DCR - Dynamic Client Registration

In the OAuth 2.0 framework, the client is the application that requests access to protected resources on behalf of the resource owner. It initiates the authorization process by redirecting the user to the authorization server and, upon successful authorization, obtains an access token (in most deployments a bearer token).

This token allows the client to make authenticated requests to the resource server and act on behalf of the user. The client's ability to securely handle the token and interact properly with the authorization and resource servers is essential to ensuring safe and delegated access to user data.

OAuth 2.0 Clients

OAuth 2.0, OpenID Connect, and Token Exchange clients can be managed in IAM in two ways:

  • As static clients in the configuration
  • As dynamically registered clients in the database

This documentation focuses on dynamically registered clients, which are managed according to RFC 7591 (OAuth 2.0 Dynamic Client Registration Protocol, https://tools.ietf.org/html/rfc7591).

Overview of DCR

When configuring Airlock IAM to deal with dynamically registered clients, the challenge is to find all the locations in the configuration that must be modified.

The following list gives a short overview of all the different tasks that need to be accomplished for dynamic client registration to work correctly:

DCR related changes in the Loginapp

  • Persisted Clients - for IAM to be able to store and retrieve dynamically registered clients, the OAuth 2.0 Client Repository needs to be configured in the OAuth 2.0/OIDC Authorization Server.
  • Dynamic Client Registration must be configured in the OAuth 2.0/OIDC Authorization Server so that IAM exposes a DCR endpoint that processes DCR requests. Attribute Processors decide which attributes a DCR request may contain and how they are processed (e.g. by configuring a RegEx to sanitize values supplied in the request).
  • Technical Client Registration Flow provides a flow endpoint where DCR requests are processed. A typical flow will first authenticate the requester, then validate the request body and finally persist the newly registered client.
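The three steps of the registration flow above (authenticate the requester, validate the request body through per-attribute processors, persist the client) can be shown as a small RFC 7591 endpoint handler. The following is an added example written for this page; it is not Airlock IAM code and does not use IAM's configuration model. The initial access tokens, the in-memory client repository, the attribute allowlist and the regular expressions are all assumptions constructed for the example:

```python
"""Minimal RFC 7591 dynamic client registration handler (added example, not Airlock IAM code)."""
import hashlib
import json
import re
import secrets
from urllib.parse import urlparse

# Constructed for this example: initial access tokens handed out of band to parties that
# may register clients (RFC 7591 section 3 allows the endpoint to require such a token).
INITIAL_ACCESS_TOKENS = {"iat-demo-1234": "partner-a"}

# In-memory stand-in for a database-backed client repository: client_id -> stored metadata.
CLIENT_REPOSITORY = {}

# Assumed policy: a RegEx for client_name and allowlists for enumerated attributes.
CLIENT_NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")
ALLOWED_GRANT_TYPES = {"authorization_code", "refresh_token"}
ALLOWED_AUTH_METHODS = {"client_secret_basic", "client_secret_post"}


class RegistrationError(Exception):
    """Carries an RFC 7591 section 3.2.2 error code and description."""

    def __init__(self, error, description):
        super().__init__(description)
        self.error = error
        self.description = description


def process_redirect_uris(value):
    # Only absolute https URIs without a fragment are accepted, so a registrant cannot have
    # authorization codes delivered to a plain-http or fragment-bearing endpoint.
    if not isinstance(value, list) or not value:
        raise RegistrationError("invalid_redirect_uri", "redirect_uris must be a non-empty list")
    for uri in value:
        parts = urlparse(uri) if isinstance(uri, str) else None
        if parts is None or parts.scheme != "https" or not parts.netloc or parts.fragment:
            raise RegistrationError("invalid_redirect_uri", f"rejected redirect URI: {uri!r}")
    return value


def process_client_name(value):
    if not isinstance(value, str) or not CLIENT_NAME_RE.fullmatch(value):
        raise RegistrationError("invalid_client_metadata", "client_name fails the allowed pattern")
    return value


def process_enum(name, allowed):
    # Builds a processor that accepts a string or list of strings drawn from an allowlist.
    def check(value):
        values = value if isinstance(value, list) else [value]
        if not values or not all(isinstance(v, str) for v in values) or not set(values) <= allowed:
            raise RegistrationError("invalid_client_metadata", f"{name} contains a disallowed value")
        return value
    return check


# Attribute processors: a request may contain exactly these keys, each value must pass its
# processor, and anything else is rejected rather than silently stored.
ATTRIBUTE_PROCESSORS = {
    "redirect_uris": process_redirect_uris,
    "client_name": process_client_name,
    "grant_types": process_enum("grant_types", ALLOWED_GRANT_TYPES),
    "token_endpoint_auth_method": process_enum("token_endpoint_auth_method", ALLOWED_AUTH_METHODS),
}
REQUIRED_ATTRIBUTES = {"redirect_uris"}


def register_client(authorization_header, request_body):
    """Handle one DCR request. Returns (http_status, response_body_dict)."""
    # Step 1: authenticate the requester via the initial access token.
    scheme, _, token = (authorization_header or "").partition(" ")
    if scheme.lower() != "bearer" or token not in INITIAL_ACCESS_TOKENS:
        return 401, {"error": "invalid_token"}
    registrant = INITIAL_ACCESS_TOKENS[token]

    # Step 2: validate the request body against the attribute processors.
    try:
        try:
            metadata = json.loads(request_body)
        except ValueError:
            raise RegistrationError("invalid_client_metadata", "request body is not valid JSON")
        if not isinstance(metadata, dict):
            raise RegistrationError("invalid_client_metadata", "request body must be a JSON object")
        unknown = set(metadata) - set(ATTRIBUTE_PROCESSORS)
        if unknown:
            raise RegistrationError("invalid_client_metadata", f"unsupported attributes: {sorted(unknown)}")
        missing = REQUIRED_ATTRIBUTES - set(metadata)
        if missing:
            raise RegistrationError("invalid_client_metadata", f"missing attributes: {sorted(missing)}")
        clean = {name: ATTRIBUTE_PROCESSORS[name](value) for name, value in metadata.items()}
    except RegistrationError as exc:
        return 400, {"error": exc.error, "error_description": exc.description}

    # Step 3: persist the client with server-generated credentials. Only a hash of the
    # secret is stored; the plaintext is returned once in the registration response.
    client_id = secrets.token_urlsafe(16)
    client_secret = secrets.token_urlsafe(32)
    CLIENT_REPOSITORY[client_id] = {
        **clean,
        "client_secret_sha256": hashlib.sha256(client_secret.encode()).hexdigest(),
        "registered_by": registrant,
    }
    return 201, {"client_id": client_id, "client_secret": client_secret, **clean}
```

A request with a valid initial access token and a body such as `{"redirect_uris": ["https://app.example/cb"], "client_name": "Demo App"}` yields a 201 response carrying the generated client_id and client_secret; a redirect URI with an http scheme is answered with `invalid_redirect_uri`, an attribute the processors do not know with `invalid_client_metadata`, and a missing or unknown token with 401 before the body is parsed at all. Rejecting unknown attributes outright is the conservative choice: it keeps a registrant from smuggling in settings the operator never reviewed.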

DCR related changes in the Adminapp

  • Technical Clients must be configured to allow the Adminapp access to the OAuth 2.0 Client Repository so that dynamically registered clients can be managed in the Adminapp UI.

Limitations with DCR clients

The following limitations apply when using DCR clients in Airlock IAM:

  • DCR clients do not support configuration overrides.
  • The OAuth 2.0 Dynamic Client Registration Management Protocol (RFC 7592) is not supported.
  • Management capabilities for DCR clients in the Adminapp are limited.

Further information and links