authlete_ruby_test 0.0.1.beta

data/lib/authlete/models/components/service_input.rb

@@ -0,0 +1,1594 @@
+# Code generated by Speakeasy (https://speakeasy.com). DO NOT EDIT.
+
+# typed: true
+# frozen_string_literal: true
+
+
+module Authlete
+  module Models
+    module Components
+    
+
+      class ServiceInput
+        extend T::Sig
+        include Crystalline::MetadataFields
+
+        # The name of this service.
+        field :service_name, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('serviceName') }, 'form': { 'field_name': 'serviceName' } }
+        # The issuer identifier of the service.
+        # 
+        # A URL that starts with  https:// and has no query or fragment component.
+        # 
+        # The value of this property is used as `iss` claim in an [ID token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)
+        # and `issuer` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
+        # 
+        field :issuer, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('issuer') }, 'form': { 'field_name': 'issuer' } }
+        # The description about the service.
+        field :description, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('description') }, 'form': { 'field_name': 'description' } }
+        # The endpoint for batch token notifications. This endpoint is called when 
+        # multiple tokens are issued or revoked in a batch operation.
+        # 
+        field :token_batch_notification_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tokenBatchNotificationEndpoint') }, 'form': { 'field_name': 'tokenBatchNotificationEndpoint' } }
+        # The flag indicating whether the audience of client assertion JWTs must 
+        # match the issuer identifier of this service.
+        # 
+        field :client_assertion_aud_restricted_to_issuer, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('clientAssertionAudRestrictedToIssuer') }, 'form': { 'field_name': 'clientAssertionAudRestrictedToIssuer' } }
+        # The maximum number of client applications that a developer can have.
+        # 
+        field :clients_per_developer, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('clientsPerDeveloper') }, 'form': { 'field_name': 'clientsPerDeveloper' } }
+        # The endpoint for developer authentication callbacks. This is used when 
+        # developers log into the developer portal.
+        # 
+        field :developer_authentication_callback_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('developerAuthenticationCallbackEndpoint') }, 'form': { 'field_name': 'developerAuthenticationCallbackEndpoint' } }
+        # The API key for basic authentication at the developer authentication 
+        # callback endpoint.
+        # 
+        field :developer_authentication_callback_api_key, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('developerAuthenticationCallbackApiKey') }, 'form': { 'field_name': 'developerAuthenticationCallbackApiKey' } }
+        # The API secret for basic authentication at the developer authentication 
+        # callback endpoint.
+        # 
+        field :developer_authentication_callback_api_secret, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('developerAuthenticationCallbackApiSecret') }, 'form': { 'field_name': 'developerAuthenticationCallbackApiSecret' } }
+        # Social login services (SNS) that this service supports for end-user 
+        # authentication.
+        # 
+        field :supported_snses, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::SupportedSnse)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedSnses') }, 'form': { 'field_name': 'supportedSnses' } }
+        # The credentials for social login services (SNS) that are used for 
+        # end-user authentication.
+        # 
+        field :sns_credentials, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::SnsCredentials)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('snsCredentials') }, 'form': { 'field_name': 'snsCredentials', 'json': true } }
+        # Deprecated. Always `true`.
+        field :client_id_alias_enabled, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('clientIdAliasEnabled') }, 'form': { 'field_name': 'clientIdAliasEnabled' } }
+        # The `metadata` of the service. The content of the returned array depends on contexts.
+        # The predefined service metadata is listed in the following table.
+        # 
+        #   | Key | Description |
+        #   | --- | --- |
+        #   | `clientCount` | The number of client applications which belong to this service.  |
+        # 
+        field :metadata, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::Pair)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('metadata') }, 'form': { 'field_name': 'metadata', 'json': true } }
+        # A Web API endpoint for user authentication which is to be prepared on the service side.
+        # 
+        # The endpoint must be implemented if you do not implement the UI at the authorization endpoint
+        # but use the one provided by Authlete.
+        # 
+        # The user authentication at the authorization endpoint provided by Authlete is performed by making
+        # a `POST` request to this endpoint.
+        # 
+        field :authentication_callback_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('authenticationCallbackEndpoint') }, 'form': { 'field_name': 'authenticationCallbackEndpoint' } }
+        # API key for basic authentication at the authentication callback endpoint.
+        # 
+        # If the value is not empty, Authlete generates Authorization header for Basic authentication when
+        # making a request to the authentication callback endpoint.
+        # 
+        field :authentication_callback_api_key, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('authenticationCallbackApiKey') }, 'form': { 'field_name': 'authenticationCallbackApiKey' } }
+        # API secret for `basic` authentication at the authentication callback endpoint.
+        field :authentication_callback_api_secret, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('authenticationCallbackApiSecret') }, 'form': { 'field_name': 'authenticationCallbackApiSecret' } }
+        # Values of `grant_type` request parameter that the service supports.
+        # 
+        # The value of this property is used as `grant_types_supported property` in the
+        # [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
+        # 
+        field :supported_grant_types, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::GrantType)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedGrantTypes') }, 'form': { 'field_name': 'supportedGrantTypes' } }
+        # Values of `response_type` request parameter that
+        # the service supports. Valid values are listed in Response Type.
+        # 
+        # The value of this property is used as `response_types_supported` property in the
+        # [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
+        # 
+        field :supported_response_types, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::ResponseType)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedResponseTypes') }, 'form': { 'field_name': 'supportedResponseTypes' } }
+        # The supported data types that can be used as values of the type field in `authorization_details`.
+        # 
+        # This property corresponds to the `authorization_details_types_supported` metadata. See "OAuth 2.0
+        # Rich Authorization Requests" (RAR) for details.
+        # 
+        field :supported_authorization_details_types, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedAuthorizationDetailsTypes') }, 'form': { 'field_name': 'supportedAuthorizationDetailsTypes' } }
+        # The profiles that this service supports.
+        # 
+        field :supported_service_profiles, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::ServiceProfile)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedServiceProfiles') }, 'form': { 'field_name': 'supportedServiceProfiles' } }
+        # The flag to indicate whether the `error_description` response parameter is omitted.
+        # 
+        # According to [RFC 6749](https://tools.ietf.org/html/rfc6749), an authorization server may include
+        # the `error_description` response parameter in error responses.
+        # 
+        # If `true`, Authlete does not embed the `error_description` response parameter in error responses.
+        # 
+        field :error_description_omitted, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('errorDescriptionOmitted') }, 'form': { 'field_name': 'errorDescriptionOmitted' } }
+        # The flag to indicate whether the `error_uri` response parameter is omitted.
+        # 
+        # According to [RFC 6749](https://tools.ietf.org/html/rfc6749), an authorization server may include the `error_uri` response parameter in error responses.
+        # 
+        # If `true`, Authlete does not embed the
+        # `error_uri` response parameter in error responses.
+        # 
+        field :error_uri_omitted, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('errorUriOmitted') }, 'form': { 'field_name': 'errorUriOmitted' } }
+        # The authorization endpoint of the service.
+        # 
+        # A URL that starts with `https://` and has no fragment component. For example, `https://example.com/auth/authorization`.
+        # 
+        # The value of this property is used as `authorization_endpoint` property in the [OpenID Provider
+        # Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
+        # 
+        field :authorization_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('authorizationEndpoint') }, 'form': { 'field_name': 'authorizationEndpoint' } }
+        # The flag to indicate whether the direct authorization endpoint is enabled or not.
+        # 
+        # The path of the endpoint is `/api/auth/authorization/direct/service-api-key`.
+        # 
+        field :direct_authorization_endpoint_enabled, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('directAuthorizationEndpointEnabled') }, 'form': { 'field_name': 'directAuthorizationEndpointEnabled' } }
+        # UI locales that the service supports.
+        # 
+        # Each element is a language tag defined in [RFC 5646](https://tools.ietf.org/html/rfc5646). For example, `en-US` and `ja-JP`.
+        # 
+        # The value of this property is used as `ui_locales_supported` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
+        # 
+        field :supported_ui_locales, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedUiLocales') }, 'form': { 'field_name': 'supportedUiLocales' } }
+        # Values of `display` request parameter that service supports.
+        # 
+        # The value of this property is used as `display_values_supported` property in the Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
+        # 
+        field :supported_displays, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::Display)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedDisplays') }, 'form': { 'field_name': 'supportedDisplays' } }
+        # The flag to indicate whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.
+        # 
+        # If `true`, `code_challenge` request parameter is always required for authorization requests using Authorization Code Flow.
+        # 
+        # See [RFC 7636](https://tools.ietf.org/html/rfc7636) (Proof Key for Code Exchange by OAuth Public Clients) for details about `code_challenge` request parameter.
+        # 
+        field :pkce_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('pkceRequired') }, 'form': { 'field_name': 'pkceRequired' } }
+        # The flag to indicate whether `S256` is always required as the code challenge method whenever [PKCE (RFC 7636)](https://tools.ietf.org/html/rfc7636) is used.
+        # 
+        # If this flag is set to `true`, `code_challenge_method=S256` must be included in the authorization request
+        # whenever it includes the `code_challenge` request parameter.
+        # Neither omission of the `code_challenge_method` request parameter nor use of plain (`code_challenge_method=plain`) is allowed.
+        # 
+        field :pkce_s256_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('pkceS256Required') }, 'form': { 'field_name': 'pkceS256Required' } }
+        # The duration of authorization response JWTs in seconds.
+        # 
+        # [Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)](https://openid.net/specs/openid-financial-api-jarm.html)
+        # defines new values for the `response_mode` request parameter. They are `query.jwt`, `fragment.jwt`,
+        # `form_post.jwt` and `jwt`. If one of them is specified as the response mode, response parameters
+        # from the authorization endpoint will be packed into a JWT. This property is used to compute the
+        # value of the `exp` claim of the JWT.
+        # 
+        field :authorization_response_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('authorizationResponseDuration') }, 'form': { 'field_name': 'authorizationResponseDuration' } }
+        # The [token endpoint](https://tools.ietf.org/html/rfc6749#section-3.2) of the service.
+        # 
+        # A URL that starts with `https://` and has not fragment component. For example, `https://example.com/auth/token`.
+        # 
+        # The value of this property is used as `token_endpoint` property in the
+        # [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
+        # 
+        field :token_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tokenEndpoint') }, 'form': { 'field_name': 'tokenEndpoint' } }
+        # The flag to indicate whether the direct token endpoint is enabled or not. The path of the endpoint
+        # is `/api/auth/token/direct/service-api-key`.
+        # 
+        field :direct_token_endpoint_enabled, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('directTokenEndpointEnabled') }, 'form': { 'field_name': 'directTokenEndpointEnabled' } }
+        # Client authentication methods supported by the token endpoint of the service.
+        # 
+        # The value of this property is used as `token_endpoint_auth_methods_supports` property in the
+        # [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
+        # 
+        field :supported_token_auth_methods, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::ClientAuthMethod)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedTokenAuthMethods') }, 'form': { 'field_name': 'supportedTokenAuthMethods' } }
+        # The flag to indicate token requests from public clients without the `client_id` request parameter are allowed when the client can be guessed from `authorization_code` or `refresh_token`.
+        # 
+        # This flag should not be set unless you have special reasons.
+        # 
+        field :missing_client_id_allowed, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('missingClientIdAllowed') }, 'form': { 'field_name': 'missingClientIdAllowed' } }
+        # The [revocation endpoint](https://tools.ietf.org/html/rfc7009) of the service.
+        # 
+        # A URL that starts with `https://`. For example, `https://example.com/auth/revocation`.
+        # 
+        field :revocation_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('revocationEndpoint') }, 'form': { 'field_name': 'revocationEndpoint' } }
+        # The flag to indicate whether the direct revocation endpoint is enabled or not. The URL of the endpoint is `/api/auth/revocation/direct/service-api-key`. 
+        field :direct_revocation_endpoint_enabled, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('directRevocationEndpointEnabled') }, 'form': { 'field_name': 'directRevocationEndpointEnabled' } }
+        # Client authentication methods supported at the revocation endpoint.
+        # 
+        field :supported_revocation_auth_methods, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::ClientAuthMethod)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedRevocationAuthMethods') }, 'form': { 'field_name': 'supportedRevocationAuthMethods' } }
+        # The URI of the introspection endpoint.
+        field :introspection_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('introspectionEndpoint') }, 'form': { 'field_name': 'introspectionEndpoint' } }
+        # The flag to indicate whether the direct userinfo endpoint is enabled or not. The path of the endpoint is `/api/auth/userinfo/direct/{serviceApiKey}`. 
+        field :direct_introspection_endpoint_enabled, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('directIntrospectionEndpointEnabled') }, 'form': { 'field_name': 'directIntrospectionEndpointEnabled' } }
+        # Client authentication methods supported at the introspection endpoint.
+        # 
+        field :supported_introspection_auth_methods, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::ClientAuthMethod)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedIntrospectionAuthMethods') }, 'form': { 'field_name': 'supportedIntrospectionAuthMethods' } }
+        # The URI of the pushed authorization request endpoint.
+        # 
+        # This property corresponds to the `pushed_authorization_request_endpoint` metadata defined in "[5. Authorization Server Metadata](https://tools.ietf.org/html/draft-lodderstedt-oauth-par#section-5)" of OAuth 2.0 Pushed Authorization Requests.
+        # 
+        field :pushed_auth_req_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('pushedAuthReqEndpoint') }, 'form': { 'field_name': 'pushedAuthReqEndpoint' } }
+        # The duration of pushed authorization requests in seconds.
+        # 
+        # [OAuth 2.0 Pushed Authorization Requests](https://tools.ietf.org/html/draft-lodderstedt-oauth-par)
+        # defines an endpoint (called "pushed authorization request endpoint") which client applications
+        # can register authorization requests into and get corresponding URIs (called "request URIs") from.
+        # The issued URIs represent the registered authorization requests. The client applications can use
+        # the URIs as the value of the `request_uri` request parameter in an authorization request.
+        # 
+        # The property represents the duration of registered authorization requests and is used as the value
+        # of the `expires_in` parameter in responses from the pushed authorization request endpoint.
+        # 
+        field :pushed_auth_req_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('pushedAuthReqDuration') }, 'form': { 'field_name': 'pushedAuthReqDuration' } }
+        # The flag to indicate whether this service requires that clients use the pushed authorization
+        # request endpoint.
+        # 
+        # This property corresponds to the `require_pushed_authorization_requests` server metadata defined
+        # in [OAuth 2.0 Pushed Authorization Requests](https://tools.ietf.org/html/draft-lodderstedt-oauth-par).
+        # 
+        field :par_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('parRequired') }, 'form': { 'field_name': 'parRequired' } }
+        # The flag to indicate whether this service requires that authorization requests always utilize
+        # a request object by using either request or `request_uri` request parameter.
+        # 
+        # If this flag is set to `true` and the value of `traditionalRequestObjectProcessingApplied` is
+        # `false`, the value of `require_signed_request_object` server metadata of this service is reported
+        # as `true` in the discovery document. The metadata is defined in JAR (JWT Secured Authorization Request).
+        # That `require_signed_request_object` is `true` means that authorization requests which don't
+        # conform to the JAR specification are rejected.
