AuthServer
Client ID Metadata Documents
Use CIMD when a public client should identify itself with a stable HTTPS metadata document.
CIMD is the portable-client path in SqlOS.
Instead of creating a local client first, the client uses a stable HTTPS client_id. SqlOS fetches that URL, validates the JSON, and caches the metadata in the existing client store.
Use CIMD when:
Do not start here if you are just wiring your own first-party web app. Seed a client first and keep the first version simple.
CIMD is enabled by default, but the helper below makes the intent obvious and also turns on resource indicators for portable-client flows:
builder.AddSqlOS<AppDbContext>(options =>
{
    options.AuthServer.EnablePortableMcpClients(registration =>
    {
        registration.Cimd.TrustedHosts.Add("clients.example.com");
    });
});

You can also configure it directly:
builder.AddSqlOS<AppDbContext>(options =>
{
    options.AuthServer.ClientRegistration.Cimd.Enabled = true;
    options.AuthServer.ClientRegistration.Cimd.DefaultCacheTtl = TimeSpan.FromHours(12);
});

SqlOS expects:
- client_id with a path
- client_id exactly matches the URL used
- client_name
- redirect_uris
- token_endpoint_auth_method=none in v1

SqlOS also:
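Added example, not SqlOS code: a check a client author could run on a metadata document before publishing it, covering the expectations listed under "SqlOS expects". The function name `check_cimd`, the sample URL and documents, and treating a missing field as a violation are assumptions; SqlOS's own validator may differ.

```python
import json
from urllib.parse import urlsplit

def check_cimd(fetched_url, body):
    """Return the rule violations for a metadata document served at fetched_url."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["metadata must be a JSON object"]

    errors = []
    url = urlsplit(fetched_url)
    # The client_id is a stable HTTPS URL that carries a path.
    if url.scheme != "https" or not url.hostname:
        errors.append("client_id must be an https URL")
    if url.path in ("", "/"):
        errors.append("client_id must have a path")
    # Exact string comparison: no case folding, no trailing-slash tolerance.
    if doc.get("client_id") != fetched_url:
        errors.append("client_id does not exactly match the URL used")
    name = doc.get("client_name")
    if not isinstance(name, str) or not name.strip():
        errors.append("client_name is missing")
    uris = doc.get("redirect_uris")
    if (not isinstance(uris, list) or not uris
            or not all(isinstance(u, str) and u for u in uris)):
        errors.append("redirect_uris must be a non-empty list of strings")
    # Assumption: an absent value counts as a violation, not as "none".
    if doc.get("token_endpoint_auth_method") != "none":
        errors.append("token_endpoint_auth_method must be none")
    return errors

# Constructed sample data; the URL and names are placeholders.
URL = "https://clients.example.com/apps/demo.json"
GOOD = json.dumps({"client_id": URL, "client_name": "Demo Client",
                   "redirect_uris": ["http://127.0.0.1:8765/callback"],
                   "token_endpoint_auth_method": "none"})
BAD = json.dumps({"client_id": URL + "/", "client_name": "Demo Client",
                  "redirect_uris": [],
                  "token_endpoint_auth_method": "client_secret_basic"})

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("bad", BAD)):
        print(label, check_cimd(URL, body))
```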
Use trust rules when you want more than the defaults.
builder.AddSqlOS<AppDbContext>(options =>
{
    options.AuthServer.ClientRegistration.Cimd.TrustPolicy = async (context, cancellationToken) =>
    {
        // The leading dot limits matches to subdomains of example.com:
        // "notexample.com" and the bare "example.com" both fail this check.
        if (!context.ClientIdUri.Host.EndsWith(".example.com", StringComparison.OrdinalIgnoreCase))
        {
            return SqlOSClientRegistrationPolicyDecision.Deny("Only example.com metadata hosts are allowed.");
        }
        return SqlOSClientRegistrationPolicyDecision.Allow();
    };
});

That is the right place for:
CIMD clients appear in the normal client list with source and cache details.
Operators can: