Dyn. client registration config.
AS-centric AS - Dynamic client registration configuration

Prerequisite

To use dynamic client registration feature, "Technical Clients" support must be configured. Dynamically registered clients are managed in IAM as a type of "Technical Client" that authenticates with OAuth 2.0/OIDC credentials.

See Technical client in IAM and tech-clients REST API for more details on the configuration of "Technical Clients"

Dynamic Client Registration has been prepared to support extended functionality that the AS-centric authorization server does not yet support. This is intentional to avoid the need to re-register clients once the authorization server also supports the features. For details check the "Special properties" column in the tables below.

Configuration

To configure the dynamic client registration, navigate to Loginapp >> OAuth 2.0/OIDC Authorization Servers >> Authorization Servers >> <affected AS> >> Dynamic Client Registration (create if missing).

Basic Settings

One of the purposes of dynamic client registration is to create credentials for a client that allows the AS to uniquely identify this client in all future interactions. Use the basic settings to automatically create such credentials:

Configuration
Options
Special properties
Client ID Generator
Any Identity Generator plugin may be chosen.
The UUID Identity Generator is the recommended choice.
Client Secret Generator
A random string of suitable length is recommended.
A Token Endpoint Auth Method processor must be configured to generate client_secrets.

IAM does not currently offer any mechanism to limit the number of authentication attempts of an OAuth client. Impersonating an OAuth client requires knowing both the corresponding client_id (which cannot be assumed to be secret) and client_secret. It is therefore mandatory that the client secret contains enough entropy to ensure that brute-force attacks remain impractical.

Supported Grants

The configuration of supported grants only governs the registration of grant types during the registration of a client. The authorization server will ignore the registered grant types and still process authorization code grant, client credentials grant, and refresh requests even if the client is not registered with these grant types.

Configuration
Options
Special properties
Authorization Code Grant
Registers the client to use the authorization code grant/flow.
Implicit Grant
Registers the client to be registered for implicit grant/flow.
The authorization server does not yet support the implicit grant.
It will respond with an error if response_type = token is requested on the authorize call.
Client Credentials Grant
Registers the client to use the client credentials grant.
Access Token Refresh
Registers the client to obtain and use a refresh token during authorization code grant/flow.

Advanced Settings

This section configures which attributes a client may register during dynamic client registration. The following processors are available:

Processors
Options
Special properties
Client Name
The client may register a human-readable client name.
Contacts
The client may register contact information
Scope
This plugin filters scopes registered by the client with regex matching.
The authorization server will not enforce that clients request only scopes they are registered for.
Software ID and Software Version
This plugin filters ID and Version attributes registered by the client with regex matching.
Software ID and Software Version may be configured as mandatory.
Token Endpoint Auth Method
This plugin configures permissible client authentication methods:
  • client_secret_basic
  • client_secret_post
A client may register client_secret_post even though the authorization server does not yet support this. The authorization server will return an error if a client attempts to authenticate using this method.
URIs
This plugin filters URIs requested by the client:
  • client_uri
  • logo_uri
  • policy_uri
  • tos_uri
Any URI may be declared mandatory.