+        # 
+        field :request_object_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('requestObjectRequired') }, 'form': { 'field_name': 'requestObjectRequired' } }
+        # The flag to indicate whether a request object is processed based on rules defined in
+        # [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html) or JAR (JWT
+        # Secured Authorization Request).
+        # 
+        # Differences between rules in OpenID Connect Core 1.0 and ones in JAR are as follows.
+        #   - JAR requires that a request object be always -signed.
+        #   - JAR does not allow request parameters outside a request object to be referred to.
+        #   - OIDC Core 1.0 requires that response_type request parameter exist outside a request object even if the request object includes the request parameter.
+        #   - OIDC Core 1.0 requires that scope request parameter exist outside a request object if the authorization request is an
+        #   - OIDC request even if the request object includes the request parameter.
+        # 
+        # If this flag is set to `false` and the value of `requestObjectRequired` is `true`, the value of
+        # `require_signed_request_object` server metadata of this service
+        # is reported as `true` in the discovery document. The metadata is defined in JAR (JWT Secured
+        # Authorization Request). That `require_signed_request_object` is `true` means that authorization
+        # requests which don't conform to the JAR specification are rejected.
+        # 
+        field :traditional_request_object_processing_applied, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('traditionalRequestObjectProcessingApplied') }, 'form': { 'field_name': 'traditionalRequestObjectProcessingApplied' } }
+        # The flag to indicate whether this service validates certificate chains during PKI-based client mutual TLS authentication.
+        # 
+        field :mutual_tls_validate_pki_cert_chain, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('mutualTlsValidatePkiCertChain') }, 'form': { 'field_name': 'mutualTlsValidatePkiCertChain' } }
+        # The list of root certificates trusted by this service for PKI-based client mutual TLS authentication.
+        # 
+        field :trusted_root_certificates, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('trustedRootCertificates') }, 'form': { 'field_name': 'trustedRootCertificates' } }
+        # The MTLS endpoint aliases.
+        # 
+        # This property corresponds to the mtls_endpoint_aliases metadata defined in "5. Metadata for Mutual TLS Endpoint Aliases" of [OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens](https://datatracker.ietf.org/doc/rfc8705/).
+        # 
+        # The aliases will be embedded in the response from the discovery endpoint like the following.
+        # 
+        # ```json
+        # {
+        #   ......,
+        #   "mtls_endpoint_aliases": {
+        #     "token_endpoint":         "https://mtls.example.com/token",
+        #     "revocation_endpoint":    "https://mtls.example.com/revo",
+        #     "introspection_endpoint": "https://mtls.example.com/introspect"
+        #   }
+        # }
+        # ```
+        # 
+        field :mtls_endpoint_aliases, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::NamedUri)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('mtlsEndpointAliases') }, 'form': { 'field_name': 'mtlsEndpointAliases', 'json': true } }
+        # The access token type.
+        # 
+        # This value is used as the value of `token_type` property in access token responses. If this service
+        # complies with [RFC 6750](https://tools.ietf.org/html/rfc6750), the value of this property should
+        # be `Bearer`.
+        # 
+        # See [RFC 6749 (OAuth 2.0), 7.1. Access Token Types](https://tools.ietf.org/html/rfc6749#section-7.1) for details.
+        # 
+        field :access_token_type, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('accessTokenType') }, 'form': { 'field_name': 'accessTokenType' } }
+        # The flag to indicate whether this service supports issuing TLS client certificate bound access tokens.
+        # 
+        field :tls_client_certificate_bound_access_tokens, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tlsClientCertificateBoundAccessTokens') }, 'form': { 'field_name': 'tlsClientCertificateBoundAccessTokens' } }
+        # The duration of access tokens in seconds. This value is used as the value of `expires_in` property
+        # in access token responses. `expires_in` is defined [RFC 6749, 5.1. Successful Response](https://tools.ietf.org/html/rfc6749#section-5.1).
+        # 
+        field :access_token_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('accessTokenDuration') }, 'form': { 'field_name': 'accessTokenDuration' } }
+        # The flag to indicate whether the number of access tokens per subject (and per client) is at most one or can be more.
+        # 
+        # If `true`, an attempt to issue a new access token invalidates existing access tokens that are associated with the same subject and the same client.
+        # 
+        # Note that, however, attempts by [Client Credentials Flow](https://tools.ietf.org/html/rfc6749#section-4.4) do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject. Also note that an attempt by [Refresh Token Flow](https://tools.ietf.org/html/rfc6749#section-6) invalidates the coupled access token only and this invalidation is always performed regardless of whether the value of this setting item is `true` or `false`.
+        # 
+        field :single_access_token_per_subject, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('singleAccessTokenPerSubject') }, 'form': { 'field_name': 'singleAccessTokenPerSubject' } }
+        # The key ID to identify a JWK used for signing access tokens.
+        # 
+        # A JWK Set can be registered as a property of a service. A JWK Set can contain 0 or more JWKs.
+        # Authlete Server has to pick up one JWK for signing from the JWK Set when it generates a JWT-based
+        # access token. Authlete Server searches the registered JWK Set for a JWK which satisfies conditions
+        # for access token signature. If the number of JWK candidates which satisfy the conditions is 1,
+        # there is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed
+        # to be specified so that Authlete Server can pick up one JWK from among the JWK candidates.
+        # 
+        field :access_token_signature_key_id, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('accessTokenSignatureKeyId') }, 'form': { 'field_name': 'accessTokenSignatureKeyId' } }
+        # The duration of refresh tokens in seconds. The related specifications have no requirements on refresh token duration, but Authlete sets expiration for refresh tokens.
+        field :refresh_token_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('refreshTokenDuration') }, 'form': { 'field_name': 'refreshTokenDuration' } }
+        # The flag to indicate whether the remaining duration of the used refresh token is taken over to
+        # the newly issued refresh token.
+        # 
+        field :refresh_token_duration_kept, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('refreshTokenDurationKept') }, 'form': { 'field_name': 'refreshTokenDurationKept' } }
+        # The flag which indicates whether duration of refresh tokens are reset when they are used even
+        # if the `refreshTokenKept` property of this service set to is `true` (= even if "Refresh Token
+        # Continuous Use" is "Kept").
+        # 
+        # This flag has no effect when the `refreshTokenKept` property is set to `false`. In other words,
+        # if this service issues a new refresh token on every refresh token request, the refresh token
+        # will have fresh duration (unless `refreshTokenDurationKept` is set to `true`) and this
+        # `refreshTokenDurationReset` property is not referenced.
+        # 
+        field :refresh_token_duration_reset, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('refreshTokenDurationReset') }, 'form': { 'field_name': 'refreshTokenDurationReset' } }
+        # The flag to indicate whether a refresh token remains unchanged or gets renewed after its use.
+        # 
+        # If `true`, a refresh token used to get a new access token remains valid after its use. Otherwise, if `false`, a refresh token is invalidated after its use and a new refresh token is issued.
+        # 
+        # See [RFC 6749 6. Refreshing an Access Token](https://tools.ietf.org/html/rfc6749#section-6), as to how to get a new access token using a refresh token.
+        # 
+        field :refresh_token_kept, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('refreshTokenKept') }, 'form': { 'field_name': 'refreshTokenKept' } }
+        # Scopes supported by the service.
+        # 
+        # Authlete strongly recommends that the service register at least the following scopes.
+        # 
+        # | Name | Description |
+        # | --- | --- |
+        # | openid | A permission to get an ID token of an end-user. The `openid` scope appears in [OpenID Connect Core 1.0, 3.1.2.1. Authentication Request, scope](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). Without this scope, Authlete does not allow `response_type` request parameter to have values other than code and token. |
+        # | profile | A permission to get information about `name`, `family_name`, `given_name`, `middle_name`, `nickname`, `preferred_username`, `profile`, `picture`, `website`, `gender`, `birthdate`, `zoneinfo`, `locale` and `updated_at` from the user info endpoint. See [OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) for details. |
+        # | email | A permission to get information about `email` and `email_verified` from the user info endpoint. See [OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) for details. |
+        # | address | A permission to get information about address from the user info endpoint. See [OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) and [5.1.1. Address Claim](https://openid.net/specs/openid-connect-core-1_0.html#AddressClaim) for details. |
+        # | phone | A permission to get information about `phone_number` and `phone_number_verified` from the user info endpoint. See [OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) for details. |
+        # | offline_access | A permission to get information from the user info endpoint even when the end-user is not present. See [OpenID Connect Core 1.0, 11. Offline Access](https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess) for details. |
+        # 
+        # The value of this property is used as `scopes_supported` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
+        # 
+        field :supported_scopes, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::Scope)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedScopes') }, 'form': { 'field_name': 'supportedScopes', 'json': true } }
+        # The flag to indicate whether requests that request no scope are rejected or not.
+        # 
+        # When a request has no explicit `scope` parameter and the service's pre-defined default scope set is empty,
+        # the authorization server regards the request requests no scope. When this flag is set to `true`,
+        # requests that request no scope are rejected.
+        # 
+        # The requirement below excerpted from [RFC 6749 Section 3.3](https://tools.ietf.org/html/rfc6749#section-3.3)
+        # does not explicitly mention the case where the default scope set is empty.
+        # 
+        # > If the client omits the scope parameter when requesting authorization, the authorization server
+        # MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope.
+        # 
+        # However, if you interpret *"the default scope set exists but is empty"* as *"the default scope set does not exist"*
+        # and want to strictly conform to the requirement above, this flag has to be `true`.
+        # 
+        field :scope_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('scopeRequired') }, 'form': { 'field_name': 'scopeRequired' } }
+        # 'The duration of [ID token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)s
+        # in seconds. This value is used to calculate the value of `exp` claim in an ID token.'
+        # 
+        field :id_token_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('idTokenDuration') }, 'form': { 'field_name': 'idTokenDuration' } }
+        # The allowable clock skew between the server and clients in seconds.
+        # 
+        # The clock skew is taken into consideration when time-related claims in a JWT (e.g. `exp`, `iat`, `nbf`) are verified.
+        # 
+        field :allowable_clock_skew, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('allowableClockSkew') }, 'form': { 'field_name': 'allowableClockSkew' } }
+        # Claim types supported by the service. Valid values are listed in Claim Type. Note that Authlete
+        # currently doesn't provide any API to help implementations for `AGGREGATED` and `DISTRIBUTED`.
+        # 
+        # The value of this property is used as `claim_types_supported` property in the [OpenID Provider
+        # Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
+        # 
+        field :supported_claim_types, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::ClaimType)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedClaimTypes') }, 'form': { 'field_name': 'supportedClaimTypes' } }
+        # Claim locales that the service supports. Each element is a language tag defined in [RFC 5646](https://tools.ietf.org/html/rfc5646).
+        # For example, `en-US` and `ja-JP`. See [OpenID Connect Core 1.0, 5.2. Languages and Scripts](https://openid.net/specs/openid-connect-core-1_0.html#ClaimsLanguagesAndScripts)
+        # for details.
+        # 
+        # The value of this property is used as `claims_locales_supported` property in the
+        # [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
+        # 
+        field :supported_claim_locales, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedClaimLocales') }, 'form': { 'field_name': 'supportedClaimLocales' } }
+        # Claim names that the service supports. The standard claim names listed in [OpenID Connect Core 1.0,
+        # 5.1. Standard Claim](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) should
+        # be supported. The following is the list of standard claims.
+        # 
+        # - `sub`
+        # - `name`
+        # - `given_name`
+        # - `family_name`
+        # - `middle_name`
+        # - `nickname`
+        # - `preferred_username`
+        # - `profile`
+        # - `picture`
+        # - `website`
+        # - `email`
+        # - `email_verified`
+        # - `gender`
+        # - `birthdate`
+        # - `zoneinfo`
+        # - `locale`
+        # - `phone_number`
+        # - `phone_number_verified`
+        # - `address`
+        # - `updated_at`
+        # 
+        # The value of this property is used as `claims_supported` property in the [OpenID Provider
+        # Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
+        # 
+        # The service may support its original claim names. See [OpenID Connect Core 1.0, 5.1.2. Additional
+        # Claims](https://openid.net/specs/openid-connect-core-1_0.html#AdditionalClaims).
+        # 
+        field :supported_claims, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedClaims') }, 'form': { 'field_name': 'supportedClaims' } }
+        # The flag indicating whether claims specified by shortcut scopes (e.g. `profile`) are included
+        # in the issued ID token only when no access token is issued.
+        # 
+        # To strictly conform to the description below excerpted from [OpenID Connect Core 1.0 Section
+        # 5.4](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims), this flag has to be `true`.
+        # 
+        # > The Claims requested by the profile, email, address, and phone scope values are returned from
+        # the UserInfo Endpoint, as described in Section 5.3.2, when a response_type value is used that
+        # results in an Access Token being issued. However, when no Access Token is issued (which is the
+        # case for the response_type value id_token), the resulting Claims are returned in the ID Token.
+        # 
+        field :claim_shortcut_restrictive, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('claimShortcutRestrictive') }, 'form': { 'field_name': 'claimShortcutRestrictive' } }
+        # The URL of the service's [JSON Web Key Set](https://tools.ietf.org/html/rfc7517) document. For
+        # example, `http://example.com/auth/jwks`.
+        # 
+        # Client applications accesses this URL (1) to get the public key of the service to validate the
+        # signature of an ID token issued by the service and (2) to get the public key of the service to
+        # encrypt an request object of the client application. See [OpenID Connect Core 1.0, 10. Signatures
+        # and Encryption](https://openid.net/specs/openid-connect-core-1_0.html#SigEnc) for details.
+        # 
+        # The value of this property is used as `jwks_uri` property in the [OpenID Provider Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
+        # 
+        field :jwks_uri, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('jwksUri') }, 'form': { 'field_name': 'jwksUri' } }
+        # 'The flag to indicate whether the direct jwks endpoint is enabled or not. The path of the endpoint
+        # is `/api/service/jwks/get/direct/service-api-key`. '
+        # 
+        field :direct_jwks_endpoint_enabled, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('directJwksEndpointEnabled') }, 'form': { 'field_name': 'directJwksEndpointEnabled' } }
+        # The content of the service's [JSON Web Key Set](https://tools.ietf.org/html/rfc7517) document.
+        # 
+        # If this property is not `null` in a `/service/create` request or a `/service/update` request,
+        # Authlete hosts the content in the database. This property must not be `null` and must contain
+        # pairs of public/private keys if the service wants to support asymmetric signatures for ID tokens
+        # and asymmetric encryption for request objects. See [OpenID Connect Core 1.0, 10. Signatures and
+        # Encryption](https://openid.net/specs/openid-connect-core-1_0.html#SigEnc) for details.
+        # 
+        field :jwks, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('jwks') }, 'form': { 'field_name': 'jwks' } }
+        # The key ID to identify a JWK used for ID token signature using an asymmetric key.
+        # 
+        # A JWK Set can be registered as a property of a Service. A JWK Set can contain 0 or more JWKs
+        # (See [RFC 7517](https://tools.ietf.org/html/rfc7517) for details about JWK). Authlete Server has
+        # to pick up one JWK for signature from the JWK Set when it generates an ID token and signature
+        # using an asymmetric key is required. Authlete Server searches the registered JWK Set for a JWK
+        # which satisfies conditions for ID token signature. If the number of JWK candidates which satisfy
+        # the conditions is 1, there is no problem. On the other hand, if there exist multiple candidates,
+        # a [Key ID](https://tools.ietf.org/html/rfc7517#section-4.5) is needed to be specified so that
+        # Authlete Server can pick up one JWK from among the JWK candidates.
+        # 
+        # This `idTokenSignatureKeyId` property exists for the purpose described above. For key rotation
+        # (OpenID Connect Core 1.0, [10.1.1. Rotation of Asymmetric Signing Keys](http://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys)),
+        # this mechanism is needed.
+        # 
+        field :id_token_signature_key_id, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('idTokenSignatureKeyId') }, 'form': { 'field_name': 'idTokenSignatureKeyId' } }
+        # The key ID to identify a JWK used for user info signature using an asymmetric key.
+        # 
+        # A JWK Set can be registered as a property of a Service. A JWK Set can contain 0 or more JWKs
+        # (See [RFC 7517](https://tools.ietf.org/html/rfc7517) for details about JWK). Authlete Server has
+        # to pick up one JWK for signature from the JWK Set when it is required to sign user info (which
+        # is returned from [userinfo endpoint](http://openid.net/specs/openid-connect-core-1_0.html#UserInfo))
+        # using an asymmetric key. Authlete Server searches the registered JWK Set for a JWK which satisfies
+        # conditions for user info signature. If the number of JWK candidates which satisfy the conditions
+        # is 1, there is no problem. On the other hand, if there exist multiple candidates, a [Key ID](https://tools.ietf.org/html/rfc7517#section-4.5)
+        # is needed to be specified so that Authlete Server can pick up one JWK from among the JWK candidates.
+        # 
+        # This `userInfoSignatureKeyId` property exists for the purpose described above. For key rotation
+        # (OpenID Connect Core 1.0, [10.1.1. Rotation of Asymmetric Signing Keys](http://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys)),
+        # this mechanism is needed.
+        # 
+        field :user_info_signature_key_id, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('userInfoSignatureKeyId') }, 'form': { 'field_name': 'userInfoSignatureKeyId' } }
+        # The key ID to identify a JWK used for signing authorization responses using an asymmetric key.
+        # 
+        # [Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)](https://openid.net/specs/openid-financial-api-jarm.html)
+        # defines new values for the `response_mode` request parameter. They are `query.jwt`, `fragment.jwt`,
+        # `form_post.jwt` and `jwt`. If one of them is specified as the response mode, response parameters
+        # from the authorization endpoint will be packed into a JWT. This property is used to compute the
+        # value of the `exp` claim of the JWT.
+        # 
+        # Authlete Server searches the JWK Set for a JWK which satisfies conditions for authorization response
+        # signature. If the number of JWK candidates which satisfy the conditions is 1, there is no problem.
+        # On the other hand, if there exist multiple candidates, a Key ID is needed to be specified so that
+        # Authlete Server can pick up one JWK from among the JWK candidates. This property exists to specify
+        # the key ID.
+        # 
+        field :authorization_signature_key_id, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('authorizationSignatureKeyId') }, 'form': { 'field_name': 'authorizationSignatureKeyId' } }
+        # The [user info endpoint](http://openid.net/specs/openid-connect-core-1_0.html#UserInfo) of the
+        # service. A URL that starts with `https://`. For example, `https://example.com/auth/userinfo`.
+        # 
+        # The value of this property is used as `userinfo_endpoint` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
+        # 
+        field :user_info_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('userInfoEndpoint') }, 'form': { 'field_name': 'userInfoEndpoint' } }
+        # The flag to indicate whether the direct userinfo endpoint is enabled or not. The path
+        # of the endpoint is `/api/auth/userinfo/direct/service-api-key`.
+        # 
+        field :direct_user_info_endpoint_enabled, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('directUserInfoEndpointEnabled') }, 'form': { 'field_name': 'directUserInfoEndpointEnabled' } }
+        # The boolean flag which indicates whether the [OAuth 2.0 Dynamic Client Registration Protocol](https://tools.ietf.org/html/rfc7591)
+        # is supported.
+        # 
+        field :dynamic_registration_supported, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('dynamicRegistrationSupported') }, 'form': { 'field_name': 'dynamicRegistrationSupported' } }
+        # The [registration endpoint](http://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration)
+        # of the service. A URL that starts with `https://`. For example, `https://example.com/auth/registration`.
+        # 
+        # The value of this property is used as `registration_endpoint` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
+        # 
+        field :registration_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('registrationEndpoint') }, 'form': { 'field_name': 'registrationEndpoint' } }
+        # The URI of the registration management endpoint. If dynamic client registration is supported,
+        # and this is set, this URI will be used as the basis of the client's management endpoint by appending
+        # `/clientid}/` to it as a path element. If this is unset, the value of `registrationEndpoint` will
+        # be used as the URI base instead.
+        # 
+        field :registration_management_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('registrationManagementEndpoint') }, 'form': { 'field_name': 'registrationManagementEndpoint' } }
+        # The URL of the "Policy" of the service.
+        # 
+        # The value of this property is used as `op_policy_uri` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
+        # 
+        field :policy_uri, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('policyUri') }, 'form': { 'field_name': 'policyUri' } }
+        # The URL of the "Terms Of Service" of the service.
+        # 
+        # The value of this property is used as `op_tos_uri` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
+        # 
+        field :tos_uri, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tosUri') }, 'form': { 'field_name': 'tosUri' } }
+        # The URL of a page where documents for developers can be found.
+        # 
+        # The value of this property is used as `service_documentation` property in the [OpenID Provider Metadata](http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
+        # 
+        field :service_documentation, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('serviceDocumentation') }, 'form': { 'field_name': 'serviceDocumentation' } }
+        # The URI of backchannel authentication endpoint, which is defined in the specification of [CIBA
+        # (Client Initiated Backchannel Authentication)](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html).
+        # 
+        field :backchannel_authentication_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('backchannelAuthenticationEndpoint') }, 'form': { 'field_name': 'backchannelAuthenticationEndpoint' } }
+        # The supported backchannel token delivery modes. This property corresponds to the `backchannel_token_delivery_modes_supported`
+        # metadata.
+        # 
+        # Backchannel token delivery modes are defined in the specification of [CIBA (Client Initiated
+        # Backchannel Authentication)](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html).
+        # 
+        field :supported_backchannel_token_delivery_modes, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::DeliveryMode)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedBackchannelTokenDeliveryModes') }, 'form': { 'field_name': 'supportedBackchannelTokenDeliveryModes' } }
+        # The duration of backchannel authentication request IDs issued from the backchannel authentication
+        # endpoint in seconds. This is used as the value of the `expires_in` property in responses from
+        # the backchannel authentication endpoint.
+        # 
+        field :backchannel_auth_req_id_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('backchannelAuthReqIdDuration') }, 'form': { 'field_name': 'backchannelAuthReqIdDuration' } }
+        # The minimum interval between polling requests to the token endpoint from client applications in
+        # seconds. This is used as the value of the `interval` property in responses from the backchannel
+        # authentication endpoint.
+        # 
+        field :backchannel_polling_interval, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('backchannelPollingInterval') }, 'form': { 'field_name': 'backchannelPollingInterval' } }
+        # The boolean flag which indicates whether the `user_code` request parameter is supported at the
+        # backchannel authentication endpoint. This property corresponds to the `backchannel_user_code_parameter_supported`
+        # metadata.
+        # 
+        field :backchannel_user_code_parameter_supported, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('backchannelUserCodeParameterSupported') }, 'form': { 'field_name': 'backchannelUserCodeParameterSupported' } }
+        # The flag to indicate whether the `binding_message` request parameter is always required whenever
+        # a backchannel authentication request is judged as a request for Financial-grade API.
+        # 
+        # The FAPI-CIBA profile requires that the authorization server _"shall ensure unique authorization
+        # context exists in the authorization request or require a `binding_message` in the authorization
+        # request"_ (FAPI-CIBA, 5.2.2, 2). The simplest way to fulfill this requirement is to set this property
+        # to `true`.
+        # 
+        # If this property is set to `false`, the `binding_message` request parameter remains optional
+        # even in FAPI context, but in exchange, your authorization server must implement a custom mechanism
+        # that ensures each backchannel authentication request has unique context.
+        # 
+        field :backchannel_binding_message_required_in_fapi, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('backchannelBindingMessageRequiredInFapi') }, 'form': { 'field_name': 'backchannelBindingMessageRequiredInFapi' } }
+        # The URI of the device authorization endpoint.
+        # 
+        # Device authorization endpoint is defined in the specification of OAuth 2.0 Device Authorization Grant.
+        # 
+        field :device_authorization_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('deviceAuthorizationEndpoint') }, 'form': { 'field_name': 'deviceAuthorizationEndpoint' } }
+        # The verification URI for the device flow. This URI is used as the value of the `verification_uri`
+        # parameter in responses from the device authorization endpoint.
+        # 
+        field :device_verification_uri, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('deviceVerificationUri') }, 'form': { 'field_name': 'deviceVerificationUri' } }
+        # The verification URI for the device flow with a placeholder for a user code. This URI is used
+        # to build the value of the `verification_uri_complete` parameter in responses from the device
+        # authorization endpoint.
+        # 
+        # It is expected that the URI contains a fixed string `USER_CODE` somewhere as a placeholder for
+        # a user code. For example, like the following.
+        # 
+        # `https://example.com/device?user\_code=USER\_CODE`
+        # 
+        # The fixed string is replaced with an actual user code when Authlete builds a verification URI
+        # with a user code for the `verification_uri_complete` parameter.
+        # 
+        # If this URI is not set, the `verification_uri_complete` parameter won't appear in device authorization
+        # responses.
+        # 
+        field :device_verification_uri_complete, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('deviceVerificationUriComplete') }, 'form': { 'field_name': 'deviceVerificationUriComplete' } }
+        # The duration of device verification codes and end-user verification codes issued from the device
+        # authorization endpoint in seconds. This is used as the value of the `expires_in` property in responses
+        # from the device authorization endpoint.
+        # 
+        field :device_flow_code_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('deviceFlowCodeDuration') }, 'form': { 'field_name': 'deviceFlowCodeDuration' } }
+        # The minimum interval between polling requests to the token endpoint from client applications in
+        # seconds in device flow. This is used as the value of the `interval` property in responses from
+        # the device authorization endpoint.
+        # 
+        field :device_flow_polling_interval, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('deviceFlowPollingInterval') }, 'form': { 'field_name': 'deviceFlowPollingInterval' } }
+        # The character set for end-user verification codes (`user_code`) for Device Flow.
+        # 
+        field :user_code_charset, Crystalline::Nilable.new(Models::Components::UserCodeCharset), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('userCodeCharset'), 'decoder': Utils.enum_from_string(Models::Components::UserCodeCharset, true) }, 'form': { 'field_name': 'userCodeCharset' } }
+        # The length of end-user verification codes (`user_code`) for Device Flow.
+        # 
+        field :user_code_length, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('userCodeLength') }, 'form': { 'field_name': 'userCodeLength' } }
+        # Trust frameworks supported by this service. This corresponds to the `trust_frameworks_supported`
+        # [metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).
+        # 
+        field :supported_trust_frameworks, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedTrustFrameworks') }, 'form': { 'field_name': 'supportedTrustFrameworks' } }
+        # Evidence supported by this service. This corresponds to the `evidence_supported` [metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).
+        # 
+        field :supported_evidence, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedEvidence') }, 'form': { 'field_name': 'supportedEvidence' } }
+        # Identity documents supported by this service. This corresponds to the `id_documents_supported`
+        # [metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).
+        # 
+        field :supported_identity_documents, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedIdentityDocuments') }, 'form': { 'field_name': 'supportedIdentityDocuments' } }
+        # Verification methods supported by this service. This corresponds to the `id_documents_verification_methods_supported`
+        # [metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).
+        # 
+        field :supported_verification_methods, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedVerificationMethods') }, 'form': { 'field_name': 'supportedVerificationMethods' } }
+        # Verified claims supported by this service. This corresponds to the `claims_in_verified_claims_supported`
+        # [metadata](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.7).
+        # 
+        field :supported_verified_claims, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedVerifiedClaims') }, 'form': { 'field_name': 'supportedVerifiedClaims' } }
+        # The verified claims validation schema set.
+        # 
+        field :verified_claims_validation_schema_set, Crystalline::Nilable.new(Models::Components::VerifiedClaimsValidationSchema), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('verifiedClaimsValidationSchemaSet'), 'decoder': Utils.enum_from_string(Models::Components::VerifiedClaimsValidationSchema, true) }, 'form': { 'field_name': 'verifiedClaimsValidationSchemaSet' } }
+        # The attributes of this service.
+        # 
+        field :attributes, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::Pair)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('attributes') }, 'form': { 'field_name': 'attributes', 'json': true } }
+        # The flag indicating whether the nbf claim in the request object is optional even when the authorization
+        # request is regarded as a FAPI-Part2 request.
+        # 
+        # The final version of Financial-grade API was approved in January, 2021. The Part 2 of the final
+        # version has new requirements on lifetime of request objects. They require that request objects
+        # contain an `nbf` claim and the lifetime computed by `exp` - `nbf` be no longer than 60 minutes.
+        # 
+        # Therefore, when an authorization request is regarded as a FAPI-Part2 request, the request object
+        # used in the authorization request must contain an nbf claim. Otherwise, the authorization server
+        # rejects the authorization request.
+        # 
+        # When this flag is `true`, the `nbf` claim is treated as an optional claim even when the authorization
+        # request is regarded as a FAPI-Part2 request. That is, the authorization server does not perform
+        # the validation on lifetime of the request object.
+        # 
+        # Skipping the validation is a violation of the FAPI specification. The reason why this flag has
+        # been prepared nevertheless is that the new requirements (which do not exist in the Implementer's
+        # Draft 2 released in October, 2018) have big impacts on deployed implementations of client
+        # applications and Authlete thinks there should be a mechanism whereby to make the migration
+        # from ID2 to Final smooth without breaking live systems.
+        # 
+        field :nbf_optional, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('nbfOptional') }, 'form': { 'field_name': 'nbfOptional' } }
+        # The flag indicating whether generation of the iss response parameter is suppressed.
+        # 
+        # "OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response" has defined a new
+        # authorization response parameter, `iss`, as a countermeasure for a certain type of mix-up attacks.
+        # 
+        # The specification requires that the `iss` response parameter always be included in authorization
+        # responses unless JARM (JWT Secured Authorization Response Mode) is used.
+        # 
+        # When this flag is `true`, the authorization server does not include the `iss` response parameter
+        # in authorization responses. By turning this flag on and off, developers of client applications
+        # can experiment the mix-up attack and the effect of the `iss` response parameter.
+        # 
+        # Note that this flag should not be `true` in production environment unless there are special
+        # reasons for it.
