Dynamic client registration with new OpenID Connect provider
Dynamic Client Registration allows the OpenID Connect (OIDC) Relying Party (RP) to register itself with the OpenID Connect Provider (OP).
Before you begin
It is based on OpenID Connect Dynamic Client Registration 1.0 specifications.
New OIDC applications are created by a tenant administrator or a user with administrative access to the tenant. Now, OIDC applications can also be created dynamically through dynamic client registration.
Dynamic client registration endpoint is located here:
https://{{tenant}}/oauth2/register.
About this task
Configure the dynamic client registration settings and then dynamically register the new OIDC application by using the registration API. The application is either a "OpenID Connect" or "OpenID Connect for Open Banking" application.
Dynamic client registration settings
The dynamic client registration settings can be configured to set the default values for dynamic client registration. See Configuring OIDC dynamic client registration settings.
The relevant settings are described in the following table.
| Field | Description |
|---|---|
| Grant types | The grant types to use if not specified in the dynamic client registration payload. The supported grant types are 'Authorization code', 'Implicit', 'Password', 'Refresh token' and 'Client credentials'. If Open Banking recipe is not 'None', the grant type 'Password' is not allowed. |
| ID token claims | The default claims for ID token and user information, if not specified in the dynamic client registration payload. |
| Token claims | The default claims for introspection and JWT access token, if not specified in the dynamic client registration payload. |
| Access token type | The type of access token to be generated. The valid values are 'Default' and 'JWT'. |
| ID token signing algorithm | The algorithm used to sign ID tokens if not specified in the dynamic client registration payload. |
| User consent | Select whether to ask for user consent if not specified in the dynamic client registration payload. |
| Access token lifetime | The access token lifetime in seconds. Maximum 2147483647, minimum 1. |
| Refresh token lifetime | The refresh token lifetime in seconds. Maximum 2147483647, minimum 1. |
| Enforce PKCE verification | Select whether to enforce PKCE if not specified in the dynamic client registration payload. |
| Entitle to all users | Determine whether all users are entitled to use this client if not specified in the dynamic client registration payload. |
| Request object validity period | The request object validity period in seconds. Maximum 2147483647, minimum 1. |
| Require "exp" for request object | Determines whether the ‘exp’ attribute is required in the request object. |
| Allow custom client credentials | Determines whether custom client credentials are allowed. If set to 'false', client ID and secret cannot be specified in the dynamic client registration payload. |
| Allowed request object signing algorithms | A list of allowed signing algorithms for the signed request JWT. If not set, all supported algorithms are allowed. |
| Request transform rule | Enter the rule to modify the dynamic client registration request. If not set, not modification is made to the dynamic client registration request. |
| Open Banking recipe | The Open Banking recipe to apply to all dynamic client registrations. When this field is set to 'None', an 'OpenID Connect' application is created. If it is set to any other value, an 'OpenID Connect for Open Banking' application is created. |
Refer to Configuring OIDC dynamic client registration settings for the 'Software statement', 'Request authorization', and 'Registration access token' sections of the settings.
Require bearer token authentication for dynamic client registration
If the request authorization is configured to require bearer token authorization for dynamic client registration, an initial access token is required.
Create an API Client with the Manage OIDC client registration dynamically
entitlement. To create the API Client, see Managing application API access.
After the API Client is created, use the client_credentials flow to get the access token. The following code is an example:
curl -ki -v https://{{tenant}}/v1.0/endpoint/default/token -d "grant_type=client_credentials&client_id=<clientId>&client_secret=<clientSecret>"
The dynamic client registration request requires the bearer token to be supplied in the authorization header.
Require MTLS for dynamic client registration
If the request authorization is configured to require mutual TLS, a valid certificate must be presented by the client for the request.
