Dynamic client registration configuration
Prerequisite
To use the dynamic client registration feature, “Technical Clients” support must be configured. Dynamically registered clients are managed in IAM as a type of “Technical Client” that authenticates with OAuth 2.0/OIDC credentials.
Dynamic Client Registration has been prepared to support extended functionality that the authorization server does not yet support. This is intentional, so that clients do not need to be re-registered once the authorization server also supports these features. For details, check the “Special properties” column in the tables below.
Client Repository
The first configuration step is to create a persister where dynamically registered clients will be stored.
- Go to: Loginapp >> OAuth 2.0/OIDC Authorization Servers >> {{AS-Id}}
- In section Clients, in property Persisted Clients, create an OAuth 2.0 Persisted Clients plugin.
- In property OAuth 2.0 Client Repository, create or select a Technical Client Database Repository plugin.
Dynamic Client Registration
The second configuration step is to configure the authorization server for dynamically registered clients.
- Go to: Loginapp >> OAuth 2.0/OIDC Authorization Servers >> Authorization Servers >> {{AS-Id}} >> Dynamic Client Registration
- In property Client ID, create a UUID Client ID plugin.
  It is also possible to choose a Client ID from Request plugin. This does not conform to RFC 7591 but supports some specific use cases (e.g. bLink).
- In property Client Secret Generator, create a Pattern-based Random String Generator plugin.
  IAM does not currently offer any mechanism to limit the number of authentication attempts of an OAuth client. It is therefore recommended to choose rather long values for the client_secret (e.g. 32 characters).
- In property Attribute Processors, create the appropriate plugins for all the attributes a client wants to register. The following Attribute Processors are examples that should be configured for all DCR setups:
  - Client Name Processor, to present a human-readable client name in the Adminapp UI
  - Scope Processor, to allow the client to request scopes
  If a client requests attributes that are missing from the list of Attribute Processors, the registration will be successful, but these attributes will be ignored.
- In section Supported Grants, select all the Grants a dynamically registered client will be allowed to use.
  The authorization server does not yet support the Implicit Grant. If a client attempts to use an implicit grant, an error response will be returned.
Technical Client Registration Flow
The third step is to expose a REST endpoint where DCR clients can be registered.
- Go to: Loginapp
- In section OpenID Connect, OAuth, SAML, One-Shot, in property Technical Client Registration, create a Technical Client Registration Settings plugin.
- In property Default Flow, create a Technical Client Registration Flow plugin.
- In property Steps, add at least the following plugins:
  - OAuth 2.0 Client Registration Step
  - OAuth 2.0 Client Persisting Step
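The following is an added, self-contained model of the behaviour the two preceding sections describe (the Dynamic Client Registration settings and the two-step Technical Client Registration Flow); it is example code, not Airlock IAM's implementation. It shows what an RFC 7591 registration request turns into under the configured rules: a UUID client_id, a 32-character generated client_secret, attributes without an Attribute Processor being accepted but dropped, a request for an unsupported grant (here the Implicit Grant) being answered with an error, and the resulting record being handed to a persisting step. All names (register_client, run_registration_flow, ClientRepository, CONFIGURED_ATTRIBUTE_PROCESSORS, SUPPORTED_GRANTS) and the sample request body are assumptions made for the example; the page names no REST path, so nothing here touches the network.

```python
"""Model of the DCR behaviour described on this page (RFC 7591 style).

Added example, not Airlock IAM code. All names and the sample request are
assumptions chosen for illustration.
"""
import json
import secrets
import string
import uuid

# Stand-in for the Attribute Processors configured in IAM: only attributes
# that have a processor are taken over; others are ignored, registration succeeds.
CONFIGURED_ATTRIBUTE_PROCESSORS = {"client_name", "scope", "redirect_uris"}

# Stand-in for "Supported Grants". "implicit" is absent on purpose: the page
# says the authorization server does not support it and returns an error.
SUPPORTED_GRANTS = {"authorization_code", "client_credentials", "refresh_token"}

# Rather long secrets are recommended because IAM does not limit client
# authentication attempts; 32 characters is the page's example value.
SECRET_LENGTH = 32
SECRET_ALPHABET = string.ascii_letters + string.digits

# Constructed registration request body as a client would POST it.
SAMPLE_REQUEST = json.dumps({
    "client_name": "Example Mobile App",
    "redirect_uris": ["https://app.example/callback"],
    "scope": "openid profile",
    "grant_types": ["authorization_code", "refresh_token"],
    "logo_uri": "https://app.example/logo.png",  # no processor configured
})


class RegistrationError(ValueError):
    """Corresponds to an RFC 7591 error response (error + error_description)."""

    def __init__(self, error, description):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


def generate_client_secret(length=SECRET_LENGTH, alphabet=SECRET_ALPHABET):
    """Pattern-based random string: `length` CSPRNG-drawn characters."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def register_client(request_body):
    """OAuth 2.0 Client Registration Step: validate and build the client record.

    Returns (client, ignored_attribute_names); raises RegistrationError when a
    requested grant type is not in SUPPORTED_GRANTS.
    """
    request = json.loads(request_body) if isinstance(request_body, str) else dict(request_body)
    # RFC 7591 section 2: grant_types defaults to authorization_code when absent.
    requested_grants = set(request.get("grant_types", ["authorization_code"]))
    unsupported = requested_grants - SUPPORTED_GRANTS
    if unsupported:
        raise RegistrationError("invalid_client_metadata",
                                f"grant types not supported: {sorted(unsupported)}")
    accepted = {k: v for k, v in request.items() if k in CONFIGURED_ATTRIBUTE_PROCESSORS}
    ignored = sorted(set(request) - CONFIGURED_ATTRIBUTE_PROCESSORS - {"grant_types"})
    client = {
        "client_id": str(uuid.uuid4()),  # UUID Client ID plugin
        "client_secret": generate_client_secret(),
        "grant_types": sorted(requested_grants),
        **accepted,
    }
    return client, ignored


class ClientRepository:
    """In-memory stand-in for the Technical Client Database Repository."""

    def __init__(self):
        self._clients = {}

    def persist_client(self, client):
        """OAuth 2.0 Client Persisting Step: store the record under its client_id."""
        self._clients[client["client_id"]] = dict(client)

    def lookup(self, client_id):
        return self._clients.get(client_id)


def run_registration_flow(request_body, repository):
    """Technical Client Registration Flow: registration step, then persisting step."""
    client, ignored = register_client(request_body)
    repository.persist_client(client)
    return client, ignored


def check_registration_response(response):
    """Client-side sanity checks before storing what the server returned."""
    uuid.UUID(response["client_id"])  # raises ValueError if not a UUID
    if len(response["client_secret"]) < SECRET_LENGTH:
        raise ValueError("client_secret shorter than the recommended length")
    if "implicit" in response.get("grant_types", []):
        raise ValueError("implicit grant is not supported by the authorization server")
    return True


if __name__ == "__main__":
    repo = ClientRepository()
    stored, dropped = run_registration_flow(SAMPLE_REQUEST, repo)
    print(json.dumps(stored, indent=2), "\nignored:", dropped)
    try:
        run_registration_flow({"grant_types": ["implicit"]}, repo)
    except RegistrationError as err:
        print("rejected:", err)
```

Running the script registers the sample client and reports `logo_uri` as ignored, because no Attribute Processor exists for it, and then shows the error response a request for the Implicit Grant would receive. The check_registration_response helper is the client-side counterpart: it confirms the returned client_id is a UUID and that the secret has the recommended length before the client stores its credentials.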
Technical Clients in the Adminapp
The fourth and last step is to allow technical clients to be managed in the Adminapp UI.
- Go to: Adminapp
- In section Basic Settings, in property Technical Clients, create and edit a Technical Client Settings plugin.
- In property Repository, reuse the Technical Client Database Repository plugin from the first step.
Further information and links
- See DCR - Dynamic Client Registration for general information about DCR in Airlock IAM.
- See Technical client in IAM and tech-clients REST API for more information about technical clients.