Dynamic client registration (DCR) setup
To configure DCR for STET, add the plugin OAuth 2.0 Dynamic Client Registration in the authorization server configuration (Loginapp >> OAuth 2.0/OIDC Authorization Servers >> the stet-as entry in the list).
Configure it as follows:
- Use the default client ID generator and leave the Client Secret Generator property empty. TPPs must authenticate to the AS using client certificates and do not need a client secret.
- In the list of Attribute Processors, add the Token Endpoint Auth Method Processor plugin. It restricts the token_endpoint_auth_method metadata attribute sent by the registering TPP to the values allowed for PSD2.
Edit the plugin as follows:
- Add the value tls_client_auth to the list of Allowed Values.
- Check the Mandatory box.
- Return to the OAuth 2.0 Dynamic Client Registration plugin dialog.
- (Optionally) To include the technical client ID in the response of the dynamic client registration, enable the Return Technical Client ID property (which is disabled by default).
Note: The technical client ID is not the same as the client ID, which is also sent with the registration response. The technical client ID can be used to further administer the newly created client, for example, via the Adminapp REST API.
- In the Supported Grants section, enable the following grants:
- Authorization Code Grant
- Client Credentials Grant
- Access Token Refresh
- Make sure that the REST endpoint Loginapp >> Technical Client Registration is configured. It must contain the following steps to be compliant with OAuth 2.0 Dynamic Client Registration and STET:
- Certificate Credential Extraction Step (requiring a TPP client certificate)
- OAuth 2.0 Client Registration Step
- OAuth 2.0 Client Persisting Step: in this step, the new OAuth 2.0 clients are written to the IAM database. Here you may add interceptors to inform other systems about new clients. See the IAM Custom Development Guide for technical client interceptors for PSD2 features and STET interaction models for more information. You can request the latest version of the IAM Custom Development Guide by opening a support ticket. See Techzone - Airlock support process for more information.
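The following is an added, stand-alone example of what the configuration above enforces on a registration request; it is not Airlock IAM code and uses none of its APIs. It checks an RFC 7591 client metadata document against the policy described: token_endpoint_auth_method is mandatory and may only be tls_client_auth, grant_types are limited to the three enabled grants (mapped to the RFC 7591 values authorization_code, client_credentials and refresh_token), and the response carries a client_id but never a client_secret. The client_id generator, the technical_client_id response field name, and the sample TPP request are assumptions constructed for the example; the redirect_uris requirement for the authorization code grant comes from RFC 7591, not from the page.

```python
"""Policy check for OAuth 2.0 Dynamic Client Registration (RFC 7591) requests,
mirroring the STET/PSD2 configuration described above.
Added example: not Airlock IAM code, does not use its APIs."""
import json
import secrets

# Configured above: tls_client_auth is the only allowed method and it is mandatory.
ALLOWED_AUTH_METHODS = frozenset({"tls_client_auth"})
# The three grants enabled in the Supported Grants section, as RFC 7591 grant_types values.
SUPPORTED_GRANT_TYPES = frozenset({"authorization_code", "client_credentials", "refresh_token"})


class RegistrationError(ValueError):
    """Rejected registration; maps to an RFC 7591 section 3.2.2 error response."""

    def __init__(self, error: str, description: str) -> None:
        super().__init__(description)
        self.error = error
        self.description = description

    def to_response(self) -> dict:
        return {"error": self.error, "error_description": self.description}


def validate_metadata(metadata: dict) -> dict:
    """Apply the processor rules to the TPP's requested client metadata.

    Returns the accepted metadata or raises RegistrationError."""
    method = metadata.get("token_endpoint_auth_method")
    if method is None:
        # Mandatory is checked: an omitted attribute is rejected instead of
        # silently falling back to the RFC 7591 default client_secret_basic.
        raise RegistrationError("invalid_client_metadata",
                                "token_endpoint_auth_method is mandatory")
    if method not in ALLOWED_AUTH_METHODS:
        raise RegistrationError("invalid_client_metadata",
                                f"token_endpoint_auth_method {method!r} not allowed; "
                                f"allowed: {sorted(ALLOWED_AUTH_METHODS)}")
    # RFC 7591: grant_types defaults to ["authorization_code"] when absent.
    grant_types = metadata.get("grant_types", ["authorization_code"])
    if not isinstance(grant_types, list) or not grant_types:
        raise RegistrationError("invalid_client_metadata",
                                "grant_types must be a non-empty array")
    unsupported = set(grant_types) - SUPPORTED_GRANT_TYPES
    if unsupported:
        raise RegistrationError("invalid_client_metadata",
                                f"unsupported grant_types: {sorted(unsupported)}")
    if "authorization_code" in grant_types and not metadata.get("redirect_uris"):
        raise RegistrationError("invalid_redirect_uri",
                                "redirect_uris is required for the authorization code grant")
    accepted = dict(metadata)
    accepted["grant_types"] = sorted(set(grant_types))
    return accepted


def register_client(request_body: str, return_technical_client_id: bool = False) -> dict:
    """Build the registration response (RFC 7591 section 3.2.1).

    No client_secret is issued: the TPP authenticates with its client certificate.
    The client_id generator and the technical_client_id field name are assumptions."""
    metadata = json.loads(request_body)
    response = validate_metadata(metadata)
    response.pop("client_secret", None)                 # never echo or issue a secret
    response["client_id"] = secrets.token_urlsafe(24)   # assumed default generator
    if return_technical_client_id:
        # Assumed field: an internal handle for later administration, distinct from client_id.
        response["technical_client_id"] = "tc-" + secrets.token_hex(8)
    return response


def check_request(request_body: str) -> dict:
    """Return the success response, or the error response a rejected request gets."""
    try:
        return register_client(request_body)
    except RegistrationError as exc:
        return exc.to_response()


# Constructed sample request, as a TPP would POST it over mutual TLS (not a captured message).
TPP_REQUEST = json.dumps({
    "client_name": "Example TPP AISP",
    "token_endpoint_auth_method": "tls_client_auth",
    "grant_types": ["authorization_code", "client_credentials", "refresh_token"],
    "redirect_uris": ["https://tpp.example/callback"],
})

if __name__ == "__main__":
    print(json.dumps(check_request(TPP_REQUEST), indent=2))
    rejected = json.dumps({"token_endpoint_auth_method": "client_secret_basic",
                           "grant_types": ["implicit"]})
    print(json.dumps(check_request(rejected), indent=2))
```

Running the module prints one accepted registration (client_id present, no client_secret) and one rejection for a TPP that asks for client_secret_basic; a request that omits token_endpoint_auth_method entirely is rejected the same way, which is the effect of the Mandatory checkbox.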