+        # 
+        field :iss_suppressed, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('issSuppressed') }, 'form': { 'field_name': 'issSuppressed' } }
+        # custom client metadata supported by this service.
+        # 
+        # Standard specifications define client metadata as necessary. The following are such examples.
+        # 
+        # * [OpenID Connect Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html)
+        # * [RFC 7591 OAuth 2.0 Dynamic Client Registration Protocol](https://www.rfc-editor.org/rfc/rfc7591.html)
+        # * [RFC 8705 OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens](https://www.rfc-editor.org/rfc/rfc8705.html)
+        # * [OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html)
+        # * [The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)](https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/)
+        # * [Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)](https://openid.net/specs/openid-financial-api-jarm.html)
+        # * [OAuth 2.0 Pushed Authorization Requests (PAR)](https://datatracker.ietf.org/doc/rfc9126/)
+        # * [OAuth 2.0 Rich Authorization Requests (RAR)](https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/)
+        # 
+        # Standard client metadata included in Client Registration Request and Client Update Request (cf.
+        # [OIDC DynReg](https://openid.net/specs/openid-connect-registration-1_0.html), [RFC 7591](https://www.rfc-editor.org/rfc/rfc7591.html)
+        # and [RFC 7592](https://www.rfc-editor.org/rfc/rfc7592.html)) are, if supported by Authlete, stored
+        # into Authlete database. On the other hand, unrecognized client metadata are discarded.
+        # 
+        # By listing up custom client metadata in advance by using this property (`supportedCustomClientMetadata`),
+        # Authlete can recognize them and stores their values into the database. The stored custom client
+        # metadata values can be referenced by `customMetadata`.
+        # 
+        field :supported_custom_client_metadata, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedCustomClientMetadata') }, 'form': { 'field_name': 'supportedCustomClientMetadata' } }
+        # The flag indicating whether the expiration date of an access token never exceeds that of the
+        # corresponding refresh token.
+        # 
+        # When a new access token is issued by a refresh token request (= a token request with `grant_type=refresh_token`),
+        # the expiration date of the access token may exceed the expiration date of the corresponding
+        # refresh token. This behavior itself is not wrong and may happen when `refreshTokenKept` is
+        # `true` and/or when `refreshTokenDurationKept` is `true`.
+        # 
+        # When this flag is `true`, the expiration date of an access token never exceeds that of the corresponding
+        # refresh token regardless of the calculated duration based on other settings such as `accessTokenDuration`,
+        # `accessTokenDuration` in `extension` and `access_token.duration` scope attribute.
+        # 
+        # It is technically possible to set a value which is bigger than the duration of refresh tokens
+        # as the duration of access tokens although it is strange. In the case, the duration of an access
+        # token becomes longer than the duration of the refresh token which is issued together with the
+        # access token. Even if the duration values are configured so, if this flag is `true`, the expiration
+        # date of the access token does not exceed that of the refresh token. That is, the duration of
+        # the access token will be shortened, and as a result, the access token and the refresh token
+        # will have the same expiration date.
+        # 
+        field :token_expiration_linked, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tokenExpirationLinked') }, 'form': { 'field_name': 'tokenExpirationLinked' } }
+        # The flag indicating whether encryption of request object is required when the request object
+        # is passed through the front channel.
+        # 
+        # This flag does not affect the processing of request objects at the Pushed Authorization Request
+        # Endpoint, which is defined in [OAuth 2.0 Pushed Authorization Requests](https://datatracker.ietf.org/doc/rfc9126/).
+        # Unecrypted request objects are accepted at the endpoint even if this flag is `true`.
+        # 
+        # This flag does not indicate whether a request object is always required. There is a different
+        # flag, `requestObjectRequired`, for the purpose. See the description of `requestObjectRequired`
+        # for details.
+        # 
+        # Even if this flag is `false`, encryption of request object is required if the `frontChannelRequestObjectEncryptionRequired`
+        # flag of the client is `true`.
+        # 
+        field :front_channel_request_object_encryption_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('frontChannelRequestObjectEncryptionRequired') }, 'form': { 'field_name': 'frontChannelRequestObjectEncryptionRequired' } }
+        # The flag indicating whether the JWE alg of encrypted request object must match the `request_object_encryption_alg`
+        # client metadata of the client that has sent the request object.
+        # 
+        # The request_object_encryption_alg client metadata itself is defined in [OpenID Connect Dynamic
+        # Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html) as follows.
+        # 
+        # > request_object_encryption_alg
+        # >
+        # > OPTIONAL. JWE [JWE] alg algorithm [JWA] the RP is declaring that it may use for encrypting
+        # Request Objects sent to the OP. This parameter SHOULD be included when symmetric encryption
+        # will be used, since this signals to the OP that a client_secret value needs to be returned
+        # from which the symmetric key will be derived, that might not otherwise be returned. The RP
+        # MAY still use other supported encryption algorithms or send unencrypted Request Objects, even
+        # when this parameter is present. If both signing and encryption are requested, the Request Object
+        # will be signed then encrypted, with the result being a Nested JWT, as defined in [JWT]. The
+        # default, if omitted, is that the RP is not declaring whether it might encrypt any Request Objects.
+        # 
+        # The point here is "The RP MAY still use other supported encryption algorithms or send unencrypted
+        # Request Objects, even when this parameter is present."
+        # 
+        # The Client's property that represents the client metadata is `requestEncryptionAlg`. See the
+        # description of `requestEncryptionAlg` for details.
+        # 
+        # Even if this flag is `false`, the match is required if the `requestObjectEncryptionAlgMatchRequired`
+        # flag of the client is `true`.
+        # 
+        field :request_object_encryption_alg_match_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('requestObjectEncryptionAlgMatchRequired') }, 'form': { 'field_name': 'requestObjectEncryptionAlgMatchRequired' } }
+        # The flag indicating whether the JWE `enc` of encrypted request object must match the `request_object_encryption_enc`
+        # client metadata of the client that has sent the request object.
+        # 
+        # The `request_object_encryption_enc` client metadata itself is defined in [OpenID Connect Dynamic
+        # Client Registration 1.0](https://openid.net/specs/openid-connect-registration-1_0.html) as follows.
+        # 
+        # > request_object_encryption_enc
+        # >
+        # > OPTIONAL. JWE enc algorithm [JWA] the RP is declaring that it may use for encrypting Request
+        # Objects sent to the OP. If request_object_encryption_alg is specified, the default for this
+        # value is A128CBC-HS256. When request_object_encryption_enc is included, request_object_encryption_alg
+        # MUST also be provided.
+        # 
+        # The Client's property that represents the client metadata is `requestEncryptionEnc`. See the
+        # description of `requestEncryptionEnc` for details.
+        # 
+        # Even if this flag is false, the match is required if the `requestObjectEncryptionEncMatchRequired`
+        # flag is `true`.
+        # 
+        field :request_object_encryption_enc_match_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('requestObjectEncryptionEncMatchRequired') }, 'form': { 'field_name': 'requestObjectEncryptionEncMatchRequired' } }
+        # The flag indicating whether HSM (Hardware Security Module) support is enabled for this service.
+        # 
+        # When this flag is `false`, keys managed in HSMs are not used even if they exist. In addition,
+        # `/api/hsk/*` APIs reject all requests.
+        # 
+        # Even if this flag is `true`, HSM-related features do not work if the configuration of the Authlete
+        # server you are using does not support HSM.
+        # 
+        field :hsm_enabled, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('hsmEnabled') }, 'form': { 'field_name': 'hsmEnabled' } }
+        # The information about keys managed on HSMs (Hardware Security Modules).
+        # 
+        # This `hsks` property is output only, meaning that `hsks` in requests to `/api/service/create`
+        # API and `/api/service/update` API do not have any effect. The contents of this property is controlled
+        # only by `/api/hsk/*` APIs.
+        # 
+        field :hsks, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::Hsk)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('hsks') }, 'form': { 'field_name': 'hsks', 'json': true } }
+        # The URL of the grant management endpoint.
+        # 
+        field :grant_management_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('grantManagementEndpoint') }, 'form': { 'field_name': 'grantManagementEndpoint' } }
+        # The flag indicating whether every authorization request (and any request serving as an authorization
+        # request such as CIBA backchannel authentication request and device authorization request) must
+        # include the `grant_management_action` request parameter.
+        # 
+        # This property corresponds to the `grant_management_action_required` server metadata defined
+        # in [Grant Management for OAuth 2.0](https://openid.net/specs/fapi-grant-management.html).
+        # 
+        # Note that setting true to this property will result in blocking all public clients because
+        # the specification requires that grant management be usable only by confidential clients for
+        # security reasons.
+        # 
+        field :grant_management_action_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('grantManagementActionRequired') }, 'form': { 'field_name': 'grantManagementActionRequired' } }
+        # The flag indicating whether Authlete's `/api/client/registration` API uses `UNAUTHORIZED` as
+        # a value of the `action` response parameter when appropriate.
+        # 
+        # The `UNAUTHORIZED` enum value was initially not defined as a possible value of the `action`
+        # parameter in an `/api/client/registration` API response. This means that implementations of
+        # client `configuration` endpoint were not able to conform to [RFC 7592](https://www.rfc-editor.org/rfc/rfc7592.html)
+        # strictly.
+        # 
+        # For backward compatibility (to avoid breaking running systems), Authlete's `/api/client/registration`
+        # API does not return the `UNAUTHORIZED` enum value if this flag is not turned on.
+        # 
+        # The steps an existing implementation of client configuration endpoint has to do in order to
+        # conform to the requirement related to "401 Unauthorized" are as follows.
+        # 
+        # 1. Update the Authlete library (e.g. authlete-java-common) your system is using.
+        # 2. Update your implementation of client configuration endpoint so that it can handle the
+        # `UNAUTHORIZED` action.
+        # 3. Turn on this `unauthorizedOnClientConfigSupported` flag.
+        # 
+        field :unauthorized_on_client_config_supported, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('unauthorizedOnClientConfigSupported') }, 'form': { 'field_name': 'unauthorizedOnClientConfigSupported' } }
+        # The flag indicating whether the `scope` request parameter in dynamic client registration and
+        # update requests (RFC 7591 and RFC 7592) is used as scopes that the client can request.
+        # 
+        # Limiting the range of scopes that a client can request is achieved by listing scopes in the
+        # `client.extension.requestableScopes` property and setting the `client.extension.requestableScopesEnabled`
+        # property to `true`. This feature is called "requestable scopes".
+        # 
+        # This property affects behaviors of `/api/client/registration` and other family APIs.
+        # 
+        field :dcr_scope_used_as_requestable, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('dcrScopeUsedAsRequestable') }, 'form': { 'field_name': 'dcrScopeUsedAsRequestable' } }
+        # The endpoint for clients ending the sessions.
+        # 
+        # A URL that starts with `https://` and has no fragment component. For example, `https://example.com/auth/endSession`.
+        # 
+        # The value of this property is used as `end_session_endpoint` property in the [OpenID Provider
+        # Metadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
+        # 
+        field :end_session_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('endSessionEndpoint') }, 'form': { 'field_name': 'endSessionEndpoint' } }
+        # The flag indicating whether the port number component of redirection URIs can be variable when
+        # the host component indicates loopback.
+        # 
+        # When this flag is `true`, if the host component of a redirection URI specified in an authorization
+        # request indicates loopback (to be precise, when the host component is localhost, `127.0.0.1`
+        # or `::1`), the port number component is ignored when the specified redirection URI is compared
+        # to pre-registered ones. This behavior is described in [7.3. Loopback Interface Redirection](
+        # https://www.rfc-editor.org/rfc/rfc8252.html#section-7.3) of [RFC 8252 OAuth 2.0](https://www.rfc-editor.org/rfc/rfc8252.html)
+        # for Native Apps.
+        # 
+        # [3.1.2.3. Dynamic Configuration](https://www.rfc-editor.org/rfc/rfc6749.html#section-3.1.2.3)
+        # of [RFC 6749](https://www.rfc-editor.org/rfc/rfc6749.html) states _"If the client registration
+        # included the full redirection URI, the authorization server MUST compare the two URIs using
+        # simple string comparison as defined in [RFC3986] Section 6.2.1."_ Also, the description of
+        # `redirect_uri` in [3.1.2.1. Authentication Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest)
+        # of [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html) states
+        # _"This URI MUST exactly match one of the Redirection URI values for the Client pre-registered
+        # at the OpenID Provider, with the matching performed as described in Section 6.2.1 of [RFC3986]
+        # (**Simple String Comparison**)."_ These "Simple String Comparison" requirements are preceded
+        # by this flag. That is, even when the conditions described in RFC 6749 and OpenID Connect Core 1.0
+        # are satisfied, the port number component of loopback redirection URIs can be variable when this
+        # flag is `true`.
+        # 
+        # [8.3. Loopback Redirect Considerations](https://www.rfc-editor.org/rfc/rfc8252.html#section-8.3)
+        # of [RFC 8252](https://www.rfc-editor.org/rfc/rfc8252.html) states as follows.
+        # 
+        # > While redirect URIs using localhost (i.e., `"http://localhost:{port}/{path}"`) function
+        # similarly to loopback IP redirects described in Section 7.3, the use of localhost is NOT RECOMMENDED.
+        # Specifying a redirect URI with the loopback IP literal rather than localhost avoids inadvertently
+        # listening on network interfaces other than the loopback interface. It is also less susceptible
+        # to client-side firewalls and misconfigured host name resolution on the user's device.
+        # 
+        # However, Authlete allows the port number component to be variable in the case of `localhost`,
+        # too. It is left to client applications whether they use `localhost` or a literal loopback IP
+        # address (`127.0.0.1` for IPv4 or `::1` for IPv6).
+        # 
+        # Section 7.3 and Section 8.3 of [RFC 8252](https://www.rfc-editor.org/rfc/rfc8252.html) state
+        # that loopback redirection URIs use the `"http"` scheme, but Authlete allows the port number
+        # component to be variable in other cases (e.g. in the case of the `"https"` scheme), too.
+        # 
+        field :loopback_redirection_uri_variable, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('loopbackRedirectionUriVariable') }, 'form': { 'field_name': 'loopbackRedirectionUriVariable' } }
+        # The flag indicating whether Authlete checks whether the `aud` claim of request objects matches
+        # the issuer identifier of this service.
+        # 
+        # [Section 6.1. Passing a Request Object by Value](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests)
+        # of [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html) has the following
+        # statement.
+        # 
+        # > The `aud` value SHOULD be or include the OP's Issuer Identifier URL.
+        # 
+        # Likewise, [Section 4. Request Object](https://www.rfc-editor.org/rfc/rfc9101.html#section-4) of
+        # [RFC 9101](https://www.rfc-editor.org/rfc/rfc9101.html) (The OAuth 2.0 Authorization Framework:
+        # JWT-Secured Authorization Request (JAR)) has the following statement.
+        # 
+        # > The value of aud should be the value of the authorization server (AS) issuer, as defined in
+        # [RFC 8414](https://www.rfc-editor.org/rfc/rfc8414.html).
