Class AuthorizedClient

java.lang.Object
com.broadleafcommerce.auth.server.domain.AuthorizedClient
All Implemented Interfaces:
Serializable

public class AuthorizedClient extends Object implements Serializable
This is used to persist a RegisteredClient which AuthenticationServices recognizes as registered with itself in its capacity as an authorization server. It is distinct from ClientRegistration, which is for scenarios where AuthenticationServices is acting as a client to other services.

AuthorizedClient entities are members of an AuthorizationServer.

Author:
Nick Crum (ncrum)
  • Constructor Details

    • AuthorizedClient

      public AuthorizedClient()
  • Method Details

    • toRegisteredClient

      public org.springframework.security.oauth2.server.authorization.client.RegisteredClient toRegisteredClient()
      Converts this AuthorizedClient into a RegisteredClient.

      In most cases, consumers should rely on AuthorizedClientService.preProcessAndConvertToRegisteredClient(AuthorizedClient) instead of calling this method directly.

      Returns:
      this AuthorizedClient converted into a RegisteredClient representation
    • grantTypeStringsToObjects

      protected Set<org.springframework.security.oauth2.core.AuthorizationGrantType> grantTypeStringsToObjects(@Nullable Set<String> grantTypes)
    • clientAuthenticationMethodStringsToObjects

      protected Set<org.springframework.security.oauth2.core.ClientAuthenticationMethod> clientAuthenticationMethodStringsToObjects(@Nullable Set<String> clientAuthenticationMethods)
    • buildClientSettings

      protected org.springframework.security.oauth2.server.authorization.settings.ClientSettings buildClientSettings()
      Builds RegisteredClient.getClientSettings() matching this client. The final instance combines separate first-class fields that can be managed via REST API calls (such as isRequireAuthorizationConsent()) on AuthorizedClient as well as system-computed values (such as isProofKeyRequired()).
      Returns:
      a client settings instance
    • isProofKeyRequired

      public boolean isProofKeyRequired()
      Determines a value for ClientSettings.isRequireProofKey().

      In the interest of stronger security defaults, Broadleaf by default requires Proof Key for Code Exchange (PKCE) for all clients that may engage in AuthorizationGrantType.AUTHORIZATION_CODE flows, regardless of whether the client is public or confidential.

      Returns:
      a value for ClientSettings.isRequireProofKey()
    • buildTokenSettings

      protected org.springframework.security.oauth2.server.authorization.settings.TokenSettings buildTokenSettings()
      Builds RegisteredClient.getTokenSettings() matching this client. The final instance combines separate first-class fields that can be managed via REST API calls (such as getTokenTimeoutSeconds()) on AuthorizedClient as well as system-computed values.
      Returns:
      a token settings instance
    • getId

      public String getId()
      The primary key of this authorized client.
      Returns:
      the primary key
    • getServerId

      public String getServerId()
      The ID of the authorization server this authorized client is part of.
      Returns:
      the authorization server ID
    • getFriendlyName

      public String getFriendlyName()
      The friendly name of this authorized client. Intended for display purposes.
      Returns:
      the friendly name
    • getClientId

      public String getClientId()
      The OAuth2 client ID for this authorized client. Usually generated as a randomized string.
      Returns:
      the client ID
    • getClientIdIssuedAt

      @Nullable public Instant getClientIdIssuedAt()
      Indicates the time at which getClientId() was issued. This is a completely optional field, and is not set by Broadleaf by default.
      Returns:
      the time at which the client identifier was issued
      See Also:
      • RegisteredClient.getClientIdIssuedAt()
    • getClientSecret

      public String getClientSecret()
      The encrypted OAuth2 client secret for this authorized client. Not serialized as part of the response object.
      Returns:
      the encrypted client secret
    • getClientSecretExpiresAt

      @Nullable public Instant getClientSecretExpiresAt()
      Indicates the time at which getClientSecret() expires. If not set, the client secret does not expire. Broadleaf does not set this value by default.
      Returns:
      the time at which getClientSecret() expires
      See Also:
      • RegisteredClient.getClientSecretExpiresAt()
    • getTokenTimeoutSeconds

      public Integer getTokenTimeoutSeconds()
      The period of time, in seconds, that an access token issued will be valid for.
      Returns:
      the timeout in seconds
    • getRefreshTokenTimeoutSeconds

      public Integer getRefreshTokenTimeoutSeconds()
      The period of time, in seconds, that a refresh token issued will be valid for. A refresh token used within this timeframe will become invalid because of rotation. In general, a refresh token should be considered usable only once.
      Returns:
      the timeout in seconds
    • getAuthCodeTimeoutSeconds

      public Integer getAuthCodeTimeoutSeconds()
      The period of time, in seconds, that an auth code issued will be valid for.
      Returns:
      the timeout in seconds
    • getResourceIds

      public Set<String> getResourceIds()
      These are values contributed to the AccessTokenClaimKeys.RegisteredClaims.AUDIENCE_CLAIM set on access tokens issued for this client.
      Returns:
      the values to contribute to AccessTokenClaimKeys.RegisteredClaims.AUDIENCE_CLAIM on tokens issued for this client
    • isAuthoritativeResourceIds

      public boolean isAuthoritativeResourceIds()
      When true, getResourceIds() are considered authoritative. In other words, the tokens issued for this client will only contain audience values from getResourceIds() and no other values. This can be useful in scenarios where a client needs to have highly specific resource restrictions.

      When false, getResourceIds() are considered additive on top of defaults inherited from other places such as AuthorizationServerProperties.OAuth2.getAdditionalAudiences(). In other words, the tokens issued for this client will contain audience values from both getResourceIds() and any other inherited value.

      Returns:
      true if getResourceIds() should be considered authoritative, false if getResourceIds() should be considered additive
    • getClientAuthenticationMethods

      public Set<String> getClientAuthenticationMethods()
      The authentication method(s) that the client may use. This should just be ClientAuthenticationMethod.getValue(). Use ClientAuthenticationMethod.NONE for public clients.

      This particularly affects how a client would provide its credentials to the '/token' endpoint.

      Returns:
      the authentication methods that the client may use
      See Also:
      • RegisteredClient.getClientAuthenticationMethods()
    • isRequireAuthorizationConsent

      public boolean isRequireAuthorizationConsent()
      Set to true if authorization consent is required when the client requests access. This applies to all interactive flows (ex: authorization_code).

      This should typically be set to false for 'first-party' clients (such as the Broadleaf admin application) - this ensures the user is not shown a consent form whenever scopes are requested.

      NOTE - at this time, Broadleaf does not have out-of-the-box (OOB) support for consent flows, so only set this to true if there is a valid available implementation of OAuth2AuthorizationConsentService that can persist/load/validate OAuth2AuthorizationConsent.

      See Also:
      • ClientSettings.isRequireAuthorizationConsent()
    • getGrantTypes

      public Set<String> getGrantTypes()
      The grant types for which this client is authorized.
      Returns:
      The grant types for which this client is authorized.
    • getRedirectUris

      public Set<String> getRedirectUris()
      The pre-defined redirect URIs for this client to use during the "authorization_code" access grant. See OAuth spec, section 4.1.1.

      Any of these values may be relative, and if so, the AuthorizedClientService will use the TenantUrlResolver to determine the base URL to resolve them against such that ultimately they are absolute. If resolution to an absolute URL fails for whatever reason, the relative URL will be omitted from the final RegisteredClient.getRedirectUris().

      These are exclusively intended to be for OAuth redirect validation, and not for validation of arbitrary redirects from various authentication operations such as login. See getPostAuthenticationSuccessRedirectUris() for more information.

      Returns:
      The pre-defined redirect URIs for this client.
    • isRelaxRedirectUrisValidation

      public boolean isRelaxRedirectUrisValidation()
      If true, getRedirectUris() will be dynamically modified/expanded at runtime (persisted state does not change) to effectively relax certain validations. If false, getRedirectUris() will be used as-is, resulting in strict comparison semantics.

      In most cases, setting this value to true is reasonable and can avoid requests being rejected for frivolous reasons such as trailing slash mismatches. However, in scenarios where getRedirectUris() must be interpreted verbatim as defined, setting to false can ensure exact match semantics apply and any variations are not allowed.

      Returns:
      whether to relax validation on getRedirectUris()
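      The difference between the two modes, as an added example that is not Broadleaf's implementation: the page names only trailing-slash mismatches as a tolerated variation, so this sketch models that one case, and every class and method name in it is hypothetical.

```java
import java.util.LinkedHashSet;
import java.util.Set;

// Added illustration, not Broadleaf code. Class and method names are hypothetical.
public class RedirectUriMatchExample {

    // Strict mode (flag false): the requested redirect_uri must equal a
    // registered value verbatim.
    static boolean matchesStrict(Set<String> registered, String requested) {
        return requested != null && registered.contains(requested);
    }

    // Relaxed mode (flag true), modelling only the trailing-slash case:
    // build an in-memory superset of the registered values. The persisted
    // set is never modified.
    static Set<String> expandTrailingSlash(Set<String> registered) {
        Set<String> expanded = new LinkedHashSet<>(registered);
        for (String uri : registered) {
            if (uri.contains("?") || uri.contains("#")) {
                continue; // a slash after a query or fragment is not a path variation
            }
            if (uri.endsWith("/") && uri.length() > 1) {
                expanded.add(uri.substring(0, uri.length() - 1));
            } else if (!uri.endsWith("/")) {
                expanded.add(uri + "/");
            }
        }
        return expanded;
    }

    // Relaxation widens the set of accepted strings; the comparison itself
    // stays an exact match, so host, scheme and path changes still fail.
    static boolean matchesRelaxed(Set<String> registered, String requested) {
        return matchesStrict(expandTrailingSlash(registered), requested);
    }

    public static void main(String[] args) {
        // Constructed sample values.
        Set<String> registered = Set.of("https://store.example.com/callback");
        String[] requests = {
            "https://store.example.com/callback",              // exact
            "https://store.example.com/callback/",             // trailing slash only
            "https://store.example.com/callback/extra",        // longer path
            "https://store.example.com.evil.example/callback", // different host
            "http://store.example.com/callback"                // different scheme
        };
        for (String r : requests) {
            System.out.printf("%-50s strict=%-5b relaxed=%b%n",
                    r, matchesStrict(registered, r), matchesRelaxed(registered, r));
        }
    }
}
```

      Only the second request changes outcome between the two modes; the last three are rejected in both.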
    • getPostAuthenticationSuccessRedirectUris

      public Set<String> getPostAuthenticationSuccessRedirectUris()
      A whitelist of redirect URIs that the caller can request redirect to after successful authentication-related operations. This can contain relative and absolute values.

      If none are configured or none match the request, getDefaultRedirectUri() should be used.

      Critically, this is distinct from getRedirectUris() and is not intended for use in OAuth validation.

      Returns:
      a whitelist of redirect URIs that callers can request redirect to after successful authentication operations
    • getPostLogoutRedirectUris

      public Set<String> getPostLogoutRedirectUris()
      The post logout redirect URI(s) that the client may use for logout.

      This is only applicable when using the OpenID Connect RP-Initiated Logout 1.0 flow.

      Returns:
      the post-logout redirect URIs that the client may use for logout
      See Also:
      • RegisteredClient.getPostLogoutRedirectUris()
      • OidcLogoutAuthenticationProvider
    • getScopes

      public Set<String> getScopes()
      The scopes for this client. Empty if the client isn't scoped.

      The scopes represent the "upper-bound" of what scopes a client is allowed to request. They will also be used as default scopes if no scopes are requested.

      When this client is expected to be the final principal (ex: client credentials flow), these values represent all scopes that can be requested. Typically, the client credentials token request does not include any scopes, and all these scopes are granted.

      For flows where a user is the final principal (ex: authorization code flow), these values represent the upper-bound of what can be granted. Token requests typically include a scope that must be declared in this field.

      Returns:
      The scopes of this client.
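      How the scope upper bound described here and the audience rules under isAuthoritativeResourceIds() shape a token, as an added example that is not Broadleaf's implementation: rejecting an undeclared scope and the inherited audience values are assumptions, user-level restrictions are not modelled, and all names are hypothetical.

```java
import java.util.Set;
import java.util.TreeSet;

// Added illustration, not Broadleaf code. Names and sample values are hypothetical.
public class TokenContentsExample {

    // Registered scopes are the upper bound, and the default when the
    // request names none. Refusing an undeclared scope is an assumption
    // (it mirrors the OAuth2 "invalid_scope" error).
    static Set<String> effectiveScopes(Set<String> registered, Set<String> requested) {
        if (requested == null || requested.isEmpty()) {
            return new TreeSet<>(registered);
        }
        Set<String> undeclared = new TreeSet<>(requested);
        undeclared.removeAll(registered);
        if (!undeclared.isEmpty()) {
            throw new IllegalArgumentException("invalid_scope: " + undeclared);
        }
        return new TreeSet<>(requested);
    }

    // authoritative = true  -> audience is exactly the client's resource IDs
    // authoritative = false -> resource IDs plus inherited defaults
    static Set<String> effectiveAudience(Set<String> resourceIds, boolean authoritative,
                                         Set<String> inherited) {
        Set<String> audience = new TreeSet<>(resourceIds);
        if (!authoritative) {
            audience.addAll(inherited);
        }
        return audience;
    }

    // What a resource server does with the result: accept the token only
    // if its own identifier appears in the audience claim.
    static boolean acceptedBy(String resourceServerId, Set<String> audience) {
        return audience.contains(resourceServerId);
    }

    public static void main(String[] args) {
        // Constructed sample values.
        Set<String> registeredScopes = Set.of("ORDER", "CATALOG");
        Set<String> resourceIds = Set.of("order-service");
        Set<String> inherited = Set.of("catalog-service", "pricing-service");

        System.out.println("no scope requested -> "
                + effectiveScopes(registeredScopes, Set.of()));
        System.out.println("ORDER requested    -> "
                + effectiveScopes(registeredScopes, Set.of("ORDER")));
        try {
            effectiveScopes(registeredScopes, Set.of("ORDER", "ADMIN"));
        } catch (IllegalArgumentException e) {
            System.out.println("ADMIN requested    -> " + e.getMessage());
        }

        Set<String> additive = effectiveAudience(resourceIds, false, inherited);
        Set<String> exclusive = effectiveAudience(resourceIds, true, inherited);
        System.out.println("additive aud=" + additive
                + " pricing-service accepts: " + acceptedBy("pricing-service", additive));
        System.out.println("authoritative aud=" + exclusive
                + " pricing-service accepts: " + acceptedBy("pricing-service", exclusive));
    }
}
```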
    • getPermissions

      public Set<String> getPermissions()
      Returns the Broadleaf permissions that are assigned as authorities to this client in an OAuth2 flow. These apply to client-only flows (ex: AuthorizationGrantType.CLIENT_CREDENTIALS). These do not apply to user flows.
      Returns:
      the permissions this client is assigned (never null)
    • getApplicationId

      public String getApplicationId()
      Populated if this authorized client is used for authorizing customer users in a certain application. This is generally used in discovering the authorized client or authorization server for customer users.
      Returns:
      the application ID this client is used in, or null if not used for customers
    • getAttributes

      public Map<String,Object> getAttributes()
      Additional attributes for this client, not needed by the vanilla OAuth protocol but might be useful, for example, for storing descriptive information.
      Returns:
      a map of additional attributes
    • getDefaultRedirectUri

      public String getDefaultRedirectUri()
      The default redirect URI to use if a user accesses an authentication operation without a valid requested redirect location.

      In many cases, this is effectively the default value to use if a match is not found in getPostAuthenticationSuccessRedirectUris() or if no value was explicitly requested.

      This is distinct from getRedirectUris() and is not intended for use with OAuth-specific validations.

      Returns:
      a string representing the default fallback URI
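      The selection between a requested post-authentication redirect, the getPostAuthenticationSuccessRedirectUris() whitelist and this default, as an added example that is not Broadleaf's implementation: exact comparison after normalization is an assumption, and all names are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added illustration, not Broadleaf code. Names are hypothetical and the
// exact-match comparison is an assumption about how entries are compared.
public class PostAuthRedirectExample {

    // Returns the requested redirect only when it is well-formed and
    // whitelisted; in every other case returns the client's default URI.
    static String chooseRedirect(String requested, Set<String> allowed, String defaultUri) {
        if (requested == null || requested.isBlank()) {
            return defaultUri; // nothing was requested
        }
        URI parsed;
        try {
            // normalize() collapses "." and ".." so "/a/../b" is compared as "/b"
            parsed = new URI(requested.trim()).normalize();
        } catch (URISyntaxException e) {
            return defaultUri; // backslashes, spaces, control characters
        }
        if (parsed.isAbsolute()) {
            String scheme = parsed.getScheme().toLowerCase(Locale.ROOT);
            if (!scheme.equals("https") && !scheme.equals("http")) {
                return defaultUri; // non-web schemes are never a valid target
            }
        } else if (parsed.getRawAuthority() != null
                || !parsed.getRawPath().startsWith("/")) {
            // "//host/path" is scheme-relative and leaves the site;
            // other relative forms depend on the current page and are refused
            return defaultUri;
        }
        String candidate = parsed.toString();
        return allowed.contains(candidate) ? candidate : defaultUri;
    }

    public static void main(String[] args) {
        // Constructed sample values.
        Set<String> allowed = Set.of("/account", "https://www.my-store.com/checkout");
        String fallback = "https://www.my-store.com";
        String[] requests = {
            "/account",                          // whitelisted relative value
            "https://www.my-store.com/checkout", // whitelisted absolute value
            "https://other.example/checkout",    // host not whitelisted
            "//other.example/account",           // scheme-relative
            "/account/../admin",                 // normalizes to /admin
            "javascript:void(0)",                // non-web scheme
            ""                                   // nothing requested
        };
        for (String r : requests) {
            System.out.printf("%-36s -> %s%n", "\"" + r + "\"",
                    chooseRedirect(r, allowed, fallback));
        }
    }
}
```

      Only the first two requests are honoured; every other input resolves to the fallback.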
    • getResetPasswordBaseUri

      public String getResetPasswordBaseUri()
      The base URI for the reset password form. This is used when generating a reset password link so the user is directed to the right domain hosting the form. If blank, defaultRedirectUri will be used.

      This can be different from defaultRedirectUri in cases where the frontend app is on a different domain than Auth and SSO is still being used. For example, the reset password form is on https://www.my-auth-server.com and the frontend is https://www.my-store.com. In such a case, the defaultRedirectUri would be https://www.my-store.com but resetPasswordBaseUri would be https://www.my-auth-server.com.

    • isUseRedirectUriToGenerateConsumeTokenUrl

      public boolean isUseRedirectUriToGenerateConsumeTokenUrl()
      Controls whether auth uses the ImpersonationRequest.getRedirect_uri() when building the consume-token redirect URL after a successful impersonation request. The consume token endpoint will add a session cookie identifying the user as a CSR so they do not need to log in on the storefront. The alternative is to build a relative URL to redirect to the same domain as the impersonation endpoint.

      This is true by default.

      The reason to redirect to the consume-token endpoint using the ImpersonationRequest.getRedirect_uri() is to ensure the cookie is set on the same domain as the storefront in cases where the admin and storefront are on separate domains but both can access Auth on their own domains. That is possible when using the standard deployment configuration where all apps and services are deployed behind the Admin and Commerce Gateways.

      Suppose that the admin and storefront apps are on different domains: admin.mycompany.com and store.mycompany.com. In this case, if the impersonate endpoint added the cookie, it would be on admin.mycompany.com and therefore not accessible on store.mycompany.com. To work around this limitation, the system can redirect to store.mycompany.com/auth/consume-token and then add the session token so that it is on the same domain as the storefront.

      However, if Auth is accessed through a different domain than the storefront app (e.g., auth.mycompany.com), then this redirect will not be useful. Such a case typically occurs when also using refresh-token-rotation.

    • getProofKeyRequired

      public Boolean getProofKeyRequired()
      Whether the client is explicitly opted-in to PKCE for auth code flows. The default is true if this value is unset.
    • setId

      public void setId(String id)
      The primary key of this authorized client.
      Parameters:
      id - the primary key
    • setServerId

      public void setServerId(String serverId)
      The ID of the authorization server this authorized client is part of.
      Parameters:
      serverId - the authorization server ID
    • setFriendlyName

      public void setFriendlyName(String friendlyName)
      The friendly name of this authorized client. Intended for display purposes.
      Parameters:
      friendlyName - the friendly name
    • setClientId

      public void setClientId(String clientId)
      The OAuth2 client ID for this authorized client. Usually generated as a randomized string.
      Parameters:
      clientId - the client ID
    • setClientIdIssuedAt

      public void setClientIdIssuedAt(@Nullable Instant clientIdIssuedAt)
      Indicates the time at which getClientId() was issued. This is a completely optional field, and is not set by Broadleaf by default.
      Parameters:
      clientIdIssuedAt - The time at which the client identifier was issued
      See Also:
      • RegisteredClient.getClientIdIssuedAt()
    • setClientSecret

      public void setClientSecret(String clientSecret)
      The encrypted OAuth2 client secret for this authorized client. Not serialized as part of the response object.
      Parameters:
      clientSecret - the encrypted client secret
    • setClientSecretExpiresAt

      public void setClientSecretExpiresAt(@Nullable Instant clientSecretExpiresAt)
      Indicates the time at which getClientSecret() expires. If not set, the client secret does not expire. Broadleaf does not set this value by default.
      Parameters:
      clientSecretExpiresAt - the time at which getClientSecret() expires
      See Also:
      • RegisteredClient.getClientSecretExpiresAt()
    • setTokenTimeoutSeconds

      public void setTokenTimeoutSeconds(Integer tokenTimeoutSeconds)
      The period of time, in seconds, that an access token issued will be valid for.
      Parameters:
      tokenTimeoutSeconds - the timeout in seconds
    • setRefreshTokenTimeoutSeconds

      public void setRefreshTokenTimeoutSeconds(Integer refreshTokenTimeoutSeconds)
      The period of time, in seconds, that a refresh token issued will be valid for. A refresh token used within this timeframe will become invalid because of rotation. In general, a refresh token should be considered usable only once.
      Parameters:
      refreshTokenTimeoutSeconds - the timeout in seconds
    • setAuthCodeTimeoutSeconds

      public void setAuthCodeTimeoutSeconds(Integer authCodeTimeoutSeconds)
      The period of time, in seconds, that an auth code issued will be valid for.
      Parameters:
      authCodeTimeoutSeconds - the timeout in seconds
    • setResourceIds

      public void setResourceIds(Set<String> resourceIds)
      These are values contributed to the AccessTokenClaimKeys.RegisteredClaims.AUDIENCE_CLAIM set on access tokens issued for this client.
      Parameters:
      resourceIds - the values to contribute to AccessTokenClaimKeys.RegisteredClaims.AUDIENCE_CLAIM on tokens issued for this client
    • setAuthoritativeResourceIds

      public void setAuthoritativeResourceIds(boolean authoritativeResourceIds)
      When true, getResourceIds() are considered authoritative. In other words, the tokens issued for this client will only contain audience values from getResourceIds() and no other values. This can be useful in scenarios where a client needs to have highly specific resource restrictions.

      When false, getResourceIds() are considered additive on top of defaults inherited from other places such as AuthorizationServerProperties.OAuth2.getAdditionalAudiences(). In other words, the tokens issued for this client will contain audience values from both getResourceIds() and any other inherited value.

      Parameters:
      authoritativeResourceIds - true if getResourceIds() should be considered authoritative, false if getResourceIds() should be considered additive
    • setClientAuthenticationMethods

      public void setClientAuthenticationMethods(Set<String> clientAuthenticationMethods)
      The authentication method(s) that the client may use. This should just be ClientAuthenticationMethod.getValue(). Use ClientAuthenticationMethod.NONE for public clients.

      This particularly affects how a client would provide its credentials to the '/token' endpoint.

      Parameters:
      clientAuthenticationMethods - the authentication methods that the client may use
      See Also:
      • RegisteredClient.getClientAuthenticationMethods()
    • setRequireAuthorizationConsent

      public void setRequireAuthorizationConsent(boolean requireAuthorizationConsent)
      Set to true if authorization consent is required when the client requests access. This applies to all interactive flows (ex: authorization_code).

      This should typically be set to false for 'first-party' clients (such as the Broadleaf admin application) - this ensures the user is not shown a consent form whenever scopes are requested.

      NOTE - at this time, Broadleaf does not have out-of-the-box (OOB) support for consent flows, so only set this to true if there is a valid available implementation of OAuth2AuthorizationConsentService that can persist/load/validate OAuth2AuthorizationConsent.

      See Also:
      • ClientSettings.isRequireAuthorizationConsent()
    • setGrantTypes

      public void setGrantTypes(Set<String> grantTypes)
      The grant types for which this client is authorized.
      Parameters:
      grantTypes - the grant types
    • setRedirectUris

      public void setRedirectUris(Set<String> redirectUris)
      The pre-defined redirect URIs for this client to use during the "authorization_code" access grant. See OAuth spec, section 4.1.1.

      Any of these values may be relative, and if so, the AuthorizedClientService will use the TenantUrlResolver to determine the base URL to resolve them against such that ultimately they are absolute. If resolution to an absolute URL fails for whatever reason, the relative URL will be omitted from the final RegisteredClient.getRedirectUris().

      These are exclusively intended to be for OAuth redirect validation, and not for validation of arbitrary redirects from various authentication operations such as login. See getPostAuthenticationSuccessRedirectUris() for more information.

      Parameters:
      redirectUris - the redirect URIs
    • setRelaxRedirectUrisValidation

      public void setRelaxRedirectUrisValidation(boolean relaxRedirectUrisValidation)
      If true, getRedirectUris() will be dynamically modified/expanded at runtime (persisted state does not change) to effectively relax certain validations. If false, getRedirectUris() will be used as-is, resulting in strict comparison semantics.

      In most cases, setting this value to true is reasonable and can avoid requests being rejected for frivolous reasons such as trailing slash mismatches. However, in scenarios where getRedirectUris() must be interpreted verbatim as defined, setting to false can ensure exact match semantics apply and any variations are not allowed.

      Parameters:
      relaxRedirectUrisValidation - whether to relax validation on getRedirectUris()
    • setPostAuthenticationSuccessRedirectUris

      public void setPostAuthenticationSuccessRedirectUris(Set<String> postAuthenticationSuccessRedirectUris)
      A whitelist of redirect URIs that the caller can request redirect to after successful authentication-related operations. This can contain relative and absolute values.

      If none are configured or none match the request, getDefaultRedirectUri() should be used.

      Critically, this is distinct from getRedirectUris() and is not intended for use in OAuth validation.

      Parameters:
      postAuthenticationSuccessRedirectUris - a whitelist of redirect URIs that callers can request redirect to after successful authentication operations
    • setPostLogoutRedirectUris

      public void setPostLogoutRedirectUris(Set<String> postLogoutRedirectUris)
      The post logout redirect URI(s) that the client may use for logout.

      This is only applicable when using the OpenID Connect RP-Initiated Logout 1.0 flow.

      Parameters:
      postLogoutRedirectUris - the post-logout redirect URIs that the client may use for logout
      See Also:
      • RegisteredClient.getPostLogoutRedirectUris()
      • OidcLogoutAuthenticationProvider
    • setScopes

      public void setScopes(Set<String> scopes)
      The scopes for this client. Empty if the client isn't scoped.

      The scopes represent the "upper-bound" of what scopes a client is allowed to request. They will also be used as default scopes if no scopes are requested.

      When this client is expected to be the final principal (ex: client credentials flow), these values represent all scopes that can be requested. Typically, the client credentials token request does not include any scopes, and all these scopes are granted.

      For flows where a user is the final principal (ex: authorization code flow), these values represent the upper-bound of what can be granted. Token requests typically include a scope that must be declared in this field.

      Parameters:
      scopes - The Set of scopes to assign to this client.
    • setPermissions

      public void setPermissions(Set<String> permissions)
      Sets the Broadleaf permissions that are assigned as authorities to this client in an OAuth2 flow. These apply to client-only flows (ex: AuthorizationGrantType.CLIENT_CREDENTIALS). These do not apply to user flows.
      Parameters:
      permissions - the permissions this client is assigned
    • setAdmin

      public void setAdmin(boolean isAdmin)
      Whether or not this authorized client is used for authorizing admin users. This is generally used in discovering the authorized client or authorization server for admin users.
      Parameters:
      isAdmin - whether or not this authorized client is for admin users
    • setApplicationId

      public void setApplicationId(String applicationId)
      Populated if this authorized client is used for authorizing customer users in a certain application. This is generally used in discovering the authorized client or authorization server for customer users.
      Parameters:
      applicationId - the application ID this client is used in
    • setAttributes

      public void setAttributes(Map<String,Object> attributes)
      Additional attributes for this client, not needed by the vanilla OAuth protocol but might be useful, for example, for storing descriptive information.
      Parameters:
      attributes - the additional attributes
    • setDefaultRedirectUri

      public void setDefaultRedirectUri(String defaultRedirectUri)
      The default redirect URI to use if a user accesses an authentication operation without a valid requested redirect location.

      In many cases, this is effectively the default value to use if a match is not found in getPostAuthenticationSuccessRedirectUris() or if no value was explicitly requested.

      This is distinct from getRedirectUris() and is not intended for use with OAuth-specific validations.

      Parameters:
      defaultRedirectUri - the default fallback URI to use for this client
    • setResetPasswordBaseUri

      public void setResetPasswordBaseUri(String resetPasswordBaseUri)
      The base URI for the reset password form. This is used when generating a reset password link so the user is directed to the right domain hosting the form. If blank, defaultRedirectUri will be used.

      This can be different from defaultRedirectUri in cases where the frontend app is on a different domain than Auth and SSO is still being used. For example, the reset password form is on https://www.my-auth-server.com and the frontend is https://www.my-store.com. In such a case, the defaultRedirectUri would be https://www.my-store.com but resetPasswordBaseUri would be https://www.my-auth-server.com.

    • setUseRedirectUriToGenerateConsumeTokenUrl

      public void setUseRedirectUriToGenerateConsumeTokenUrl(boolean useRedirectUriToGenerateConsumeTokenUrl)
      Controls whether auth uses the ImpersonationRequest.getRedirect_uri() when building the consume-token redirect URL after a successful impersonation request. The consume token endpoint will add a session cookie identifying the user as a CSR so they do not need to log in on the storefront. The alternative is to build a relative URL to redirect to the same domain as the impersonation endpoint.

      This is true by default.

      The reason to redirect to the consume-token endpoint using the ImpersonationRequest.getRedirect_uri() is to ensure the cookie is set on the same domain as the storefront in cases where the admin and storefront are on separate domains but both can access Auth on their own domains. That is possible when using the standard deployment configuration where all apps and services are deployed behind the Admin and Commerce Gateways.

      Suppose that the admin and storefront apps are on different domains: admin.mycompany.com and store.mycompany.com. In this case, if the impersonate endpoint added the cookie, it would be on admin.mycompany.com and therefore not accessible on store.mycompany.com. To work around this limitation, the system can redirect to store.mycompany.com/auth/consume-token and then add the session token so that it is on the same domain as the storefront.

      However, if Auth is accessed through a different domain than the storefront app (e.g., auth.mycompany.com), then this redirect will not be useful. Such a case typically occurs when also using refresh-token-rotation.

    • setProofKeyRequired

      public void setProofKeyRequired(Boolean proofKeyRequired)
      Whether the client is explicitly opted-in to PKCE for auth code flows. The default is true if this value is unset.
    • equals

      public boolean equals(Object o)
      Overrides:
      equals in class Object
    • canEqual

      protected boolean canEqual(Object other)
    • hashCode

      public int hashCode()
      Overrides:
      hashCode in class Object
    • toString

      public String toString()
      Overrides:
      toString in class Object
    • isAdmin

      public boolean isAdmin()
      Whether or not this authorized client is used for authorizing admin users. This is generally used in discovering the authorized client or authorization server for admin users.
      Returns:
      whether or not this authorized client is for admin users