidationSchema), attributes: T.nilable(T::Array[Models::Components::Pair]), nbf_optional: T.nilable(T::Boolean), iss_suppressed: T.nilable(T::Boolean), supported_custom_client_metadata: T.nilable(T::Array[::String]), token_expiration_linked: T.nilable(T::Boolean), front_channel_request_object_encryption_required: T.nilable(T::Boolean), request_object_encryption_alg_match_required: T.nilable(T::Boolean), request_object_encryption_enc_match_required: T.nilable(T::Boolean), hsm_enabled: T.nilable(T::Boolean), hsks: T.nilable(T::Array[Models::Components::Hsk]), grant_management_endpoint: T.nilable(::String), grant_management_action_required: T.nilable(T::Boolean), unauthorized_on_client_config_supported: T.nilable(T::Boolean), dcr_scope_used_as_requestable: T.nilable(T::Boolean), end_session_endpoint: T.nilable(::String), loopback_redirection_uri_variable: T.nilable(T::Boolean), request_object_audience_checked: T.nilable(T::Boolean), access_token_for_external_attachment_embedded: T.nilable(T::Boolean), authority_hints: T.nilable(T::Array[::String]), federation_enabled: T.nilable(T::Boolean), federation_jwks: T.nilable(::String), federation_signature_key_id: T.nilable(::String), federation_configuration_duration: T.nilable(::Integer), federation_registration_endpoint: T.nilable(::String), organization_name: T.nilable(::String), predefined_transformed_claims: T.nilable(::String), refresh_token_idempotent: T.nilable(T::Boolean), signed_jwks_uri: T.nilable(::String), supported_attachments: T.nilable(T::Array[Models::Components::AttachmentType]), supported_digest_algorithms: T.nilable(T::Array[::String]), supported_documents: T.nilable(T::Array[::String]), supported_documents_methods: T.nilable(T::Array[::String]), supported_documents_validation_methods: T.nilable(T::Array[::String]), supported_documents_verification_methods: T.nilable(T::Array[::String]), supported_electronic_records: T.nilable(T::Array[::String]), supported_client_registration_types: T.nilable(T::Array[Models::Components::ClientRegistrationType]), token_exchange_by_identifiable_clients_only: T.nilable(T::Boolean), token_exchange_by_confidential_clients_only: T.nilable(T::Boolean), token_exchange_by_permitted_clients_only: T.nilable(T::Boolean), token_exchange_encrypted_jwt_rejected: T.nilable(T::Boolean), token_exchange_unsigned_jwt_rejected: T.nilable(T::Boolean), jwt_grant_by_identifiable_clients_only: T.nilable(T::Boolean), jwt_grant_encrypted_jwt_rejected: T.nilable(T::Boolean), jwt_grant_unsigned_jwt_rejected: T.nilable(T::Boolean), dcr_duplicate_software_id_blocked: T.nilable(T::Boolean), trust_anchors: T.nilable(T::Array[Models::Components::TrustAnchor]), openid_dropped_on_refresh_without_offline_access: T.nilable(T::Boolean), supported_documents_check_methods: T.nilable(T::Array[::String]), rs_response_signed: T.nilable(T::Boolean), cnonce_duration: T.nilable(::Integer), dpop_nonce_required: T.nilable(T::Boolean), verifiable_credentials_enabled: T.nilable(T::Boolean), credential_jwks_uri: T.nilable(::String), credential_offer_duration: T.nilable(::Integer), dpop_nonce_duration: T.nilable(::Integer), pre_authorized_grant_anonymous_access_supported: T.nilable(T::Boolean), credential_transaction_duration: T.nilable(::Integer), introspection_signature_key_id: T.nilable(::String), resource_signature_key_id: T.nilable(::String), user_pin_length: T.nilable(::Integer), supported_prompt_values: T.nilable(T::Array[Models::Components::Prompt]), id_token_reissuable: T.nilable(T::Boolean), credential_jwks: T.nilable(::String), fapi_modes: T.nilable(T::Array[Models::Components::FapiMode]), credential_duration: T.nilable(::Integer), credential_issuer_metadata: T.nilable(Models::Components::CredentialIssuerMetadata), id_token_aud_type: T.nilable(::String), native_sso_supported: T.nilable(T::Boolean), oid4vci_version: T.nilable(::String), cimd_metadata_policy_enabled: T.nilable(T::Boolean), client_id_metadata_document_supported: T.nilable(T::Boolean), cimd_allowlist_enabled: T.nilable(T::Boolean), cimd_allowlist: T.nilable(T::Array[::String]), cimd_always_retrieved: T.nilable(T::Boolean), cimd_http_permitted: T.nilable(T::Boolean), cimd_query_permitted: T.nilable(T::Boolean), cimd_metadata_policy: T.nilable(::String), http_alias_prohibited: T.nilable(T::Boolean), access_token_sign_alg: T.nilable(Models::Components::JwsAlg)).void }