+        # 
+        # As excerpted above, validation on the `aud` claim of request objects is optional. However, if
+        # this flag is turned on, Authlete checks whether the `aud` claim of request objects matches the issuer
+        # identifier of this service and raises an error if they are different.
+        # 
+        field :request_object_audience_checked, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('requestObjectAudienceChecked') }, 'form': { 'field_name': 'requestObjectAudienceChecked' } }
+        # The flag indicating whether Authlete generates access tokens for
+        # external attachments and embeds them in ID tokens and userinfo
+        # responses.
+        # 
+        field :access_token_for_external_attachment_embedded, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('accessTokenForExternalAttachmentEmbedded') }, 'form': { 'field_name': 'accessTokenForExternalAttachmentEmbedded' } }
+        # Identifiers of entities that can issue entity statements for this
+        # service. This property corresponds to the `authority_hints`
+        # property that appears in a self-signed entity statement that is
+        # defined in OpenID Connect Federation 1.0.
+        # 
+        field :authority_hints, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('authorityHints') }, 'form': { 'field_name': 'authorityHints' } }
+        # flag indicating whether this service supports OpenID Connect Federation 1
+        # 
+        field :federation_enabled, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('federationEnabled') }, 'form': { 'field_name': 'federationEnabled' } }
+        # JWK Set document containing keys that are used to sign (1) self-signed
+        # entity statement of this service and (2) the response from
+        # `signed_jwks_uri`.
+        # 
+        field :federation_jwks, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('federationJwks') }, 'form': { 'field_name': 'federationJwks' } }
+        # A key ID to identify a JWK used to sign the entity configuration and
+        # the signed JWK Set.
+        # 
+        field :federation_signature_key_id, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('federationSignatureKeyId') }, 'form': { 'field_name': 'federationSignatureKeyId' } }
+        # The duration of the entity configuration in seconds.
+        # 
+        field :federation_configuration_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('federationConfigurationDuration') }, 'form': { 'field_name': 'federationConfigurationDuration' } }
+        # The URI of the federation registration endpoint. This property corresponds
+        # to the `federation_registration_endpoint` server metadata that is
+        # defined in OpenID Connect Federation 1.0.
+        # 
+        field :federation_registration_endpoint, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('federationRegistrationEndpoint') }, 'form': { 'field_name': 'federationRegistrationEndpoint' } }
+        # The human-readable name representing the organization that operates
+        # this service. This property corresponds to the `organization_name`
+        # server metadata that is defined in OpenID Connect Federation 1.0.
+        # 
+        field :organization_name, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('organizationName') }, 'form': { 'field_name': 'organizationName' } }
+        # The transformed claims predefined by this service in JSON format.
+        # This property corresponds to the `transformed_claims_predefined`
+        # server metadata.
+        # 
+        field :predefined_transformed_claims, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('predefinedTransformedClaims') }, 'form': { 'field_name': 'predefinedTransformedClaims' } }
+        # flag indicating whether refresh token requests with the same
+        # refresh token can be made multiple times in quick succession and
+        # they can obtain the same renewed refresh token within the short
+        # period.
+        # 
+        field :refresh_token_idempotent, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('refreshTokenIdempotent') }, 'form': { 'field_name': 'refreshTokenIdempotent' } }
+        # The URI of the endpoint that returns this service's JWK Set document in
+        # the JWT format. This property corresponds to the `signed_jwks_uri`
+        # server metadata defined in OpenID Connect Federation 1.0.
+        # 
+        field :signed_jwks_uri, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('signedJwksUri') }, 'form': { 'field_name': 'signedJwksUri' } }
+        # Supported attachment types. This property corresponds to the {@code
+        # attachments_supported} server metadata which was added by the third
+        # implementer's draft of OpenID Connect for Identity Assurance 1.0.
+        # 
+        field :supported_attachments, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::AttachmentType)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedAttachments') }, 'form': { 'field_name': 'supportedAttachments' } }
+        # Supported algorithms used to compute digest values of external
+        # attachments. This property corresponds to the
+        # `digest_algorithms_supported` server metadata which was added
+        # by the third implementer's draft of OpenID Connect for Identity
+        # Assurance 1.0.
+        # 
+        field :supported_digest_algorithms, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedDigestAlgorithms') }, 'form': { 'field_name': 'supportedDigestAlgorithms' } }
+        # Document types supported by this service. This property corresponds
+        # to the `documents_supported` server metadata.
+        # 
+        field :supported_documents, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedDocuments') }, 'form': { 'field_name': 'supportedDocuments' } }
+        # validation and verification processes supported by this service.
+        # This property corresponds to the `documents_methods_supported`
+        # server metadata.
+        # 
+        # The third implementer's draft of [OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html)
+        # renamed the
+        # `id_documents_verification_methods_supported` server metadata to
+        # `documents_methods_supported`.
+        # 
+        field :supported_documents_methods, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedDocumentsMethods') }, 'form': { 'field_name': 'supportedDocumentsMethods' } }
+        # Document validation methods supported by this service. This property
+        # corresponds to the `documents\_validation\_methods\_supported` server
+        # metadata which was added by the third implementer's draft of
+        # 
+        field :supported_documents_validation_methods, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedDocumentsValidationMethods') }, 'form': { 'field_name': 'supportedDocumentsValidationMethods' } }
+        # Document verification methods supported by this service. This property
+        # corresponds to the `documents_verification_methods_supported` server
+        # metadata which was added by the third implementer's draft of
+        # [OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html)
+        # 
+        field :supported_documents_verification_methods, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedDocumentsVerificationMethods') }, 'form': { 'field_name': 'supportedDocumentsVerificationMethods' } }
+        # Electronic record types supported by this service. This property
+        # corresponds to the `electronic_records_supported` server metadata
+        # which was added by the third implementer's draft of
+        # [OpenID Connect for Identity Assurance 1.0](https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html)
+        # 
+        field :supported_electronic_records, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedElectronicRecords') }, 'form': { 'field_name': 'supportedElectronicRecords' } }
+
+        field :supported_client_registration_types, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::ClientRegistrationType)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedClientRegistrationTypes') }, 'form': { 'field_name': 'supportedClientRegistrationTypes' } }
+        # The flag indicating whether to prohibit unidentifiable clients from
+        # making token exchange requests.
+        # 
+        field :token_exchange_by_identifiable_clients_only, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tokenExchangeByIdentifiableClientsOnly') }, 'form': { 'field_name': 'tokenExchangeByIdentifiableClientsOnly' } }
+        # The flag indicating whether to prohibit public clients from making
+        # token exchange requests.
+        # 
+        field :token_exchange_by_confidential_clients_only, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tokenExchangeByConfidentialClientsOnly') }, 'form': { 'field_name': 'tokenExchangeByConfidentialClientsOnly' } }
+        # The flag indicating whether to prohibit clients that have no explicit
+        # permission from making token exchange requests.
+        # 
+        field :token_exchange_by_permitted_clients_only, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tokenExchangeByPermittedClientsOnly') }, 'form': { 'field_name': 'tokenExchangeByPermittedClientsOnly' } }
+        # The flag indicating whether to reject token exchange requests which
+        # use encrypted JWTs as input tokens.
+        # 
+        field :token_exchange_encrypted_jwt_rejected, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tokenExchangeEncryptedJwtRejected') }, 'form': { 'field_name': 'tokenExchangeEncryptedJwtRejected' } }
+        # The flag indicating whether to reject token exchange requests which
+        # use unsigned JWTs as input tokens.
+        # 
+        field :token_exchange_unsigned_jwt_rejected, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('tokenExchangeUnsignedJwtRejected') }, 'form': { 'field_name': 'tokenExchangeUnsignedJwtRejected' } }
+        # The flag indicating whether to prohibit unidentifiable clients from
+        # using the grant type "urn:ietf:params:oauth:grant-type:jwt-bearer".
+        # 
+        field :jwt_grant_by_identifiable_clients_only, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('jwtGrantByIdentifiableClientsOnly') }, 'form': { 'field_name': 'jwtGrantByIdentifiableClientsOnly' } }
+        # The flag indicating whether to reject token requests that use an
+        # encrypted JWT as an authorization grant with the grant type
+        # "urn:ietf:params:oauth:grant-type:jwt-bearer".
+        # 
+        field :jwt_grant_encrypted_jwt_rejected, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('jwtGrantEncryptedJwtRejected') }, 'form': { 'field_name': 'jwtGrantEncryptedJwtRejected' } }
+        # The flag indicating whether to reject token requests that use an
+        # unsigned JWT as an authorization grant with the grant type
+        # "urn:ietf:params:oauth:grant-type:jwt-bearer".
+        # 
+        field :jwt_grant_unsigned_jwt_rejected, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('jwtGrantUnsignedJwtRejected') }, 'form': { 'field_name': 'jwtGrantUnsignedJwtRejected' } }
+        # The flag indicating whether to block DCR (Dynamic Client Registration)
+        # requests whose "software_id" has already been used previously.
+        # 
+        field :dcr_duplicate_software_id_blocked, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('dcrDuplicateSoftwareIdBlocked') }, 'form': { 'field_name': 'dcrDuplicateSoftwareIdBlocked' } }
+        # The trust anchors that are referenced when this service resolves
+        # trust chains of relying parties.
+        # 
+        # If this property is empty, client registration fails regardless of
+        # whether its type is `automatic` or `explicit`. It means
+        # that OpenID Connect Federation 1.0 does not work.
+        # 
+        field :trust_anchors, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::TrustAnchor)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('trustAnchors') }, 'form': { 'field_name': 'trustAnchors', 'json': true } }
+        # The flag indicating whether the openid scope should be dropped from
+        # scopes list assigned to access token issued when a refresh token grant
+        # is used.
+        # 
+        field :openid_dropped_on_refresh_without_offline_access, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('openidDroppedOnRefreshWithoutOfflineAccess') }, 'form': { 'field_name': 'openidDroppedOnRefreshWithoutOfflineAccess' } }
+        # Supported document check methods. This property corresponds to the `documents_check_methods_supported`
+        # server metadata which was added by the fourth implementer's draft of OpenID Connect for Identity
+        # Assurance 1.0.
+        # 
+        field :supported_documents_check_methods, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedDocumentsCheckMethods') }, 'form': { 'field_name': 'supportedDocumentsCheckMethods' } }
+        # The flag indicating whether this service signs responses from the resource server.
+        # 
+        field :rs_response_signed, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('rsResponseSigned') }, 'form': { 'field_name': 'rsResponseSigned' } }
+        # The duration of `c_nonce`.
+        # 
+        field :cnonce_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('cnonceDuration') }, 'form': { 'field_name': 'cnonceDuration' } }
+        # Whether to require DPoP proof JWTs to include the `nonce` claim
+        # whenever they are presented.
+        # 
+        field :dpop_nonce_required, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('dpopNonceRequired') }, 'form': { 'field_name': 'dpopNonceRequired' } }
+        # Get the flag indicating whether the feature of Verifiable Credentials
+        # for this service is enabled or not.
+        # 
+        field :verifiable_credentials_enabled, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('verifiableCredentialsEnabled') }, 'form': { 'field_name': 'verifiableCredentialsEnabled' } }
+        # The URL at which the JWK Set document of the credential issuer is
+        # exposed.
+        # 
+        field :credential_jwks_uri, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('credentialJwksUri') }, 'form': { 'field_name': 'credentialJwksUri' } }
+        # The default duration of credential offers in seconds.
+        # 
+        field :credential_offer_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('credentialOfferDuration') }, 'form': { 'field_name': 'credentialOfferDuration' } }
+        # The duration of nonce values for DPoP proof JWTs in seconds.
+        # 
+        field :dpop_nonce_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('dpopNonceDuration') }, 'form': { 'field_name': 'dpopNonceDuration' } }
+        # The flag indicating whether token requests using the pre-authorized
+        # code grant flow by unidentifiable clients are allowed.
+        # 
+        field :pre_authorized_grant_anonymous_access_supported, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('preAuthorizedGrantAnonymousAccessSupported') }, 'form': { 'field_name': 'preAuthorizedGrantAnonymousAccessSupported' } }
+        # The duration of transaction ID in seconds that may be issued as a
+        # result of a credential request or a batch credential request.
+        # 
+        field :credential_transaction_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('credentialTransactionDuration') }, 'form': { 'field_name': 'credentialTransactionDuration' } }
+        # The key ID of the key for signing introspection responses.
+        # 
+        field :introspection_signature_key_id, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('introspectionSignatureKeyId') }, 'form': { 'field_name': 'introspectionSignatureKeyId' } }
+        # The key ID of the key for signing introspection responses.
+        # 
+        field :resource_signature_key_id, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('resourceSignatureKeyId') }, 'form': { 'field_name': 'resourceSignatureKeyId' } }
+        # The default length of user PINs.
+        # 
+        field :user_pin_length, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('userPinLength') }, 'form': { 'field_name': 'userPinLength' } }
+        # The supported `prompt` values.
+        # 
+        field :supported_prompt_values, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::Prompt)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('supportedPromptValues') }, 'form': { 'field_name': 'supportedPromptValues' } }
+        # The flag indicating whether to enable the feature of ID token
+        # reissuance in the refresh token flow.
+        # 
+        field :id_token_reissuable, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('idTokenReissuable') }, 'form': { 'field_name': 'idTokenReissuable' } }
+        # The JWK Set document containing private keys that are used to sign
+        # verifiable credentials.
+        # 
+        field :credential_jwks, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('credentialJwks') }, 'form': { 'field_name': 'credentialJwks' } }
+        # FAPI modes for this service.
+        # 
+        # When the value of this property is not `null`, Authlete always processes requests to this service based
+        # on the specified FAPI modes if the FAPI feature is enabled in Authlete and the FAPI profile is supported
+        # by this service.
+        # 
+        # For instance, when this property is set to an array containing `FAPI1_ADVANCED` only, Authlete always
+        # processes requests to this service based on "Financial-grade API Security Profile 1.0 - Part 2:
+        # Advanced" if the FAPI feature is enabled in Authlete and the FAPI profile is supported by this service.
+        # 
+        field :fapi_modes, Crystalline::Nilable.new(Crystalline::Array.new(Models::Components::FapiMode)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('fapiModes') }, 'form': { 'field_name': 'fapiModes' } }
+        # The default duration of verifiable credentials in seconds.
+        # 
+        field :credential_duration, Crystalline::Nilable.new(::Integer), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('credentialDuration') }, 'form': { 'field_name': 'credentialDuration' } }
+
+        field :credential_issuer_metadata, Crystalline::Nilable.new(Models::Components::CredentialIssuerMetadata), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('credentialIssuerMetadata') }, 'form': { 'field_name': 'credentialIssuerMetadata', 'json': true } }
+        # The type of the `aud` claim in ID tokens.
+        # 
+        field :id_token_aud_type, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('idTokenAudType') }, 'form': { 'field_name': 'idTokenAudType' } }
+        # Flag that enables the [OpenID Connect Native SSO for Mobile Apps 1.0](https://openid.net/specs/openid-connect-native-sso-1_0.html)
+        # specification (“Native SSO”). When this property is **not** `true`, Native SSO specific parameters are ignored or treated as errors.