Register new application by using the registration API
The following table shows the list of client metadata that are currently supported.
| Metadata name | Metadata description | Optional | Valid values |
|---|---|---|---|
| client_name | Application Name | true | string |
| client_id | The client ID is automatically generated if it is not provided. | true | string |
| client_secret | The client secret is automatically generated if it is not provided. | true | string |
| redirect_uris | List of redirect URIs. | false | list of string URI |
| grant_types | Array of grant types that the application can use. | true | ‘authorization_code’, ‘implicit’, ‘password’, ‘refresh_token’, and ‘client_credentials’ |
| id_token_signed_response_alg | Token signing algorithm. | true | 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'PS256', 'PS384', 'PS512' |
| all_users_entitled | Set to true if all users are entitled to use this application. | true | true or false |
| jwks_uri | URL of the client's JSON Web Key Set document. | true | URL |
| consent_action | Request for user consent. | true | ‘never_prompt’ or ‘always_prompt’ |
| enforce_pkce | Enforce the usage of PKCE. | true | true or false |
| scope | Space-delimited string of allowed scopes. | true | string |
| id_token_claims | List of claims for id_token and user information. | true | list of strings |
| token_claims | List of claims for introspect and JWT access token. | true | list of strings |
| initiate_login_uri | The URL to start login. | true | URL |
| response_types | Response types used by this client. | true | list of strings |
| token_endpoint_auth_method | Client authentication method for the token endpoint. | true | 'default', 'client_secret_basic', 'client_secret_post', 'private_key_jwt', 'tls_client_auth' |
| tls_client_auth_subject_dn | The expected subject distinguished name of the certificate that the client uses in mutual TLS authentication. | true | string |
| tls_client_auth_san_dns | The expected DNS name SAN entry in the certificate that the client uses in mutual TLS authentication. | true | string |
| tls_client_auth_san_uri | The expected URI SAN entry in the certificate that the client uses in mutual TLS authentication. | true | string |
| tls_client_auth_san_ip | The expected IP address SAN entry in the certificate that the client uses in mutual TLS authentication. | true | string |
| tls_client_auth_san_email | The expected email address SAN entry in the certificate that the client uses in mutual TLS authentication. | true | string |
| tls_client_certificate_bound_access_tokens | Indicates whether certificate binding for access token is required. | true | true or false |
| userinfo_signed_response_alg | The user information response JWT signing algorithm. | true | 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512', 'PS256', 'PS384', 'PS512' |
| userinfo_encrypted_response_alg | The user information response JWT encryption algorithm. | true | 'RSA-OAEP', 'RSA-OAEP-256' |
| userinfo_encrypted_response_enc | The user information response JWT encryption content algorithm. | true | 'A128GCM', 'A192GCM', 'A256GCM' |
Example for registering a new application
The following code is a sample request when dynamic client registration is configured to require bearer token authorization.
curl -ki -H "Authorization: bearer <access-token>" -H "Content-Type:application/json" -X POST https://{{tenant}}/oauth2/register --data-binary '{"redirect_uris":["https://www.redirect.com"],"client_name":"MyApplication"}'
response
{
"grant_types": [
"authorization_code"
],
"client_secret_expires_at": "0",
"registration_client_uri": "https://{{tenant}}/oauth2/register/<clientId>",
"client_secret": "<client_secret>",
"redirect_uris": [
"https://www.redirect.com"
],
"client_id_issued_at": "1586933118",
"client_name": "MyApplication",
"registration_access_token": "<access_token>",
"client_id": "<clientId>",
"id_token_signed_response_alg": "RS256"
}
Further configuration of application
After the application is created, you can configure more options for the application, for example, attribute mapping, access policy, identity sources, entitled users, and others. To configure these options, see Configuring single sign-on in the OpenID Connect application or Configuring single sign-on in the OpenID Connect for Open Banking applications.
Update OIDC application by using registration API
The following code is an example of using the registration_access_token from the
previous step as the authorization bearer token and sending a PUT request to modify the client. Note
that changes made to the OIDC application configuration would be overwritten.
curl -ki -H "Authorization: bearer <registration_access_token>" -H "Content-Type:application/json" -X PUT https://{{tenant}}/oauth2/register/<client-id> --data-binary '{"redirect_uris":["https://www.redirect.com/callback"],"client_name":"MyApplication2"}'
Read OIDC application by using registration API
The registration API also provides a way to read the OIDC application again.
curl -ki -H "Authorization: bearer <registration-access-token>" https://{{tenant}}/oauth2/register/<clientId>
Delete OIDC application by using the registration API
The registration API also provides a way to delete the OIDC application.
curl -ki -H "Authorization: bearer <registration-access-token>" -X DELETE https://{{tenant}}/oauth2/register/<clientId>
Registration access token expired
If the registration access token expires, acquire a new access token by using the client ID and secret of the client that was registered. See Acquire initial access token.