DCR setup
12.6.3.3.2.5. Dynamic client registration (DCR) setup (in OAuth 2.0 settings)

To configure DCR for STET, add the plugin OAuth 2.0 Dynamic Client Registration in the authorization server configuration (Loginapp >> OAuth 2.0/OIDC Authorization Servers >> the stet-as entry in the list).

  • Configure it as follows:
  • 1.
    Use the default client ID generator and leave the "Client Secret Generator" property empty. TPPs must authenticate to the AS using client certificates and do not need a client secret.
  • 2.
    Enable the following grants:
    • 1.
      Authorization Code Grant
    • 2.
      Client Credentials Grant
    • 3.
      Access Token Refresh
  • 3.
    In the list of "Additional Processors" add the plugin "Token Endpoint Auth Method Processor". It restricts the metadata attributes sent by registering TPP to the values allowed in PSD2.
    • 1.
      Add the value "tls_client_auth" to the list of "Allowed Values"
    • 2.
      Check the "Mandatory" box
  • 4.
    Make sure that the REST end-point Loginapp >> REST Settings >> Technical Client Registration is configured. It must contain one of the following steps to be compliant with OAuth 2.0 Dynamic Client Registration and STET:
    • 1.
      Certificate Credential Extraction Step (requiring a TPP client certificate)
    • 2.
      OAuth 2.0 Client Registration Step
    • 3.
      OAuth 2.0 Client Persisting Step: in this step, the new OAuth 2.0 Clients are written to the IAM database. Here you may add interceptors to inform other systems about new clients. See IAM Custom Development Guide for technical client interceptors for PSD2 features and STET interaction models for more information. You can request the latest version of the IAM Custom Development Guide by opening a support ticket. See (ergon.ch) Techzone - Airlock support process) for more information.