+        # For example:
+        # 
+        # * The `device_sso` scope has no special meaning (Authlete does not embed the `sid` claim in ID tokens).
+        # * The `urn:openid:params:token-type:device-secret` token type is treated as unknown and results in an error.
+        # 
+        # When set to `true`, the server metadata advertises `"native_sso_supported": true`. See [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata)
+        # and [RFC 8414 §2](https://www.rfc-editor.org/rfc/rfc8414.html#section-2) for background. Native SSO is available in Authlete 3.0 and later.
+        # 
+        field :native_sso_supported, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('nativeSsoSupported') }, 'form': { 'field_name': 'nativeSsoSupported' } }
+        # Version of the [OpenID for Verifiable Credential Issuance](https://www.authlete.com/developers/oid4vci/) (OID4VCI) specification to support.
+        # 
+        # Accepted values are:
+        # 
+        # * `null` or `"1.0-ID1"` → Implementer’s Draft 1.
+        # * `"1.0"` or `"1.0-Final"` → Final 1.0 specification.
+        # 
+        # Choose the value that matches the OID4VCI behaviour your service should expose. See the OID4VCI documentation for details.
+        # 
+        field :oid4vci_version, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('oid4vciVersion') }, 'form': { 'field_name': 'oid4vciVersion' } }
+        # Flag that controls whether the CIMD metadata policy is applied to client
+        # metadata obtained through the Client ID Metadata Document (CIMD)
+        # mechanism.
+        # 
+        field :cimd_metadata_policy_enabled, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('cimdMetadataPolicyEnabled') }, 'form': { 'field_name': 'cimdMetadataPolicyEnabled' } }
+        # Indicates whether the Client ID Metadata Document (CIMD) mechanism is
+        # supported. When `true`, the service will attempt to retrieve client
+        # metadata via CIMD where applicable.
+        # 
+        field :client_id_metadata_document_supported, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('clientIdMetadataDocumentSupported') }, 'form': { 'field_name': 'clientIdMetadataDocumentSupported' } }
+        # Enables the allowlist for CIMD. When `true`, only CIMD endpoints that are
+        # on the allowlist are used.
+        # 
+        field :cimd_allowlist_enabled, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('cimdAllowlistEnabled') }, 'form': { 'field_name': 'cimdAllowlistEnabled' } }
+        # The allowlist of CIMD endpoints (hosts/URIs) that may be used when
+        # retrieving client metadata via Client ID Metadata Documents.
+        # 
+        field :cimd_allowlist, Crystalline::Nilable.new(Crystalline::Array.new(::String)), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('cimdAllowlist') }, 'form': { 'field_name': 'cimdAllowlist' } }
+        # If `true`, CIMD retrieval is always attempted for clients, regardless of
+        # other conditions.
+        # 
+        field :cimd_always_retrieved, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('cimdAlwaysRetrieved') }, 'form': { 'field_name': 'cimdAlwaysRetrieved' } }
+        # Allows CIMD retrieval over plain HTTP. When `false`, only HTTPS CIMD
+        # endpoints are allowed.
+        # 
+        field :cimd_http_permitted, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('cimdHttpPermitted') }, 'form': { 'field_name': 'cimdHttpPermitted' } }
+        # Allows the use of query parameters when retrieving CIMD metadata. When
+        # `false`, query parameters are disallowed for CIMD requests.
+        # 
+        field :cimd_query_permitted, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('cimdQueryPermitted') }, 'form': { 'field_name': 'cimdQueryPermitted' } }
+        # The metadata policy applied to client metadata obtained through the CIMD
+        # mechanism. The value must follow the metadata policy grammar defined in
+        # [OpenID Federation 1.0 §6.1 Metadata Policy](https://openid.net/specs/openid-federation-1_0.html#name-metadata-policy).
+        # 
+        field :cimd_metadata_policy, Crystalline::Nilable.new(::String), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('cimdMetadataPolicy') }, 'form': { 'field_name': 'cimdMetadataPolicy' } }
+        # When `true`, client ID aliases starting with `https://` or `http://` are
+        # prohibited.
+        # 
+        field :http_alias_prohibited, Crystalline::Nilable.new(Crystalline::Boolean.new), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('httpAliasProhibited') }, 'form': { 'field_name': 'httpAliasProhibited' } }
+        # The signature algorithm for JWT. This value is represented on 'alg' attribute
+        # of the header of JWT.
+        # 
+        # it's semantics depends upon where is this defined, for instance:
+        #   - as service accessTokenSignAlg value, it defines that access token are JWT and the algorithm used to sign it. Check your [KB article](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/jwt-based-access-token).
+        #   - as client authorizationSignAlg value, it represents the signature algorithm used when [creating a JARM response](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/enabling-jarm).
+        #   - or as client requestSignAlg value, it specifies which is the expected signature used by [client on a Request Object](https://kb.authlete.com/en/s/oauth-and-openid-connect/a/request-objects).
+        # 
+        field :access_token_sign_alg, Crystalline::Nilable.new(Models::Components::JwsAlg), { 'format_json': { 'letter_case': ::Authlete::Utils.field_name('accessTokenSignAlg'), 'decoder': Utils.enum_from_string(Models::Components::JwsAlg, true) }, 'form': { 'field_name': 'accessTokenSignAlg' } }
+
+        sig { params(service_name: T.nilable(::String), issuer: T.nilable(::String), description: T.nilable(::String), token_batch_notification_endpoint: T.nilable(::String), client_assertion_aud_restricted_to_issuer: T.nilable(T::Boolean), clients_per_developer: T.nilable(::Integer), developer_authentication_callback_endpoint: T.nilable(::String), developer_authentication_callback_api_key: T.nilable(::String), developer_authentication_callback_api_secret: T.nilable(::String), supported_snses: T.nilable(T::Array[Models::Components::SupportedSnse]), sns_credentials: T.nilable(T::Array[Models::Components::SnsCredentials]), client_id_alias_enabled: T.nilable(T::Boolean), metadata: T.nilable(T::Array[Models::Components::Pair]), authentication_callback_endpoint: T.nilable(::String), authentication_callback_api_key: T.nilable(::String), authentication_callback_api_secret: T.nilable(::String), supported_grant_types: T.nilable(T::Array[Models::Components::GrantType]), supported_response_types: T.nilable(T::Array[Models::Components::ResponseType]), supported_authorization_details_types: T.nilable(T::Array[::String]), supported_service_profiles: T.nilable(T::Array[Models::Components::ServiceProfile]), error_description_omitted: T.nilable(T::Boolean), error_uri_omitted: T.nilable(T::Boolean), authorization_endpoint: T.nilable(::String), direct_authorization_endpoint_enabled: T.nilable(T::Boolean), supported_ui_locales: T.nilable(T::Array[::String]), supported_displays: T.nilable(T::Array[Models::Components::Display]), pkce_required: T.nilable(T::Boolean), pkce_s256_required: T.nilable(T::Boolean), authorization_response_duration: T.nilable(::Integer), token_endpoint: T.nilable(::String), direct_token_endpoint_enabled: T.nilable(T::Boolean), supported_token_auth_methods: T.nilable(T::Array[Models::Components::ClientAuthMethod]), missing_client_id_allowed: T.nilable(T::Boolean), revocation_endpoint: T.nilable(::String), direct_revocation_endpoint_enabled: T.nilable(T::Boolean), supported_revocation_auth_methods: T.nilable(T::Array[Models::Components::ClientAuthMethod]), introspection_endpoint: T.nilable(::String), direct_introspection_endpoint_enabled: T.nilable(T::Boolean), supported_introspection_auth_methods: T.nilable(T::Array[Models::Components::ClientAuthMethod]), pushed_auth_req_endpoint: T.nilable(::String), pushed_auth_req_duration: T.nilable(::Integer), par_required: T.nilable(T::Boolean), request_object_required: T.nilable(T::Boolean), traditional_request_object_processing_applied: T.nilable(T::Boolean), mutual_tls_validate_pki_cert_chain: T.nilable(T::Boolean), trusted_root_certificates: T.nilable(T::Array[::String]), mtls_endpoint_aliases: T.nilable(T::Array[Models::Components::NamedUri]), access_token_type: T.nilable(::String), tls_client_certificate_bound_access_tokens: T.nilable(T::Boolean), access_token_duration: T.nilable(::Integer), single_access_token_per_subject: T.nilable(T::Boolean), access_token_signature_key_id: T.nilable(::String), refresh_token_duration: T.nilable(::Integer), refresh_token_duration_kept: T.nilable(T::Boolean), refresh_token_duration_reset: T.nilable(T::Boolean), refresh_token_kept: T.nilable(T::Boolean), supported_scopes: T.nilable(T::Array[Models::Components::Scope]), scope_required: T.nilable(T::Boolean), id_token_duration: T.nilable(::Integer), allowable_clock_skew: T.nilable(::Integer), supported_claim_types: T.nilable(T::Array[Models::Components::ClaimType]), supported_claim_locales: T.nilable(T::Array[::String]), supported_claims: T.nilable(T::Array[::String]), claim_shortcut_restrictive: T.nilable(T::Boolean), jwks_uri: T.nilable(::String), direct_jwks_endpoint_enabled: T.nilable(T::Boolean), jwks: T.nilable(::String), id_token_signature_key_id: T.nilable(::String), user_info_signature_key_id: T.nilable(::String), authorization_signature_key_id: T.nilable(::String), user_info_endpoint: T.nilable(::String), direct_user_info_endpoint_enabled: T.nilable(T::Boolean), dynamic_registration_supported: T.nilable(T::Boolean), registration_endpoint: T.nilable(::String), registration_management_endpoint: T.nilable(::String), policy_uri: T.nilable(::String), tos_uri: T.nilable(::String), service_documentation: T.nilable(::String), backchannel_authentication_endpoint: T.nilable(::String), supported_backchannel_token_delivery_modes: T.nilable(T::Array[Models::Components::DeliveryMode]), backchannel_auth_req_id_duration: T.nilable(::Integer), backchannel_polling_interval: T.nilable(::Integer), backchannel_user_code_parameter_supported: T.nilable(T::Boolean), backchannel_binding_message_required_in_fapi: T.nilable(T::Boolean), device_authorization_endpoint: T.nilable(::String), device_verification_uri: T.nilable(::String), device_verification_uri_complete: T.nilable(::String), device_flow_code_duration: T.nilable(::Integer), device_flow_polling_interval: T.nilable(::Integer), user_code_charset: T.nilable(Models::Components::UserCodeCharset), user_code_length: T.nilable(::Integer), supported_trust_frameworks: T.nilable(T::Array[::String]), supported_evidence: T.nilable(T::Array[::String]), supported_identity_documents: T.nilable(T::Array[::String]), supported_verification_methods: T.nilable(T::Array[::String]), supported_verified_claims: T.nilable(T::Array[::String]), verified_claims_validation_schema_set: T.nilable(Models::Components::VerifiedClaimsValidationSchema), attributes: T.nilable(T::Array[Models::Components::Pair]), nbf_optional: T.nilable(T::Boolean), iss_suppressed: T.nilable(T::Boolean), supported_custom_client_metadata: T.nilable(T::Array[::String]), token_expiration_linked: T.nilable(T::Boolean), front_channel_request_object_encryption_required: T.nilable(T::Boolean), request_object_encryption_alg_match_required: T.nilable(T::Boolean), request_object_encryption_enc_match_required: T.nilable(T::Boolean), hsm_enabled: T.nilable(T::Boolean), hsks: T.nilable(T::Array[Models::Components::Hsk]), grant_management_endpoint: T.nilable(::String), grant_management_action_required: T.nilable(T::Boolean), unauthorized_on_client_config_supported: T.nilable(T::Boolean), dcr_scope_used_as_requestable: T.nilable(T::Boolean), end_session_endpoint: T.nilable(::String), loopback_redirection_uri_variable: T.nilable(T::Boolean), request_object_audience_checked: T.nilable(T::Boolean), access_token_for_external_attachment_embedded: T.nilable(T::Boolean), authority_hints: T.nilable(T::Array[::String]), federation_enabled: T.nilable(T::Boolean), federation_jwks: T.nilable(::String), federation_signature_key_id: T.nilable(::String), federation_configuration_duration: T.nilable(::Integer), federation_registration_endpoint: T.nilable(::String), organization_name: T.nilable(::String), predefined_transformed_claims: T.nilable(::String), refresh_token_idempotent: T.nilable(T::Boolean), signed_jwks_uri: T.nilable(::String), supported_attachments: T.nilable(T::Array[Models::Components::AttachmentType]), supported_digest_algorithms: T.nilable(T::Array[::String]), supported_documents: T.nilable(T::Array[::String]), supported_documents_methods: T.nilable(T::Array[::String]), supported_documents_validation_methods: T.nilable(T::Array[::String]), supported_documents_verification_methods: T.nilable(T::Array[::String]), supported_electronic_records: T.nilable(T::Array[::String]), supported_client_registration_types: T.nilable(T::Array[Models::Components::ClientRegistrationType]), token_exchange_by_identifiable_clients_only: T.nilable(T::Boolean), token_exchange_by_confidential_clients_only: T.nilable(T::Boolean), token_exchange_by_permitted_clients_only: T.nilable(T::Boolean), token_exchange_encrypted_jwt_rejected: T.nilable(T::Boolean), token_exchange_unsigned_jwt_rejected: T.nilable(T::Boolean), jwt_grant_by_identifiable_clients_only: T.nilable(T::Boolean), jwt_grant_encrypted_jwt_rejected: T.nilable(T::Boolean), jwt_grant_unsigned_jwt_rejected: T.nilable(T::Boolean), dcr_duplicate_software_id_blocked: T.nilable(T::Boolean), trust_anchors: T.nilable(T::Array[Models::Components::TrustAnchor]), openid_dropped_on_refresh_without_offline_access: T.nilable(T::Boolean), supported_documents_check_methods: T.nilable(T::Array[::String]), rs_response_signed: T.nilable(T::Boolean), cnonce_duration: T.nilable(::Integer), dpop_nonce_required: T.nilable(T::Boolean), verifiable_credentials_enabled: T.nilable(T::Boolean), credential_jwks_uri: T.nilable(::String), credential_offer_duration: T.nilable(::Integer), dpop_nonce_duration: T.nilable(::Integer), pre_authorized_grant_anonymous_access_supported: T.nilable(T::Boolean), credential_transaction_duration: T.nilable(::Integer), introspection_signature_key_id: T.nilable(::String), resource_signature_key_id: T.nilable(::String), user_pin_length: T.nilable(::Integer), supported_prompt_values: T.nilable(T::Array[Models::Components::Prompt]), id_token_reissuable: T.nilable(T::Boolean), credential_jwks: T.nilable(::String), fapi_modes: T.nilable(T::Array[Models::Components::FapiMode]), credential_duration: T.nilable(::Integer), credential_issuer_metadata: T.nilable(Models::Components::CredentialIssuerMetadata), id_token_aud_type: T.nilable(::String), native_sso_supported: T.nilable(T::Boolean), oid4vci_version: T.nilable(::String), cimd_metadata_policy_enabled: T.nilable(T::Boolean), client_id_metadata_document_supported: T.nilable(T::Boolean), cimd_allowlist_enabled: T.nilable(T::Boolean), cimd_allowlist: T.nilable(T::Array[::String]), cimd_always_retrieved: T.nilable(T::Boolean), cimd_http_permitted: T.nilable(T::Boolean), cimd_query_permitted: T.nilable(T::Boolean), cimd_metadata_policy: T.nilable(::String), http_alias_prohibited: T.nilable(T::Boolean), access_token_sign_alg: T.nilable(Models::Components::JwsAlg)).void }