         def initialize(number: nil, service_name: nil, issuer: nil, description: nil, api_key: nil, api_secret: nil, token_batch_notification_endpoint: nil, client_assertion_aud_restricted_to_issuer: nil, service_owner_number: nil, clients_per_developer: nil, developer_authentication_callback_endpoint: nil, developer_authentication_callback_api_key: nil, developer_authentication_callback_api_secret: nil, supported_snses: nil, sns_credentials: nil, client_id_alias_enabled: nil, metadata: nil, created_at: nil, modified_at: nil, authentication_callback_endpoint: nil, authentication_callback_api_key: nil, authentication_callback_api_secret: nil, supported_acrs: nil, supported_grant_types: nil, supported_response_types: nil, supported_authorization_details_types: nil, supported_service_profiles: nil, error_description_omitted: nil, error_uri_omitted: nil, authorization_endpoint: nil, direct_authorization_endpoint_enabled: nil, supported_ui_locales: nil, supported_displays: nil, pkce_required: nil, pkce_s256_required: nil, authorization_response_duration: nil, token_endpoint: nil, direct_token_endpoint_enabled: nil, supported_token_auth_methods: nil, missing_client_id_allowed: nil, revocation_endpoint: nil, direct_revocation_endpoint_enabled: nil, supported_revocation_auth_methods: nil, introspection_endpoint: nil, direct_introspection_endpoint_enabled: nil, supported_introspection_auth_methods: nil, pushed_auth_req_endpoint: nil, pushed_auth_req_duration: nil, par_required: nil, request_object_required: nil, traditional_request_object_processing_applied: nil, mutual_tls_validate_pki_cert_chain: nil, trusted_root_certificates: nil, mtls_endpoint_aliases: nil, access_token_type: nil, tls_client_certificate_bound_access_tokens: nil, access_token_duration: nil, single_access_token_per_subject: nil, access_token_signature_key_id: nil, refresh_token_duration: nil, refresh_token_duration_kept: nil, refresh_token_duration_reset: nil, refresh_token_kept: nil, supported_scopes: nil, scope_required: nil, id_token_duration: nil, allowable_clock_skew: nil, supported_claim_types: nil, supported_claim_locales: nil, supported_claims: nil, claim_shortcut_restrictive: nil, jwks_uri: nil, direct_jwks_endpoint_enabled: nil, jwks: nil, id_token_signature_key_id: nil, user_info_signature_key_id: nil, authorization_signature_key_id: nil, user_info_endpoint: nil, direct_user_info_endpoint_enabled: nil, dynamic_registration_supported: nil, registration_endpoint: nil, registration_management_endpoint: nil, policy_uri: nil, tos_uri: nil, service_documentation: nil, backchannel_authentication_endpoint: nil, supported_backchannel_token_delivery_modes: nil, backchannel_auth_req_id_duration: nil, backchannel_polling_interval: nil, backchannel_user_code_parameter_supported: nil, backchannel_binding_message_required_in_fapi: nil, device_authorization_endpoint: nil, device_verification_uri: nil, device_verification_uri_complete: nil, device_flow_code_duration: nil, device_flow_polling_interval: nil, user_code_charset: nil, user_code_length: nil, supported_trust_frameworks: nil, supported_evidence: nil, supported_identity_documents: nil, supported_verification_methods: nil, supported_verified_claims: nil, verified_claims_validation_schema_set: nil, attributes: nil, nbf_optional: nil, iss_suppressed: nil, supported_custom_client_metadata: nil, token_expiration_linked: nil, front_channel_request_object_encryption_required: nil, request_object_encryption_alg_match_required: nil, request_object_encryption_enc_match_required: nil, hsm_enabled: nil, hsks: nil, grant_management_endpoint: nil, grant_management_action_required: nil, unauthorized_on_client_config_supported: nil, dcr_scope_used_as_requestable: nil, end_session_endpoint: nil, loopback_redirection_uri_variable: nil, request_object_audience_checked: nil, access_token_for_external_attachment_embedded: nil, authority_hints: nil, federation_enabled: nil, federation_jwks: nil, federation_signature_key_id: nil, federation_configuration_duration: nil, federation_registration_endpoint: nil, organization_name: nil, predefined_transformed_claims: nil, refresh_token_idempotent: nil, signed_jwks_uri: nil, supported_attachments: nil, supported_digest_algorithms: nil, supported_documents: nil, supported_documents_methods: nil, supported_documents_validation_methods: nil, supported_documents_verification_methods: nil, supported_electronic_records: nil, supported_client_registration_types: nil, token_exchange_by_identifiable_clients_only: nil, token_exchange_by_confidential_clients_only: nil, token_exchange_by_permitted_clients_only: nil, token_exchange_encrypted_jwt_rejected: nil, token_exchange_unsigned_jwt_rejected: nil, jwt_grant_by_identifiable_clients_only: nil, jwt_grant_encrypted_jwt_rejected: nil, jwt_grant_unsigned_jwt_rejected: nil, dcr_duplicate_software_id_blocked: nil, trust_anchors: nil, openid_dropped_on_refresh_without_offline_access: nil, supported_documents_check_methods: nil, rs_response_signed: nil, cnonce_duration: nil, dpop_nonce_required: nil, verifiable_credentials_enabled: nil, credential_jwks_uri: nil, credential_offer_duration: nil, dpop_nonce_duration: nil, pre_authorized_grant_anonymous_access_supported: nil, credential_transaction_duration: nil, introspection_signature_key_id: nil, resource_signature_key_id: nil, user_pin_length: nil, supported_prompt_values: nil, id_token_reissuable: nil, credential_jwks: nil, fapi_modes: nil, credential_duration: nil, credential_issuer_metadata: nil, id_token_aud_type: nil, native_sso_supported: nil, oid4vci_version: nil, cimd_metadata_policy_enabled: nil, client_id_metadata_document_supported: nil, cimd_allowlist_enabled: nil, cimd_allowlist: nil, cimd_always_retrieved: nil, cimd_http_permitted: nil, cimd_query_permitted: nil, cimd_metadata_policy: nil, http_alias_prohibited: nil, access_token_sign_alg: nil)