AS-centric AS - Dynamic client registration configuration

Prerequisite

To use the dynamic client registration feature, "Technical Clients" support must be configured. Dynamically registered clients are managed in IAM as a type of "Technical Client" that authenticates with OAuth 2.0/OIDC credentials.

See Technical client in IAM and tech-clients REST API for more details on the configuration of "Technical Clients".

Dynamic client registration already accepts metadata for features that the AS-centric authorization server does not yet support (for example the implicit grant or the client_secret_post authentication method). This is intentional: clients will not need to re-register once the authorization server supports these features. The "Special properties" column in the tables below lists such cases.

Configuration

To configure the dynamic client registration, navigate to Loginapp >> OAuth 2.0/OIDC Authorization Servers >> Authorization Servers >> <affected AS> >> Dynamic Client Registration (create if missing).

Basic Settings

One of the purposes of dynamic client registration is to create credentials for a client that allow the AS to uniquely identify this client in all future interactions. Use the basic settings to have such credentials created automatically:

Client ID Generator
  Options: Any Identity Generator plugin may be chosen. The UUID Identity Generator is the recommended choice.

Client Secret Generator
  Options: A random string of suitable length is recommended.
  Special properties: A Token Endpoint Auth Method processor must be configured for client_secrets to be generated. IAM does not currently offer any mechanism to limit the number of authentication attempts of an OAuth client. Impersonating an OAuth client requires knowing both its client_id (which cannot be assumed to be secret) and its client_secret, so the client secret must contain enough entropy that brute-force guessing remains impractical.
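The following Python script is an added example and not IAM product code. It generates credentials the way the Basic Settings describe (a UUID client_id and a client_secret drawn from a CSPRNG), estimates the secret's entropy so the brute-force caveat above can be checked against a configured secret length, and builds the client_secret_basic Authorization header the client later presents at the token endpoint. The 62-symbol alphabet, the 43-character default length, the 128-bit threshold and all function names are assumptions of the example.

```python
# Added example (not IAM product code): generate client credentials as the Basic Settings
# describe, estimate the client_secret's entropy against the brute-force caveat, and build
# the client_secret_basic header the client will present at the token endpoint.
# The alphabet, default length, 128-bit threshold and function names are this example's own.
import base64
import math
import secrets
import string
import uuid
from urllib.parse import quote

ALPHABET = string.ascii_letters + string.digits  # 62 printable, URL-safe symbols (assumed)


def generate_client_id() -> str:
    """Random UUID, matching the recommended UUID Identity Generator."""
    return str(uuid.uuid4())


def generate_client_secret(length: int = 43) -> str:
    """Random string from a CSPRNG (the secrets module, never random.choice)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def secret_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def expected_guessing_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to guess a secret of the given entropy by online trial, assuming
    no attempt limiting (the situation the page describes) and half the space on average."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


def meets_policy(secret: str, min_bits: float = 128) -> bool:
    """Check a generated secret against an assumed policy: only ALPHABET characters,
    and a length that yields at least min_bits of entropy."""
    if not secret or any(c not in ALPHABET for c in secret):
        return False
    return secret_entropy_bits(len(secret)) >= min_bits


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """client_secret_basic per RFC 6749 section 2.3.1: client_id and client_secret are
    form-urlencoded first, then joined with ':' and Base64-encoded."""
    credentials = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(credentials.encode("ascii")).decode("ascii")


if __name__ == "__main__":
    client_id, client_secret = generate_client_id(), generate_client_secret()
    bits = secret_entropy_bits(len(client_secret))
    print(client_id, client_secret, f"{bits:.1f} bits", meets_policy(client_secret))
    # An 8-character secret from the same alphabet has about 47.6 bits: a few years of
    # unthrottled guessing at 10^6 attempts per second, far too little for a long-lived credential.
    print(f"{expected_guessing_years(secret_entropy_bits(8), 1e6):.2f} years")
    print(basic_auth_header(client_id, client_secret))
```

With 62 symbols each character contributes about 5.95 bits, so 22 characters give roughly 131 bits and 43 give 256. A secret short enough to fail meets_policy is the case the brute-force warning above is about. The header builder also shows a detail that matters if a generator's alphabet ever includes ':' or '/': RFC 6749 requires both values to be form-urlencoded before the Base64 step.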

Supported Grants

The Supported Grants configuration only governs which grant types a client may register during dynamic client registration; the authorization server does not enforce them afterwards. It ignores the registered grant types and still processes authorization code grant, client credentials grant and refresh token requests even if the client is not registered for these grant types.

Authorization Code Grant
  Options: Registers the client to use the authorization code grant/flow.

Implicit Grant
  Options: Registers the client to use the implicit grant/flow.
  Special properties: The authorization server does not yet support the implicit grant. It responds with an error if response_type=token is requested on the authorize call.

Client Credentials Grant
  Options: Registers the client to use the client credentials grant.

Access Token Refresh
  Options: Registers the client to obtain and use a refresh token with the authorization code grant/flow.
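The following Python is an added example and not IAM product code. It translates the four Supported Grants switches into the RFC 7591 grant_types and response_types values a client may register, filters a registration request against the enabled switches, and adds the request-time gates that the AS-centric authorization server does not apply itself: a token request is refused unless its grant_type is both processable and registered for the client, and response_type=token is refused outright, as the Special properties column describes. GRANT_SWITCHES, AS_TOKEN_GRANTS and the function names are the example's own.

```python
# Added example (not IAM product code): map the "Supported Grants" switches to RFC 7591
# metadata, filter a registration against the enabled switches, and gate later requests on
# the registered grant types, which the AS-centric AS currently does not do.
# GRANT_SWITCHES, AS_TOKEN_GRANTS and the function names are this example's own.

# Configuration switch -> (grant_types value, response_types value), RFC 7591 section 2.
GRANT_SWITCHES = {
    "Authorization Code Grant": ("authorization_code", "code"),
    "Implicit Grant": ("implicit", "token"),
    "Client Credentials Grant": ("client_credentials", None),
    "Access Token Refresh": ("refresh_token", None),
}

# Grant types the AS-centric AS actually processes at the token endpoint today.
AS_TOKEN_GRANTS = frozenset({"authorization_code", "client_credentials", "refresh_token"})


def allowed_metadata(enabled_switches):
    """grant_types and response_types a registration may contain, given the enabled switches."""
    grant_types, response_types = [], []
    for switch in enabled_switches:
        grant, response = GRANT_SWITCHES[switch]
        grant_types.append(grant)
        if response is not None:
            response_types.append(response)
    return {"grant_types": grant_types, "response_types": response_types}


def filter_grant_registration(requested, enabled_switches):
    """Registration-time filter: reject grant_types/response_types that are not enabled.
    RFC 7591 defaults apply when the client omits them (authorization_code / code)."""
    allowed = allowed_metadata(enabled_switches)
    grant_types = requested.get("grant_types", ["authorization_code"])
    response_types = requested.get("response_types", ["code"])
    rejected = sorted((set(grant_types) - set(allowed["grant_types"]))
                      | (set(response_types) - set(allowed["response_types"])))
    if rejected:
        return {"error": "invalid_client_metadata",
                "error_description": "not enabled: " + ", ".join(rejected)}
    return {"grant_types": grant_types, "response_types": response_types}


def check_token_request(registered_grant_types, grant_type):
    """Token-endpoint gate. Returns an RFC 6749 section 5.2 error code, or None to proceed."""
    if grant_type not in AS_TOKEN_GRANTS:
        return "unsupported_grant_type"   # nothing the AS can process
    if grant_type not in registered_grant_types:
        return "unauthorized_client"      # processable, but not registered for this client
    return None


def check_authorize_request(registered_response_types, response_type):
    """Authorize-endpoint gate. response_type=token (implicit) is refused outright, which is
    what the page says the AS does; any other response type must have been registered."""
    if response_type == "token":
        return "unsupported_response_type"
    if response_type not in registered_response_types:
        return "unauthorized_client"
    return None


if __name__ == "__main__":
    enabled = ["Authorization Code Grant", "Client Credentials Grant", "Access Token Refresh"]
    # Constructed registration request asking for implicit, which is not enabled above.
    print(filter_grant_registration({"grant_types": ["authorization_code", "implicit"],
                                     "response_types": ["code", "token"]}, enabled))
    stored = filter_grant_registration({"grant_types": ["client_credentials"],
                                        "response_types": []}, enabled)
    print(check_token_request(stored["grant_types"], "authorization_code"))  # unauthorized_client
    print(check_token_request(stored["grant_types"], "client_credentials"))  # None
```

The second half of the script is the check to place in front of the token and authorize endpoints (for example in a gateway) while the authorization server itself ignores registered grant types; without it, a client registered only for client_credentials can still complete an authorization code exchange.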

Advanced Settings

This section configures which attributes a client may register during dynamic client registration. The following processors are available:

Client Name
  Options: The client may register a human-readable client name.

Contacts
  Options: The client may register contact information.

Scope
  Options: This plugin filters the scopes registered by the client with regex matching.
  Special properties: The authorization server does not enforce that clients request only the scopes they are registered for.

Software ID and Software Version
  Options: This plugin filters the Software ID and Software Version attributes (software_id and software_version) registered by the client with regex matching. Both may be configured as mandatory.

Token Endpoint Auth Method
  Options: This plugin configures the permissible client authentication methods:
    • client_secret_basic
    • client_secret_post
  Special properties: A client may register client_secret_post even though the authorization server does not yet support it. The authorization server returns an error if a client attempts to authenticate with this method.

URIs
  Options: This plugin filters the URIs registered by the client:
    • client_uri
    • logo_uri
    • policy_uri
    • tos_uri
  Any of these URIs may be declared mandatory.
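The following Python is an added example and not IAM product code. It models the Advanced Settings processors as a registration-time filter (regex-filtered scope, software_id and software_version with a mandatory flag, an allow-list for token_endpoint_auth_method that leaves out the unsupported client_secret_post, mandatory URIs) and adds the request-time scope check that, per the Scope row above, the authorization server itself does not perform. The policy values, the choice of which attributes are dropped silently versus rejected, and all names are assumptions of the example.

```python
# Added example (not IAM product code): a registration-time filter modelled on the Advanced
# Settings processors (regex-filtered scope, software_id/software_version with an optional
# mandatory flag, an allow-list for token_endpoint_auth_method, mandatory URIs), plus the
# request-time scope check that, per the page, the authorization server itself does not do.
# The policy values, the drop-versus-reject behaviour and all names are this example's own.
import re
from dataclasses import dataclass

URI_KEYS = ("client_uri", "logo_uri", "policy_uri", "tos_uri")


@dataclass(frozen=True)
class RegistrationPolicy:
    """Assumed configuration values standing in for the processors' settings."""
    scope_regex: str = r"openid|profile|email|api:[a-z]+"
    software_id_regex: str = r"[a-z0-9-]{3,64}"
    software_version_regex: str = r"\d+\.\d+\.\d+"
    software_mandatory: bool = True
    # Only client_secret_basic: a client registered with client_secret_post would fail
    # at the token endpoint, as the Special properties column notes.
    allowed_auth_methods: frozenset = frozenset({"client_secret_basic"})
    mandatory_uris: frozenset = frozenset({"client_uri"})


def _matches(regex: str, value) -> bool:
    # fullmatch, not search: an unanchored pattern would accept "app;rm -rf" because "app" matches.
    return isinstance(value, str) and re.fullmatch(regex, value) is not None


def _error(description: str) -> dict:
    """RFC 7591 section 3.2.2 error response body."""
    return {"error": "invalid_client_metadata", "error_description": description}


def filter_registration(request: dict, policy: RegistrationPolicy) -> dict:
    """Return the metadata to store for the new client, or an error object."""
    stored = {}
    # Client Name and Contacts: accepted as sent.
    for key in ("client_name", "contacts"):
        if key in request:
            stored[key] = request[key]
    # Scope: space-separated string; keep only the values matching the regex.
    scope = request.get("scope", "")
    if not isinstance(scope, str):
        return _error("scope must be a string")
    kept = [s for s in scope.split() if _matches(policy.scope_regex, s)]
    if kept:
        stored["scope"] = " ".join(kept)
    # Software ID / Version: regex-filtered, rejected when mandatory and missing.
    for key, regex in (("software_id", policy.software_id_regex),
                       ("software_version", policy.software_version_regex)):
        value = request.get(key)
        if value is None:
            if policy.software_mandatory:
                return _error(f"{key} is mandatory")
        elif not _matches(regex, value):
            return _error(f"{key} does not match the configured pattern")
        else:
            stored[key] = value
    # Token Endpoint Auth Method: RFC 7591 defaults to client_secret_basic when omitted.
    method = request.get("token_endpoint_auth_method", "client_secret_basic")
    if method not in policy.allowed_auth_methods:
        return _error(f"token_endpoint_auth_method {method} is not permitted")
    stored["token_endpoint_auth_method"] = method
    # URIs: mandatory ones must be present; present ones must be absolute https URLs (assumed rule).
    for key in URI_KEYS:
        value = request.get(key)
        if value is None:
            if key in policy.mandatory_uris:
                return _error(f"{key} is mandatory")
            continue
        if not _matches(r"https://[^\s/?#]+[^\s]*", value):
            return _error(f"{key} must be an absolute https URL")
        stored[key] = value
    return stored


def check_requested_scope(stored: dict, requested_scope: str):
    """Request-time gate the AS-centric AS does not apply: every scope in an authorize or
    token request must have been registered. Returns 'invalid_scope' or None."""
    extra = set(requested_scope.split()) - set(stored.get("scope", "").split())
    return "invalid_scope" if extra else None


if __name__ == "__main__":
    policy = RegistrationPolicy()
    # Constructed registration request; "admin" is not a permitted scope and is dropped.
    request = {"client_name": "Orders UI", "scope": "openid admin api:orders",
               "software_id": "orders-ui", "software_version": "2.1.0",
               "client_uri": "https://orders.example"}
    client = filter_registration(request, policy)
    print(client)
    print(check_requested_scope(client, "openid api:orders"))   # None
    print(check_requested_scope(client, "openid admin"))        # invalid_scope
```

Two details are worth carrying over into a real configuration: the regex filters are applied with fullmatch, because an unanchored pattern lets a value through as soon as any substring matches, and check_requested_scope is the piece that has to live in front of the authorization server for as long as it does not compare requested scopes with registered ones.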