+        def initialize(service_name: nil, issuer: nil, description: nil, token_batch_notification_endpoint: nil, client_assertion_aud_restricted_to_issuer: nil, clients_per_developer: nil, developer_authentication_callback_endpoint: nil, developer_authentication_callback_api_key: nil, developer_authentication_callback_api_secret: nil, supported_snses: nil, sns_credentials: nil, client_id_alias_enabled: nil, metadata: nil, authentication_callback_endpoint: nil, authentication_callback_api_key: nil, authentication_callback_api_secret: nil, supported_grant_types: nil, supported_response_types: nil, supported_authorization_details_types: nil, supported_service_profiles: nil, error_description_omitted: nil, error_uri_omitted: nil, authorization_endpoint: nil, direct_authorization_endpoint_enabled: nil, supported_ui_locales: nil, supported_displays: nil, pkce_required: nil, pkce_s256_required: nil, authorization_response_duration: nil, token_endpoint: nil, direct_token_endpoint_enabled: nil, supported_token_auth_methods: nil, missing_client_id_allowed: nil, revocation_endpoint: nil, direct_revocation_endpoint_enabled: nil, supported_revocation_auth_methods: nil, introspection_endpoint: nil, direct_introspection_endpoint_enabled: nil, supported_introspection_auth_methods: nil, pushed_auth_req_endpoint: nil, pushed_auth_req_duration: nil, par_required: nil, request_object_required: nil, traditional_request_object_processing_applied: nil, mutual_tls_validate_pki_cert_chain: nil, trusted_root_certificates: nil, mtls_endpoint_aliases: nil, access_token_type: nil, tls_client_certificate_bound_access_tokens: nil, access_token_duration: nil, single_access_token_per_subject: nil, access_token_signature_key_id: nil, refresh_token_duration: nil, refresh_token_duration_kept: nil, refresh_token_duration_reset: nil, refresh_token_kept: nil, supported_scopes: nil, scope_required: nil, id_token_duration: nil, allowable_clock_skew: nil, supported_claim_types: nil, supported_claim_locales: nil, supported_claims: nil, claim_shortcut_restrictive: nil, jwks_uri: nil, direct_jwks_endpoint_enabled: nil, jwks: nil, id_token_signature_key_id: nil, user_info_signature_key_id: nil, authorization_signature_key_id: nil, user_info_endpoint: nil, direct_user_info_endpoint_enabled: nil, dynamic_registration_supported: nil, registration_endpoint: nil, registration_management_endpoint: nil, policy_uri: nil, tos_uri: nil, service_documentation: nil, backchannel_authentication_endpoint: nil, supported_backchannel_token_delivery_modes: nil, backchannel_auth_req_id_duration: nil, backchannel_polling_interval: nil, backchannel_user_code_parameter_supported: nil, backchannel_binding_message_required_in_fapi: nil, device_authorization_endpoint: nil, device_verification_uri: nil, device_verification_uri_complete: nil, device_flow_code_duration: nil, device_flow_polling_interval: nil, user_code_charset: nil, user_code_length: nil, supported_trust_frameworks: nil, supported_evidence: nil, supported_identity_documents: nil, supported_verification_methods: nil, supported_verified_claims: nil, verified_claims_validation_schema_set: nil, attributes: nil, nbf_optional: nil, iss_suppressed: nil, supported_custom_client_metadata: nil, token_expiration_linked: nil, front_channel_request_object_encryption_required: nil, request_object_encryption_alg_match_required: nil, request_object_encryption_enc_match_required: nil, hsm_enabled: nil, hsks: nil, grant_management_endpoint: nil, grant_management_action_required: nil, unauthorized_on_client_config_supported: nil, dcr_scope_used_as_requestable: nil, end_session_endpoint: nil, loopback_redirection_uri_variable: nil, request_object_audience_checked: nil, access_token_for_external_attachment_embedded: nil, authority_hints: nil, federation_enabled: nil, federation_jwks: nil, federation_signature_key_id: nil, federation_configuration_duration: nil, federation_registration_endpoint: nil, organization_name: nil, predefined_transformed_claims: nil, refresh_token_idempotent: nil, signed_jwks_uri: nil, supported_attachments: nil, supported_digest_algorithms: nil, supported_documents: nil, supported_documents_methods: nil, supported_documents_validation_methods: nil, supported_documents_verification_methods: nil, supported_electronic_records: nil, supported_client_registration_types: nil, token_exchange_by_identifiable_clients_only: nil, token_exchange_by_confidential_clients_only: nil, token_exchange_by_permitted_clients_only: nil, token_exchange_encrypted_jwt_rejected: nil, token_exchange_unsigned_jwt_rejected: nil, jwt_grant_by_identifiable_clients_only: nil, jwt_grant_encrypted_jwt_rejected: nil, jwt_grant_unsigned_jwt_rejected: nil, dcr_duplicate_software_id_blocked: nil, trust_anchors: nil, openid_dropped_on_refresh_without_offline_access: nil, supported_documents_check_methods: nil, rs_response_signed: nil, cnonce_duration: nil, dpop_nonce_required: nil, verifiable_credentials_enabled: nil, credential_jwks_uri: nil, credential_offer_duration: nil, dpop_nonce_duration: nil, pre_authorized_grant_anonymous_access_supported: nil, credential_transaction_duration: nil, introspection_signature_key_id: nil, resource_signature_key_id: nil, user_pin_length: nil, supported_prompt_values: nil, id_token_reissuable: nil, credential_jwks: nil, fapi_modes: nil, credential_duration: nil, credential_issuer_metadata: nil, id_token_aud_type: nil, native_sso_supported: nil, oid4vci_version: nil, cimd_metadata_policy_enabled: nil, client_id_metadata_document_supported: nil, cimd_allowlist_enabled: nil, cimd_allowlist: nil, cimd_always_retrieved: nil, cimd_http_permitted: nil, cimd_query_permitted: nil, cimd_metadata_policy: nil, http_alias_prohibited: nil, access_token_sign_alg: nil)
+          @service_name = service_name
+          @issuer = issuer
+          @description = description
+          @token_batch_notification_endpoint = token_batch_notification_endpoint
+          @client_assertion_aud_restricted_to_issuer = client_assertion_aud_restricted_to_issuer
+          @clients_per_developer = clients_per_developer
+          @developer_authentication_callback_endpoint = developer_authentication_callback_endpoint
+          @developer_authentication_callback_api_key = developer_authentication_callback_api_key
+          @developer_authentication_callback_api_secret = developer_authentication_callback_api_secret
+          @supported_snses = supported_snses
+          @sns_credentials = sns_credentials
+          @client_id_alias_enabled = client_id_alias_enabled
+          @metadata = metadata
+          @authentication_callback_endpoint = authentication_callback_endpoint
+          @authentication_callback_api_key = authentication_callback_api_key
+          @authentication_callback_api_secret = authentication_callback_api_secret
+          @supported_grant_types = supported_grant_types
+          @supported_response_types = supported_response_types
+          @supported_authorization_details_types = supported_authorization_details_types
+          @supported_service_profiles = supported_service_profiles
+          @error_description_omitted = error_description_omitted
+          @error_uri_omitted = error_uri_omitted
+          @authorization_endpoint = authorization_endpoint
+          @direct_authorization_endpoint_enabled = direct_authorization_endpoint_enabled
+          @supported_ui_locales = supported_ui_locales
+          @supported_displays = supported_displays
+          @pkce_required = pkce_required
+          @pkce_s256_required = pkce_s256_required
+          @authorization_response_duration = authorization_response_duration
+          @token_endpoint = token_endpoint
+          @direct_token_endpoint_enabled = direct_token_endpoint_enabled
+          @supported_token_auth_methods = supported_token_auth_methods
+          @missing_client_id_allowed = missing_client_id_allowed
+          @revocation_endpoint = revocation_endpoint
+          @direct_revocation_endpoint_enabled = direct_revocation_endpoint_enabled
+          @supported_revocation_auth_methods = supported_revocation_auth_methods
+          @introspection_endpoint = introspection_endpoint
+          @direct_introspection_endpoint_enabled = direct_introspection_endpoint_enabled
+          @supported_introspection_auth_methods = supported_introspection_auth_methods
+          @pushed_auth_req_endpoint = pushed_auth_req_endpoint
+          @pushed_auth_req_duration = pushed_auth_req_duration
+          @par_required = par_required
+          @request_object_required = request_object_required
+          @traditional_request_object_processing_applied = traditional_request_object_processing_applied
+          @mutual_tls_validate_pki_cert_chain = mutual_tls_validate_pki_cert_chain
+          @trusted_root_certificates = trusted_root_certificates
+          @mtls_endpoint_aliases = mtls_endpoint_aliases
+          @access_token_type = access_token_type
+          @tls_client_certificate_bound_access_tokens = tls_client_certificate_bound_access_tokens
+          @access_token_duration = access_token_duration
+          @single_access_token_per_subject = single_access_token_per_subject
+          @access_token_signature_key_id = access_token_signature_key_id
+          @refresh_token_duration = refresh_token_duration
+          @refresh_token_duration_kept = refresh_token_duration_kept
+          @refresh_token_duration_reset = refresh_token_duration_reset
+          @refresh_token_kept = refresh_token_kept
+          @supported_scopes = supported_scopes
+          @scope_required = scope_required
+          @id_token_duration = id_token_duration
+          @allowable_clock_skew = allowable_clock_skew
+          @supported_claim_types = supported_claim_types
+          @supported_claim_locales = supported_claim_locales
+          @supported_claims = supported_claims
+          @claim_shortcut_restrictive = claim_shortcut_restrictive
+          @jwks_uri = jwks_uri
+          @direct_jwks_endpoint_enabled = direct_jwks_endpoint_enabled
+          @jwks = jwks
+          @id_token_signature_key_id = id_token_signature_key_id
+          @user_info_signature_key_id = user_info_signature_key_id
+          @authorization_signature_key_id = authorization_signature_key_id
+          @user_info_endpoint = user_info_endpoint
+          @direct_user_info_endpoint_enabled = direct_user_info_endpoint_enabled
+          @dynamic_registration_supported = dynamic_registration_supported
+          @registration_endpoint = registration_endpoint
+          @registration_management_endpoint = registration_management_endpoint
+          @policy_uri = policy_uri
+          @tos_uri = tos_uri
+          @service_documentation = service_documentation
+          @backchannel_authentication_endpoint = backchannel_authentication_endpoint
+          @supported_backchannel_token_delivery_modes = supported_backchannel_token_delivery_modes
+          @backchannel_auth_req_id_duration = backchannel_auth_req_id_duration
+          @backchannel_polling_interval = backchannel_polling_interval
+          @backchannel_user_code_parameter_supported = backchannel_user_code_parameter_supported
+          @backchannel_binding_message_required_in_fapi = backchannel_binding_message_required_in_fapi
+          @device_authorization_endpoint = device_authorization_endpoint
+          @device_verification_uri = device_verification_uri
+          @device_verification_uri_complete = device_verification_uri_complete
+          @device_flow_code_duration = device_flow_code_duration
+          @device_flow_polling_interval = device_flow_polling_interval
+          @user_code_charset = user_code_charset
+          @user_code_length = user_code_length
+          @supported_trust_frameworks = supported_trust_frameworks
+          @supported_evidence = supported_evidence
+          @supported_identity_documents = supported_identity_documents
+          @supported_verification_methods = supported_verification_methods
+          @supported_verified_claims = supported_verified_claims
+          @verified_claims_validation_schema_set = verified_claims_validation_schema_set
+          @attributes = attributes
+          @nbf_optional = nbf_optional
+          @iss_suppressed = iss_suppressed
+          @supported_custom_client_metadata = supported_custom_client_metadata
+          @token_expiration_linked = token_expiration_linked
+          @front_channel_request_object_encryption_required = front_channel_request_object_encryption_required
+          @request_object_encryption_alg_match_required = request_object_encryption_alg_match_required
+          @request_object_encryption_enc_match_required = request_object_encryption_enc_match_required
+          @hsm_enabled = hsm_enabled
+          @hsks = hsks
+          @grant_management_endpoint = grant_management_endpoint
+          @grant_management_action_required = grant_management_action_required
+          @unauthorized_on_client_config_supported = unauthorized_on_client_config_supported
+          @dcr_scope_used_as_requestable = dcr_scope_used_as_requestable
+          @end_session_endpoint = end_session_endpoint
+          @loopback_redirection_uri_variable = loopback_redirection_uri_variable
+          @request_object_audience_checked = request_object_audience_checked
+          @access_token_for_external_attachment_embedded = access_token_for_external_attachment_embedded
+          @authority_hints = authority_hints
+          @federation_enabled = federation_enabled
+          @federation_jwks = federation_jwks
+          @federation_signature_key_id = federation_signature_key_id
+          @federation_configuration_duration = federation_configuration_duration
+          @federation_registration_endpoint = federation_registration_endpoint
+          @organization_name = organization_name
+          @predefined_transformed_claims = predefined_transformed_claims
+          @refresh_token_idempotent = refresh_token_idempotent
+          @signed_jwks_uri = signed_jwks_uri
+          @supported_attachments = supported_attachments
+          @supported_digest_algorithms = supported_digest_algorithms
+          @supported_documents = supported_documents
+          @supported_documents_methods = supported_documents_methods
+          @supported_documents_validation_methods = supported_documents_validation_methods
+          @supported_documents_verification_methods = supported_documents_verification_methods
+          @supported_electronic_records = supported_electronic_records
+          @supported_client_registration_types = supported_client_registration_types
+          @token_exchange_by_identifiable_clients_only = token_exchange_by_identifiable_clients_only
+          @token_exchange_by_confidential_clients_only = token_exchange_by_confidential_clients_only
+          @token_exchange_by_permitted_clients_only = token_exchange_by_permitted_clients_only
+          @token_exchange_encrypted_jwt_rejected = token_exchange_encrypted_jwt_rejected
+          @token_exchange_unsigned_jwt_rejected = token_exchange_unsigned_jwt_rejected
+          @jwt_grant_by_identifiable_clients_only = jwt_grant_by_identifiable_clients_only
+          @jwt_grant_encrypted_jwt_rejected = jwt_grant_encrypted_jwt_rejected
+          @jwt_grant_unsigned_jwt_rejected = jwt_grant_unsigned_jwt_rejected
+          @dcr_duplicate_software_id_blocked = dcr_duplicate_software_id_blocked
+          @trust_anchors = trust_anchors
+          @openid_dropped_on_refresh_without_offline_access = openid_dropped_on_refresh_without_offline_access
+          @supported_documents_check_methods = supported_documents_check_methods
+          @rs_response_signed = rs_response_signed
+          @cnonce_duration = cnonce_duration
+          @dpop_nonce_required = dpop_nonce_required
+          @verifiable_credentials_enabled = verifiable_credentials_enabled
+          @credential_jwks_uri = credential_jwks_uri
+          @credential_offer_duration = credential_offer_duration
+          @dpop_nonce_duration = dpop_nonce_duration
+          @pre_authorized_grant_anonymous_access_supported = pre_authorized_grant_anonymous_access_supported
+          @credential_transaction_duration = credential_transaction_duration
+          @introspection_signature_key_id = introspection_signature_key_id
+          @resource_signature_key_id = resource_signature_key_id
+          @user_pin_length = user_pin_length
+          @supported_prompt_values = supported_prompt_values
+          @id_token_reissuable = id_token_reissuable
+          @credential_jwks = credential_jwks
+          @fapi_modes = fapi_modes
+          @credential_duration = credential_duration
+          @credential_issuer_metadata = credential_issuer_metadata
+          @id_token_aud_type = id_token_aud_type
+          @native_sso_supported = native_sso_supported
+          @oid4vci_version = oid4vci_version
+          @cimd_metadata_policy_enabled = cimd_metadata_policy_enabled
+          @client_id_metadata_document_supported = client_id_metadata_document_supported
+          @cimd_allowlist_enabled = cimd_allowlist_enabled
+          @cimd_allowlist = cimd_allowlist
+          @cimd_always_retrieved = cimd_always_retrieved
+          @cimd_http_permitted = cimd_http_permitted
+          @cimd_query_permitted = cimd_query_permitted
+          @cimd_metadata_policy = cimd_metadata_policy
+          @http_alias_prohibited = http_alias_prohibited
+          @access_token_sign_alg = access_token_sign_alg
+        end
+
+        sig { params(other: T.untyped).returns(T::Boolean) }
+        def ==(other)
+          return false unless other.is_a? self.class
+          return false unless @service_name == other.service_name
+          return false unless @issuer == other.issuer
+          return false unless @description == other.description
+          return false unless @token_batch_notification_endpoint == other.token_batch_notification_endpoint
+          return false unless @client_assertion_aud_restricted_to_issuer == other.client_assertion_aud_restricted_to_issuer
+          return false unless @clients_per_developer == other.clients_per_developer
+          return false unless @developer_authentication_callback_endpoint == other.developer_authentication_callback_endpoint
+          return false unless @developer_authentication_callback_api_key == other.developer_authentication_callback_api_key
+          return false unless @developer_authentication_callback_api_secret == other.developer_authentication_callback_api_secret
+          return false unless @supported_snses == other.supported_snses
+          return false unless @sns_credentials == other.sns_credentials
+          return false unless @client_id_alias_enabled == other.client_id_alias_enabled
+          return false unless @metadata == other.metadata
+          return false unless @authentication_callback_endpoint == other.authentication_callback_endpoint
+          return false unless @authentication_callback_api_key == other.authentication_callback_api_key
+          return false unless @authentication_callback_api_secret == other.authentication_callback_api_secret
+          return false unless @supported_grant_types == other.supported_grant_types
+          return false unless @supported_response_types == other.supported_response_types
+          return false unless @supported_authorization_details_types == other.supported_authorization_details_types
+          return false unless @supported_service_profiles == other.supported_service_profiles
+          return false unless @error_description_omitted == other.error_description_omitted
+          return false unless @error_uri_omitted == other.error_uri_omitted
+          return false unless @authorization_endpoint == other.authorization_endpoint
+          return false unless @direct_authorization_endpoint_enabled == other.direct_authorization_endpoint_enabled
+          return false unless @supported_ui_locales == other.supported_ui_locales
+          return false unless @supported_displays == other.supported_displays
+          return false unless @pkce_required == other.pkce_required
+          return false unless @pkce_s256_required == other.pkce_s256_required
+          return false unless @authorization_response_duration == other.authorization_response_duration
+          return false unless @token_endpoint == other.token_endpoint
+          return false unless @direct_token_endpoint_enabled == other.direct_token_endpoint_enabled
+          return false unless @supported_token_auth_methods == other.supported_token_auth_methods
+          return false unless @missing_client_id_allowed == other.missing_client_id_allowed
+          return false unless @revocation_endpoint == other.revocation_endpoint
+          return false unless @direct_revocation_endpoint_enabled == other.direct_revocation_endpoint_enabled
+          return false unless @supported_revocation_auth_methods == other.supported_revocation_auth_methods
+          return false unless @introspection_endpoint == other.introspection_endpoint
+          return false unless @direct_introspection_endpoint_enabled == other.direct_introspection_endpoint_enabled
+          return false unless @supported_introspection_auth_methods == other.supported_introspection_auth_methods
+          return false unless @pushed_auth_req_endpoint == other.pushed_auth_req_endpoint
+          return false unless @pushed_auth_req_duration == other.pushed_auth_req_duration
+          return false unless @par_required == other.par_required
+          return false unless @request_object_required == other.request_object_required
+          return false unless @traditional_request_object_processing_applied == other.traditional_request_object_processing_applied
+          return false unless @mutual_tls_validate_pki_cert_chain == other.mutual_tls_validate_pki_cert_chain
+          return false unless @trusted_root_certificates == other.trusted_root_certificates
+          return false unless @mtls_endpoint_aliases == other.mtls_endpoint_aliases
+          return false unless @access_token_type == other.access_token_type
+          return false unless @tls_client_certificate_bound_access_tokens == other.tls_client_certificate_bound_access_tokens
+          return false unless @access_token_duration == other.access_token_duration
+          return false unless @single_access_token_per_subject == other.single_access_token_per_subject
+          return false unless @access_token_signature_key_id == other.access_token_signature_key_id
+          return false unless @refresh_token_duration == other.refresh_token_duration
+          return false unless @refresh_token_duration_kept == other.refresh_token_duration_kept
+          return false unless @refresh_token_duration_reset == other.refresh_token_duration_reset
+          return false unless @refresh_token_kept == other.refresh_token_kept
+          return false unless @supported_scopes == other.supported_scopes
+          return false unless @scope_required == other.scope_required
+          return false unless @id_token_duration == other.id_token_duration
+          return false unless @allowable_clock_skew == other.allowable_clock_skew
+          return false unless @supported_claim_types == other.supported_claim_types
+          return false unless @supported_claim_locales == other.supported_claim_locales
+          return false unless @supported_claims == other.supported_claims
+          return false unless @claim_shortcut_restrictive == other.claim_shortcut_restrictive
+          return false unless @jwks_uri == other.jwks_uri
+          return false unless @direct_jwks_endpoint_enabled == other.direct_jwks_endpoint_enabled
+          return false unless @jwks == other.jwks
+          return false unless @id_token_signature_key_id == other.id_token_signature_key_id
+          return false unless @user_info_signature_key_id == other.user_info_signature_key_id
+          return false unless @authorization_signature_key_id == other.authorization_signature_key_id
+          return false unless @user_info_endpoint == other.user_info_endpoint
+          return false unless @direct_user_info_endpoint_enabled == other.direct_user_info_endpoint_enabled
+          return false unless @dynamic_registration_supported == other.dynamic_registration_supported
+          return false unless @registration_endpoint == other.registration_endpoint
+          return false unless @registration_management_endpoint == other.registration_management_endpoint
+          return false unless @policy_uri == other.policy_uri
+          return false unless @tos_uri == other.tos_uri
+          return false unless @service_documentation == other.service_documentation
+          return false unless @backchannel_authentication_endpoint == other.backchannel_authentication_endpoint
+          return false unless @supported_backchannel_token_delivery_modes == other.supported_backchannel_token_delivery_modes
+          return false unless @backchannel_auth_req_id_duration == other.backchannel_auth_req_id_duration
+          return false unless @backchannel_polling_interval == other.backchannel_polling_interval
+          return false unless @backchannel_user_code_parameter_supported == other.backchannel_user_code_parameter_supported
+          return false unless @backchannel_binding_message_required_in_fapi == other.backchannel_binding_message_required_in_fapi
+          return false unless @device_authorization_endpoint == other.device_authorization_endpoint
+          return false unless @device_verification_uri == other.device_verification_uri
+          return false unless @device_verification_uri_complete == other.device_verification_uri_complete
+          return false unless @device_flow_code_duration == other.device_flow_code_duration
+          return false unless @device_flow_polling_interval == other.device_flow_polling_interval
+          return false unless @user_code_charset == other.user_code_charset
+          return false unless @user_code_length == other.user_code_length
+          return false unless @supported_trust_frameworks == other.supported_trust_frameworks
+          return false unless @supported_evidence == other.supported_evidence
+          return false unless @supported_identity_documents == other.supported_identity_documents
+          return false unless @supported_verification_methods == other.supported_verification_methods
+          return false unless @supported_verified_claims == other.supported_verified_claims
+          return false unless @verified_claims_validation_schema_set == other.verified_claims_validation_schema_set
+          return false unless @attributes == other.attributes
+          return false unless @nbf_optional == other.nbf_optional
+          return false unless @iss_suppressed == other.iss_suppressed
+          return false unless @supported_custom_client_metadata == other.supported_custom_client_metadata
+          return false unless @token_expiration_linked == other.token_expiration_linked
+          return false unless @front_channel_request_object_encryption_required == other.front_channel_request_object_encryption_required
+          return false unless @request_object_encryption_alg_match_required == other.request_object_encryption_alg_match_required
+          return false unless @request_object_encryption_enc_match_required == other.request_object_encryption_enc_match_required
+          return false unless @hsm_enabled == other.hsm_enabled
+          return false unless @hsks == other.hsks
+          return false unless @grant_management_endpoint == other.grant_management_endpoint
+          return false unless @grant_management_action_required == other.grant_management_action_required
+          return false unless @unauthorized_on_client_config_supported == other.unauthorized_on_client_config_supported
+          return false unless @dcr_scope_used_as_requestable == other.dcr_scope_used_as_requestable
+          return false unless @end_session_endpoint == other.end_session_endpoint
+          return false unless @loopback_redirection_uri_variable == other.loopback_redirection_uri_variable
+          return false unless @request_object_audience_checked == other.request_object_audience_checked
+          return false unless @access_token_for_external_attachment_embedded == other.access_token_for_external_attachment_embedded
+          return false unless @authority_hints == other.authority_hints
+          return false unless @federation_enabled == other.federation_enabled
+          return false unless @federation_jwks == other.federation_jwks
+          return false unless @federation_signature_key_id == other.federation_signature_key_id
+          return false unless @federation_configuration_duration == other.federation_configuration_duration
+          return false unless @federation_registration_endpoint == other.federation_registration_endpoint
+          return false unless @organization_name == other.organization_name
+          return false unless @predefined_transformed_claims == other.predefined_transformed_claims
+          return false unless @refresh_token_idempotent == other.refresh_token_idempotent
+          return false unless @signed_jwks_uri == other.signed_jwks_uri
+          return false unless @supported_attachments == other.supported_attachments
+          return false unless @supported_digest_algorithms == other.supported_digest_algorithms
+          return false unless @supported_documents == other.supported_documents
+          return false unless @supported_documents_methods == other.supported_documents_methods
+          return false unless @supported_documents_validation_methods == other.supported_documents_validation_methods
+          return false unless @supported_documents_verification_methods == other.supported_documents_verification_methods
+          return false unless @supported_electronic_records == other.supported_electronic_records
+          return false unless @supported_client_registration_types == other.supported_client_registration_types
+          return false unless @token_exchange_by_identifiable_clients_only == other.token_exchange_by_identifiable_clients_only
+          return false unless @token_exchange_by_confidential_clients_only == other.token_exchange_by_confidential_clients_only
+          return false unless @token_exchange_by_permitted_clients_only == other.token_exchange_by_permitted_clients_only
+          return false unless @token_exchange_encrypted_jwt_rejected == other.token_exchange_encrypted_jwt_rejected
+          return false unless @token_exchange_unsigned_jwt_rejected == other.token_exchange_unsigned_jwt_rejected
+          return false unless @jwt_grant_by_identifiable_clients_only == other.jwt_grant_by_identifiable_clients_only
+          return false unless @jwt_grant_encrypted_jwt_rejected == other.jwt_grant_encrypted_jwt_rejected
+          return false unless @jwt_grant_unsigned_jwt_rejected == other.jwt_grant_unsigned_jwt_rejected
+          return false unless @dcr_duplicate_software_id_blocked == other.dcr_duplicate_software_id_blocked
+          return false unless @trust_anchors == other.trust_anchors
+          return false unless @openid_dropped_on_refresh_without_offline_access == other.openid_dropped_on_refresh_without_offline_access
+          return false unless @supported_documents_check_methods == other.supported_documents_check_methods
+          return false unless @rs_response_signed == other.rs_response_signed
+          return false unless @cnonce_duration == other.cnonce_duration
+          return false unless @dpop_nonce_required == other.dpop_nonce_required
+          return false unless @verifiable_credentials_enabled == other.verifiable_credentials_enabled
+          return false unless @credential_jwks_uri == other.credential_jwks_uri
+          return false unless @credential_offer_duration == other.credential_offer_duration
+          return false unless @dpop_nonce_duration == other.dpop_nonce_duration
+          return false unless @pre_authorized_grant_anonymous_access_supported == other.pre_authorized_grant_anonymous_access_supported
+          return false unless @credential_transaction_duration == other.credential_transaction_duration
+          return false unless @introspection_signature_key_id == other.introspection_signature_key_id
+          return false unless @resource_signature_key_id == other.resource_signature_key_id
+          return false unless @user_pin_length == other.user_pin_length
+          return false unless @supported_prompt_values == other.supported_prompt_values
+          return false unless @id_token_reissuable == other.id_token_reissuable
+          return false unless @credential_jwks == other.credential_jwks
+          return false unless @fapi_modes == other.fapi_modes
+          return false unless @credential_duration == other.credential_duration
+          return false unless @credential_issuer_metadata == other.credential_issuer_metadata
+          return false unless @id_token_aud_type == other.id_token_aud_type
+          return false unless @native_sso_supported == other.native_sso_supported
+          return false unless @oid4vci_version == other.oid4vci_version
+          return false unless @cimd_metadata_policy_enabled == other.cimd_metadata_policy_enabled
+          return false unless @client_id_metadata_document_supported == other.client_id_metadata_document_supported
+          return false unless @cimd_allowlist_enabled == other.cimd_allowlist_enabled
+          return false unless @cimd_allowlist == other.cimd_allowlist
+          return false unless @cimd_always_retrieved == other.cimd_always_retrieved
+          return false unless @cimd_http_permitted == other.cimd_http_permitted
+          return false unless @cimd_query_permitted == other.cimd_query_permitted
+          return false unless @cimd_metadata_policy == other.cimd_metadata_policy
+          return false unless @http_alias_prohibited == other.http_alias_prohibited
+          return false unless @access_token_sign_alg == other.access_token_sign_alg
+          true
+        end
+      end
+    end
+  end
+end