Dynamic client registration configuration
Prerequisite
To use the dynamic client registration feature, “Technical Clients” support must be configured. Dynamically registered clients are managed in IAM as a type of “Technical Client” that authenticates with OAuth 2.0/OIDC credentials.
See Technical client in IAM and tech-clients REST API for more details on the configuration of “Technical Clients”.
Dynamic Client Registration has been prepared to support extended functionality that the authorization server does not yet support. This is intentional to avoid the need to re-register clients once the authorization server also supports the features. For details check the “Special properties” column in the tables below.
Configuration
To configure the dynamic client registration, navigate to Loginapp >> OAuth 2.0/OIDC Authorization Servers >> Authorization Servers >> <affected AS> >> Dynamic Client Registration (create if missing).
Basic Settings
One of the purposes of dynamic client registration is to create credentials for a client that allow the AS to uniquely identify this client in all future interactions. Use the basic settings to create such credentials automatically:
Configuration | Options | Special properties |
---|---|---|
Client ID Generator | Any Identity Generator plugin may be chosen. | The UUID Identity Generator is the recommended choice. |
Client Secret Generator | A random string of suitable length is recommended. A Token Endpoint Auth Method processor must be configured to generate client_secrets. | |
IAM does not currently offer any mechanism to limit the number of authentication attempts of an OAuth client. Impersonating an OAuth client requires knowing both the corresponding client_id (which cannot be assumed to be secret) and client_secret. It is therefore mandatory that the client secret contains enough entropy to ensure that brute-force attacks remain impractical.
Supported Grants
The configuration of supported grants only governs which grant types a client may register during registration. The authorization server ignores the registered grant types and still processes authorization code grant, client credentials grant, and refresh requests even if the client is not registered for these grant types.
Configuration | Options | Special properties |
---|---|---|
Authorization Code Grant | Registers the client to use the authorization code grant/flow. | |
Implicit Grant | Registers the client to use the implicit grant/flow. | The authorization server does not yet support the implicit grant. It will respond with an error if response_type = token is requested on the authorize call. |
Client Credentials Grant | Registers the client to use the client credentials grant. | |
Access Token Refresh | Registers the client to obtain and use a refresh token during authorization code grant/flow. | |
Advanced Settings
This section configures which attributes a client may register during dynamic client registration. The following processors are available:
Processors | Options | Special properties |
---|---|---|
Client Name | The client may register a human-readable client name. | |
Contacts | The client may register contact information. | |
Scope | This plugin filters scopes registered by the client with regex matching. | The authorization server will not enforce that clients request only scopes they are registered for. |
Software ID and Software Version | This plugin filters ID and Version attributes registered by the client with regex matching. | Software ID and Software Version may be configured as mandatory. |
Token Endpoint Auth Method | This plugin configures permissible client authentication methods: | A client may register client_secret_post even though the authorization server does not yet support this. The authorization server will return an error if a client attempts to authenticate using this method. |
URIs | This plugin filters URIs requested by the client: | Any URI may be declared mandatory. |
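As an added example (not IAM's own code), the following Python sketch shows the checks that the processors above describe applied to an RFC 7591 registration request: permitted grant types, permitted token endpoint auth method, a mandatory software_id with regex filtering, scope filtering, redirect URI filtering, and finally issuing a UUID client_id with a 256-bit random client_secret as recommended under Basic Settings. The policy dictionary, the regex patterns, and the choice to reject a request whose redirect URI does not match the filter are assumptions for this example.

```python
import re
import secrets
import uuid

# Constructed policy mirroring the processors above (assumed keys/patterns, not IAM's own format).
POLICY = {
    "grant_types": {"authorization_code", "client_credentials", "refresh_token"},
    "scope_pattern": re.compile(r"^(openid|profile|email|api:[a-z]+)$"),
    "software_id_pattern": re.compile(r"^[a-z0-9-]{3,64}$"),
    "software_id_mandatory": True,
    "token_endpoint_auth_methods": {"client_secret_basic"},
    "redirect_uri_pattern": re.compile(r"^https://[a-z0-9.-]+\.example\.com/.*$"),
    "secret_bytes": 32,  # 256 bits of entropy, so guessing the secret is impractical
}

def validate_registration(request, policy=POLICY):
    """Return RFC 7591 style error strings; an empty list means the request is accepted."""
    errors = []
    bad_grants = set(request.get("grant_types", [])) - policy["grant_types"]
    if bad_grants:
        errors.append(f"invalid_client_metadata: unsupported grant_types {sorted(bad_grants)}")
    auth = request.get("token_endpoint_auth_method", "client_secret_basic")
    if auth not in policy["token_endpoint_auth_methods"]:
        errors.append(f"invalid_client_metadata: token_endpoint_auth_method {auth} not permitted")
    if policy["software_id_mandatory"] and "software_id" not in request:
        errors.append("invalid_client_metadata: software_id is mandatory")
    elif "software_id" in request and not policy["software_id_pattern"].match(request["software_id"]):
        errors.append("invalid_client_metadata: software_id rejected by filter")
    for uri in request.get("redirect_uris", []):  # assumed: a non-matching URI rejects the request
        if not policy["redirect_uri_pattern"].match(uri):
            errors.append(f"invalid_redirect_uri: {uri}")
    return errors

def filter_scope(scope, policy=POLICY):
    """Keep only the scopes that match the configured regex (scope processor behaviour)."""
    return " ".join(s for s in scope.split() if policy["scope_pattern"].match(s))

def register(request, policy=POLICY):
    """Validate the metadata and, on success, issue a UUID client_id and a random client_secret."""
    errors = validate_registration(request, policy)
    if errors:
        return {"error": errors[0].split(":")[0], "error_description": errors[0]}
    return {
        "client_id": str(uuid.uuid4()),
        "client_secret": secrets.token_urlsafe(policy["secret_bytes"]),
        "grant_types": request.get("grant_types", ["authorization_code"]),
        "scope": filter_scope(request.get("scope", ""), policy),
        "redirect_uris": request.get("redirect_uris", []),
    }
```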