Dynamic client registration
Dynamic Client Registration allows the OpenID Connect (OIDC) Relying Party (RP) to register itself with the OpenID Connect Provider (OP).
Before you begin
Dynamic Client Registration is based on OpenID Connect Dynamic Client Registration 1.0 specifications.
New OIDC applications are created by a tenant administrator or a user with administrative access to the tenant. Now, an API client with the right entitlement can also create an OIDC application through a dynamic client registration endpoint. The application that is created is a "custom application" with the sign-on method set to OpenID Connect.
The dynamic client registration endpoint is located at:
https://{{tenant}}/v1.0/endpoint/default/client_registration
Consider using the new dynamic client registration endpoint if it meets your requirements. For more information, see Dynamic client registration with new OpenID Connect provider.
About this task
To dynamically register a client, acquire an initial access token, and then register the new OIDC application by using the registration API.
Before you register a new client, check the dynamic client registration settings.
Dynamic client registration settings
The dynamic client registration settings can be configured to set the default values for dynamic client registration. See Configuring OIDC dynamic client registration settings.
The relevant settings are described in the following table.
| Field | Description |
|---|---|
| Grant types | The grant types to use if not specified in the dynamic client registration payload. The supported grant types are 'Authorization code', 'Implicit', 'Password', 'Device flow', 'JWT bearer', and 'Refresh token'. |
| ID Token Claims | The default claims for ID token and user information if not specified in the dynamic client registration payload. |
| Token Claims | The default claims for introspection and JWT access token if not specified in the dynamic client registration payload. |
| Access token type | The type of access token to be generated. The valid values are 'default' and 'JWT'. |
| ID token signing algorithm | The algorithm used to sign ID tokens if not specified in the dynamic client registration payload. |
| User consent | Select whether to ask for user consent if not specified in the dynamic client registration payload. |
| Access token lifetime | The access token lifetime in seconds. Maximum 2147483647, minimum 1. |
| Refresh token lifetime | The refresh token lifetime in seconds. Maximum 2147483647, minimum 1. |
| Enforce PKCE verification | Select whether to enforce PKCE if not specified in the dynamic client registration payload. |
| Entitle to all users | Determine whether all users are entitled to use this client if not specified in the dynamic client registration payload. |
| Allow custom client credentials | Determines whether custom client credentials are allowed. If set to 'false', client ID and secret cannot be specified in the dynamic client registration payload. |
The 'Software statement', 'Request authorization', and 'Registration access token' sections of the settings are not relevant to this OpenID Connect provider.
Acquire initial access token
To access the dynamic client registration endpoint, use an access token with the Manage OIDC client registration dynamically entitlement.
Create an API client with the Manage OIDC client registration dynamically entitlement. To create the API client, see Creating API clients.
After the API Client is created, use the client_credentials flow to get the access token. See the following example:
curl -ki -v https://{{tenant}}/v1.0/endpoint/default/token -d "grant_type=client_credentials&client_id=<clientId>&client_secret=<clientSecret>"
Register New Application by using Registration API
By using the access token produced in the preceding section, you can create a new OIDC application.
The following table lists the client metadata that is currently supported.
| Metadata name | Metadata description | Optional | Valid values |
|---|---|---|---|
| client_name | Application Name | true | string |
| client_id | The client ID is automatically generated if it is not provided. | true | string |
| client_secret | The client secret is automatically generated if it is not provided. | true | string |
| redirect_uris | List of redirect URIs. | false | list of string URI |
| grant_types | Array of grant types that the application can use. | true | 'authorization_code', 'implicit', 'password', 'urn:ietf:params:oauth:grant-type:device_code', 'urn:ietf:params:oauth:grant-type:jwt-bearer', and 'refresh_token' |
| id_token_signed_response_alg | Token signing algorithm. | true | 'RS256', 'RS384', 'RS512', 'HS256', 'HS384', 'HS512', 'ES256', 'ES384', 'ES512', 'PS256', 'PS384', 'PS512' |
| all_users_entitled | Set to true if all users are entitled to use this application. | true | true or false |
| jwks_uri | URL of the Client's JSON Web Key Set document. | true | URL |
| consent_action | Request for user consent. | true | 'never_prompt' or 'always_prompt' |
| enforce_pkce | Enforce the usage of PKCE. | true | true or false |
| id_token_claims | List of claims for id_token and user information. | true | list of string |
| token_claims | List of claims for introspect and JWT access token. | true | list of string |
| initiate_login_uri | The URL to start login. | true | URL |
| token_endpoint_auth_method | Client authentication method for the token endpoint. | true | 'default', 'client_secret_basic', 'client_secret_post', 'client_secret_jwt', 'private_key_jwt' |
Example for registering a new application
curl -ki -H "Authorization: bearer <access-token>" -H "Content-Type:application/json" -X POST https://{{tenant}}/v1.0/endpoint/default/client_registration --data-binary '{"redirect_uris":["https://www.redirect.com"],"client_name":"MyApplication"}'
Response:
{
  "grant_types": [
    "authorization_code"
  ],
  "client_secret_expires_at": "0",
  "registration_client_uri": "https://{{tenant}}/v1.0/endpoint/default/client_registration/<clientId>",
  "client_secret": "<client_secret>",
  "redirect_uris": [
    "https://www.redirect.com"
  ],
  "client_id_issued_at": "1586933118",
  "client_name": "MyApplication",
  "registration_access_token": "<access_token>",
  "client_id": "<clientId>",
  "id_token_signed_response_alg": "RS256"
}
Further configuration of application
After the application is created, more options exist that you can configure for the application, for example, attribute mapping, access policy, identity sources, entitled users, and others. To configure these options, see Configuring single sign-on in the OpenID Connect provider.
The option to update by using the registration API is not supported.
Read OIDC application by using registration API
curl -ki -H "Authorization: bearer <registration-access-token>" https://{{tenant}}/v1.0/endpoint/default/client_registration/<clientId>
Delete OIDC application by using registration API
The registration API also provides a way to delete the OIDC application.
curl -ki -H "Authorization: bearer <registration-access-token>" -X DELETE https://{{tenant}}/v1.0/endpoint/default/client_registration/<clientId>
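The registration flow above, as an added Python helper that is not part of this documentation or the product's own tooling: it validates a registration payload against the supported metadata table before building the POST, and parses the registration response while checking that registration_client_uri stays on the tenant host, so the per-client registration access token is never sent to another host. The tenant name, tokens and the sample response are constructed placeholders, and the HTTP requests are returned as tuples rather than sent, so it runs offline.

```python
import json
from urllib.parse import urlparse

# Accepted values, taken from the metadata table on this page.
ENUMS = {
    "grant_types": {"authorization_code", "implicit", "password", "refresh_token",
                    "urn:ietf:params:oauth:grant-type:device_code",
                    "urn:ietf:params:oauth:grant-type:jwt-bearer"},
    "id_token_signed_response_alg": {p + s for p in ("RS", "HS", "ES", "PS")
                                     for s in ("256", "384", "512")},
    "token_endpoint_auth_method": {"default", "client_secret_basic", "client_secret_post",
                                   "client_secret_jwt", "private_key_jwt"},
    "consent_action": {"never_prompt", "always_prompt"},
}
SUPPORTED = set(ENUMS) | {"client_name", "client_id", "client_secret", "redirect_uris",
                          "all_users_entitled", "jwks_uri", "enforce_pkce",
                          "id_token_claims", "token_claims", "initiate_login_uri"}

# Constructed sample with the shape of the registration response shown on this page.
SAMPLE_RESPONSE = json.dumps({
    "client_id": "example-client-id", "client_secret": "example-secret",
    "registration_client_uri": "https://tenant.example/v1.0/endpoint/default/client_registration/example-client-id",
    "registration_access_token": "example-rat", "redirect_uris": ["https://www.redirect.com"]})

def registration_request(tenant, access_token, meta):
    """Validate meta against the table and return the POST as (method, url, headers, body)."""
    if set(meta) - SUPPORTED:  # assumption: refuse keys the table does not list
        raise ValueError(f"unsupported metadata: {sorted(set(meta) - SUPPORTED)}")
    uris = meta.get("redirect_uris")  # the only mandatory field
    if not uris or any(not (urlparse(u).scheme and urlparse(u).netloc) for u in uris):
        raise ValueError("redirect_uris must be a non-empty list of absolute URIs")
    for key, allowed in ENUMS.items():
        vals = meta.get(key, [])
        bad = [v for v in (vals if isinstance(vals, list) else [vals]) if v not in allowed]
        if bad:
            raise ValueError(f"{key}: unsupported value(s) {bad}")
    return ("POST", f"https://{tenant}/v1.0/endpoint/default/client_registration",
            {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
            json.dumps(meta))

def parse_registration(tenant, body):
    """Keep only the per-client credentials; refuse a registration_client_uri off the
    tenant host so the registration access token is never sent elsewhere."""
    reg = json.loads(body)
    if urlparse(reg["registration_client_uri"]).netloc != tenant:
        raise ValueError("registration_client_uri is not on the tenant host")
    return {k: reg[k] for k in ("client_id", "registration_client_uri",
                                "registration_access_token")}
```

The returned registration_access_token, not the initial access token, is what the GET and DELETE calls above expect in their Authorization header.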
Registration access token expired
If the registration access token expires, acquire a new access token. See Acquire initial access token.