Dynamic client registration
The dynamic client registration feature implements RFC 7591: it adds an endpoint that lets you register OpenID Connect applications dynamically with the Identify OAuth 2.0 authorization server.
Dynamic client registration endpoint
Request URL:
POST https://#yourdomain/admin/oauth2/register.idp
Content-Type: application/json
Accept: application/json
Authorization: none or Bearer [OAuth 2.0 token]
Request body example:
{
"redirect_uris": [
"https://op.certification.openid.net:62080/authz_cb"
],
"logo_uri": "http://localhost/",
"client_name": "HybridOIDC",
"grant_types": [
"authorization_code",
"implicit"
],
"jwks_uri": "https://op.certification.openid.net:62080/static/jwks_62080.json",
"scope": "identify*scim",
"post_logout_redirect_uris": [
"https://op.certification.openid.net:62080/logout"
],
"response_types": [
"code token"
],
"request_uris": [
"https://identifydev56.safewhere.local/request1.jwt",
"https://identifydev56.safewhere.local/request2.jwt"
]
}
Response body:
{
"client_id": "clientId_SIR1F5VC212IPGC",
"token_endpoint_auth_method": "client_secret_basic",
"client_name": "HybridOIDC",
"redirect_uris": [
"https://op.certification.openid.net:62080/authz_cb"
],
"logo_uri": "http://localhost/",
"scope": "profile email phone address identify*scim",
"jwks": null,
"jwks_uri": "https://op.certification.openid.net:62080/static/jwks_62080.json",
"sector_identifier_uri": "",
"client_secret": "clientSecret_LFGANM65LOB55QFBEX4T",
"client_secret_expires_at": 0,
"registration_access_token": null,
"registration_client_uri": null,
"grant_types": [
"authorization_code",
"implicit"
],
"response_types": [
"code token"
],
"policy_uri": null,
"tos_uri": null,
"post_logout_redirect_uris": [
"https://op.certification.openid.net:62080/logout"
],
"id_token_signed_response_alg": "RS256",
"userinfo_signed_response_alg": null,
"subject_type": "Public",
"request_uris": [
"https://identifydev56.safewhere.local/request1.jwt",
"https://identifydev56.safewhere.local/request2.jwt"
],
"user_claims_placement": "AccessToken"
}
Authorization
The Identify OAuth 2.0 dynamic client registration endpoint supports two modes: open and closed registration.
- Open dynamic registration: The endpoint accepts registration requests without an OAuth 2.0 access token. Enable it by ticking the option “Enable OAuth open registration” on System Setup. Because anyone who can reach the endpoint can then register clients, we recommend protecting it by other means when open registration is used, for example by allowing provisioning calls only from specific IP addresses.
- Closed dynamic registration (the default): The endpoint is an OAuth 2.0 protected resource that requires an access token carrying a urn:identify:rest-api:role claim whose value is “administrator”.
Client metadata
Safewhere Identify supports the following parameters, all of which are defined in the specification. This section gives the Identify-specific notes for each parameter.
- client_name (Optional): Used as the service provider name. It is auto-generated if omitted.
- redirect_uris (Required): Identify supports only one redirect_uri per client in this version. If a client sends an array of redirect_uris, Identify registers only the first element as the client’s redirect_uri and ignores the rest, so the other URIs in the array are not registered for the client.
- grant_types (Optional): Identify supports all grant types. Accepted values are: {authorization_code, implicit, password, client_credentials, refresh_token, urn:ietf:params:oauth:grant-type:device_code}. The default value is authorization_code.
- response_types (Optional): Identify supports all response types. Accepted values are: {code, id_token, id_token token, code id_token token, code token, code id_token}. When omitted, the default is derived from grant_types:
- If grant_types is omitted or contains authorization_code, the default value is "code".
- If grant_types contains implicit, the default value is "token".
- If grant_types contains both implicit and authorization_code, the default value is "code token".
- scope (Optional): A space-separated list of scopes.
- logo_uri (Optional): The URI of the client’s logo. The default value is http://localhost
- post_logout_redirect_uris (Optional): Identify supports only one post-logout redirect URI per client in this version. If a client sends an array of post_logout_redirect_uris, Identify registers only the first element and ignores the rest. The default value is [“https://localhost”]
- token_endpoint_auth_method (Optional): Specifies the client authentication method the client uses at the token endpoint. Accepted values are: {client_secret_basic, client_secret_post, private_key_jwt}. The default value is client_secret_basic.
- jwks (Optional): The client’s JSON Web Key Set (RFC 7517) document value, containing the client’s public keys. The jwks_uri and jwks parameters MUST NOT be used together, as the specification requires.
- jwks_uri (Optional): URL referencing the client’s JSON Web Key Set (RFC 7517) document, containing the client’s public keys. The jwks_uri and jwks parameters MUST NOT be used together, as the specification requires.
- sector_identifier_uri (Optional): URL using the HTTPS scheme to be used in calculating Pseudonymous Identifiers by the OP. It references a file with a single JSON array of redirect_uri values.
- subject_type (Optional): This defines the subject_type requested for responses to the Client. Accepted values are: {Public, Pairwise}. The default value is Public.
- user_claims_placement (Optional): This option specifies if user claims are returned along with Access token or ID token. Accepted values are :{AccessToken, IdToken}. The default value is AccessToken.
- request_uris (Optional): This option specifies the array of pre-registered request_uri values which the OIDC application uses. Each request_uri must use the HTTPS scheme and must be reachable from the internet.
- userinfo_signed_response_alg (Optional): Specifies the algorithm used to sign the UserInfo response. Accepted values are: {RS256, HS256, HS384, HS512}. If omitted, the UserInfo response is not signed.
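Putting the request format, the two authorization modes and the metadata rules above together, here is an added Python example (not code from Safewhere Identify or its documentation) that checks a registration body against those rules before sending it, builds the POST with or without the bearer token, and reviews the returned document against what was asked for. The hostname is a placeholder, the token is a dummy value, the sample bodies are transcribed from the page's request and response, and the helper names (preflight, build_request, register, review_response) are this example's own.

```python
"""Pre-flight checks, request construction and a response review for the Identify
dynamic client registration endpoint described above. Added example, not code from
the Safewhere Identify product or its documentation: the hostname and access token
are placeholders, the sample bodies are transcribed from the page, and all helper
names are this example's own."""
import json
import urllib.request
from urllib.parse import urlsplit

# Stands in for https://#yourdomain/admin/oauth2/register.idp (hypothetical host).
REGISTRATION_URL = "https://identify.example.com/admin/oauth2/register.idp"
# token_endpoint_auth_method values the page lists as accepted.
ACCEPTED_AUTH_METHODS = {"client_secret_basic", "client_secret_post", "private_key_jwt"}

# Request body from the page (constructed sample).
SAMPLE_REQUEST = {
    "client_name": "HybridOIDC", "scope": "identify*scim", "logo_uri": "http://localhost/",
    "grant_types": ["authorization_code", "implicit"], "response_types": ["code token"],
    "redirect_uris": ["https://op.certification.openid.net:62080/authz_cb"],
    "post_logout_redirect_uris": ["https://op.certification.openid.net:62080/logout"],
    "jwks_uri": "https://op.certification.openid.net:62080/static/jwks_62080.json",
    "request_uris": ["https://identifydev56.safewhere.local/request1.jwt",
                     "https://identifydev56.safewhere.local/request2.jwt"],
}
# The fields of the page's response body that review_response() inspects (constructed sample).
SAMPLE_RESPONSE = {
    "client_id": "clientId_SIR1F5VC212IPGC", "client_secret": "clientSecret_LFGANM65LOB55QFBEX4T",
    "client_secret_expires_at": 0, "token_endpoint_auth_method": "client_secret_basic",
    "redirect_uris": ["https://op.certification.openid.net:62080/authz_cb"],
    "scope": "profile email phone address identify*scim",
    "registration_access_token": None, "registration_client_uri": None,
}


def preflight(metadata):
    """Return the problems the endpoint's rules above would cause for this body."""
    problems = []
    redirect_uris = metadata.get("redirect_uris") or []
    if not redirect_uris:
        problems.append("redirect_uris is required")
    elif len(redirect_uris) > 1:
        # Identify registers only the first element and silently drops the rest.
        problems.append(f"only the first redirect_uri is registered; dropped: {redirect_uris[1:]}")
    if len(metadata.get("post_logout_redirect_uris") or []) > 1:
        problems.append("only the first post_logout_redirect_uri is registered")
    if "jwks" in metadata and "jwks_uri" in metadata:
        problems.append("jwks and jwks_uri must not be used together")
    for uri in metadata.get("request_uris") or []:
        if urlsplit(uri).scheme != "https":
            problems.append(f"request_uri must use https: {uri}")
    method = metadata.get("token_endpoint_auth_method", "client_secret_basic")
    if method not in ACCEPTED_AUTH_METHODS:
        problems.append(f"unsupported token_endpoint_auth_method: {method}")
    elif method == "private_key_jwt" and "jwks" not in metadata and "jwks_uri" not in metadata:
        # General OIDC requirement, not stated on the page: the server needs the client's public key.
        problems.append("private_key_jwt needs jwks or jwks_uri")
    return problems


def build_request(url, metadata, access_token=None):
    """Build the POST. Closed mode (the default) needs a bearer token whose
    urn:identify:rest-api:role claim is administrator; open mode sends no token."""
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if access_token:
        headers["Authorization"] = f"Bearer {access_token}"
    body = json.dumps(metadata).encode("utf-8")
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def register(url, metadata, access_token=None, timeout=10):
    """Validate, POST and return the parsed registration response (network call)."""
    problems = preflight(metadata)
    if problems:
        raise ValueError("; ".join(problems))
    request = build_request(url, metadata, access_token)
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return json.load(response)


def review_response(requested, registered):
    """Compare what was requested with what Identify actually registered."""
    notes = []
    dropped = [u for u in requested.get("redirect_uris", [])
               if u not in registered.get("redirect_uris", [])]
    if dropped:
        notes.append(f"redirect_uris not registered: {dropped}")
    added = set(registered.get("scope", "").split()) - set(requested.get("scope", "").split())
    if added:
        # Identify adds the standard profile, email, address and phone scopes to the request.
        notes.append(f"scopes added by the server: {sorted(added)}")
    if registered.get("client_secret") and registered.get("client_secret_expires_at") == 0:
        notes.append("client_secret never expires (expires_at 0): store it securely and rotate it yourself")
    if not registered.get("registration_access_token"):
        notes.append("registration_access_token and registration_client_uri are null: "
                     "this response is the only time the protocol hands out the credentials")
    return notes
```

preflight() catches the surprises this page documents before they cost a round trip: a second redirect_uri that would be silently dropped, jwks and jwks_uri sent together, a request_uri that is not HTTPS, an unsupported token_endpoint_auth_method. review_response() is the step to run after a successful call: because registration_access_token and registration_client_uri come back null and client_secret_expires_at is 0, the returned client_secret has to be captured from this one response and rotated by the operator rather than by the protocol.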
Client registration response
Using the client metadata received in the registration request, Identify creates a corresponding service provider named after the client_name value and uses default values for the other settings:
- Client id: A random string with “clientId_” prefix
- Client secret: A random string with “clientSecret_” prefix
- Application audience: Identify’s entity Id
- Application name: A random value with “applicationName_” prefix
- JWS algorithm: RSASigning
- Symmetric signing key: A 64-byte key generated with RNGCrypto (a cryptographically secure random number generator)
- Token life time: 60 minutes
- Code life time: 60 minutes
- Refresh token life time: 105200 minutes
- Use as OpenID Connect: True
- Enabled: True
- Scope: In addition to input scopes, Identify adds all standard scopes by default which are profile, email, address, phone.
Example for address scope:
- response_types: Its default value is selected based on the grant_types parameter, as follows.
grant_types value includes:                   | response_types value includes:
----------------------------------------------|-------------------------------
authorization_code                            | code
implicit                                      | token
password                                      | none
client_credentials                            | none
refresh_token                                 | none
urn:ietf:params:oauth:grant-type:device_code  | none
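The defaulting rule in the table above, as an added Python example (not Safewhere Identify code): default_response_types() reproduces the table and the defaults listed under response_types in the Client metadata section, and check_types() goes one step further by checking an explicit response_types list against the registered grant_types. The accepted values are those the page lists; the rule that "code" needs authorization_code and that "token" and "id_token" need implicit is the RFC 7591 mapping, which is an assumption beyond this page.

```python
"""Default response_types derived from grant_types as the table above specifies, plus a
consistency check between an explicit response_types list and the registered grant_types.
Added example, not Safewhere Identify code. The accepted values are the ones the page
lists; the rule that "code" needs authorization_code and that "token" and "id_token"
need implicit is the RFC 7591 mapping, which the page itself does not state."""

ACCEPTED_GRANT_TYPES = {
    "authorization_code", "implicit", "password", "client_credentials",
    "refresh_token", "urn:ietf:params:oauth:grant-type:device_code",
}
# The page's list, plus bare "token", which the page names as the default for implicit.
ACCEPTED_RESPONSE_TYPES = {
    "code", "token", "id_token", "id_token token", "code id_token token", "code token", "code id_token",
}
# Grant type each response_type token depends on (RFC 7591 section 2.1, not from the page).
GRANT_FOR_TOKEN = {"code": "authorization_code", "token": "implicit", "id_token": "implicit"}


def canonical(response_type):
    """Token order in a response_type is not significant; sort so "token code" equals
    "code token" (alphabetical order happens to match the page's spelling)."""
    return " ".join(sorted(response_type.split()))


def default_response_types(grant_types):
    """The default response_types Identify picks when the request omits them."""
    grants = set(grant_types or ["authorization_code"])  # grant_types itself defaults to authorization_code
    unknown = grants - ACCEPTED_GRANT_TYPES
    if unknown:
        raise ValueError(f"unsupported grant_types: {sorted(unknown)}")
    has_code, has_implicit = "authorization_code" in grants, "implicit" in grants
    if has_code and has_implicit:
        return ["code token"]
    if has_code:
        return ["code"]
    if has_implicit:
        return ["token"]
    return []  # password, client_credentials, refresh_token, device_code: none


def check_types(grant_types, response_types=None):
    """Fill in defaults and return (grant_types, response_types, errors) for a registration body."""
    grants = list(grant_types or ["authorization_code"])
    errors = [f"unsupported grant_type: {g}" for g in grants if g not in ACCEPTED_GRANT_TYPES]
    if errors:
        return grants, [], errors
    if response_types is None:
        return grants, default_response_types(grants), []
    kinds = [canonical(rt) for rt in response_types]
    for rt in kinds:
        if rt not in ACCEPTED_RESPONSE_TYPES:
            errors.append(f"unsupported response_type: {rt}")
            continue
        # Every token in a composite response_type must be backed by a registered grant type.
        needed = {GRANT_FOR_TOKEN[tok] for tok in rt.split()}
        for grant in sorted(needed - set(grants)):
            errors.append(f"response_type '{rt}' needs grant_type {grant}")
    return grants, kinds, errors
```

Run check_types() on a registration body before posting it: a client that asks for "code id_token" while registering only authorization_code is reported immediately, instead of being discovered later as a failed authorization request.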