OIDC Dynamic Clients - Register a client

To register a client, issue an HTTP POST to the Client Registration Endpoint.

See OAuth 2.0 endpoints.

Any values which are posted in the JSON body are stored such that both standard values and custom values can be kept. These values are available in mapping rules and in a macro on the consent page.

Previously the status code for a successful registration was 200, but the specification mandates a 201. Dynamic client registration now returns a 201 status code for a successful registration to comply with the specification. The following is an example request to register a client:

POST_DATA='{"redirect_uris": [ "https://app.com"],
     "tos_uri":"https://app.com/tos",
     "company_name":"Applications Inc"}'

curl https://myisam.com/mga/sps/oauth/oauth20/register/mydefinition -d "$POST_DATA" -H "Accept: application/json" -H "Authorization: Bearer myAccessToken" -H "Content-type: application/json"

HTTP/1.1 201 Created
Content-Type: application/json

{
"client_secret_expires_at": 0,
"owner_username": "testuser",
"company_name": "Applications Inc",
"registration_client_uri": "https://myisam.com/mga/sps/oauth/oauth20/register/testDef?client_id=myClient",
"client_secret": "mySecret",
"tos_uri": "https://app.com/tos",
"client_id_issued_at": 1522139359,
"redirect_uris": "https://app.com",
"registration_access_token": "myClientAccessToken",
"client_id": "myClientId"
}

An HTTP transformation rule can be used to return a 200 instead to retain the old behavior. See Dynamic client registration.

In IBM® Verify Identity Access version 10.0.4, to register a client, issue an HTTP POST to the Client Registration Endpoint with a signed JSON Web Token as the input. This supports the Dynamic Client Registration specification for UK Open Banking and other specifications that require it.

The following demonstrates how to register a client by issuing an HTTP POST to the Client Registration Endpoint with a signed JSON Web Token as the input (note the Content-type of application/jose):
POST_DATA= 
eyJhbGciOiJQUzI1NiIsImtpZCI6Im9ZY1puQmpMQlR5TXhwUHJiMUNQVW91bDJhQWdrRV8zTnJyOG15bXN3Q1UiLC
J0eXAiOiJKV1QifQ.eyJhcHBsaWNhdGlvbl90eXBlIjoid2ViIiwiYXVkIjoiSUJNIiwiZXhwIjoxNjQ0Mzk4NzYwLC
JncmFudF90eXBlcyI6WyJhdXRob3JpemF0aW9uX2NvZGUiLCJjbGllbnRfY3JlZGVudGlhbHMiXSwiaWF0IjoxNjQ0Mz
k1MTYwLCJpZF90b2tlbl9zaWduZWRfcmVzcG9uc2VfYWxnIjoiUFMyNTYiLCJpc3MiOiI2NWQxZjI3Yy00YWVhLTQ1ND
ktOWMyMS02MGU0OTVhN2E4NmYiLCJqdGkiOiI5MGFmYmNhOC00Y2UyLTQ4MDYtOGJlMS02MmIzZTdkNDFiMDkiLCJyZW
RpcmVjdF91cmlzIjpbImh0dHBzOi8vd3d3Lm15c3AuaWJtLmNvbS9pc2FtL3Nwcy9vaWRjL3JwL2lzYW1ycC9raWNrb2Z
mL3BhcnRuZXIiXSwicmVxdWVzdF9vYmplY3Rfc2lnbmluZ19hbGciOiJQUzI1NiIsInJlc3BvbnNlX3R5cGVzIjpbImNv
ZGUiLCJjb2RlIGlkX3Rva2VuIl0sInNjb3BlIjoiYWNjb3VudHMgb3BlbmlkIiwic29mdHdhcmVfc3RhdGVtZW50IjoiZ
XlKcmFXUWlPaUp2V1dOYWJrSnFURUpVZVUxNGNGQnlZakZEVUZWdmRXd3lZVUZuYTBWZk0wNXljamh0ZVcxemQwTlZJaX
dpWVd4bklqb2lVRk15TlRZaWZRLmV5SnpiMlowZDJGeVpWOWxiblpwY205dWJXVnVkQ0k2SW5CeWIyUjFZM1JwYjI0aUx
DSmhkV1FpT2lKMFpYTjBZWFZrSWl3aWMyOW1kSGRoY21WZmFXUWlPaUkyTldReFpqSTNZeTAwWVdWaExUUTFORGt0T1dN
eU1TMDJNR1UwT1RWaE4yRTRObVlpTENKemIyWjBkMkZ5WlY5dGIyUmxJam9pYkdsMlpTSXNJbTl5WjE5cFpDSTZJbUUxTT
JFMlpqazNMV1V3TjJNdE5ESTBNQzFoTURSbUxXRXdZV1kyT1RZek1XUTVaaUlzSW5OdlpuUjNZWEpsWDJwM2EzTmZaVzVr
Y0c5cGJuUWlPaUpvZEhSd2N6b3ZMekU1TWk0eE5qZ3VOREl1TWpBekwzTndjeTlxZDJ0eklpd2ljMjltZEhkaGNtVmZjbV
ZrYVhKbFkzUmZkWEpwY3lJNklsdGNJbWgwZEhCek9pOHZkM2QzTG0xNWMzQXVhV0p0TG1OdmJTOXBjMkZ0TDNOd2N5OXZhV
1JqTDNKd0wybHpZVzF5Y0M5cmFXTnJiMlptTDNCaGNuUnVaWEpjSWl4Y0ltaDBkSEJ6T2k4dmQzZDNMbTE1YzNBdWFXS
nRMbU52YlM5cGMyRnRMM053Y3k5dmFXUmpMM0p3TDJsellXMXljQzlyYVdOcmIyWm1MM0JoY25SdVpYSXlYQ0pkSW
l3aWMyOW1kSGRoY21WZlkyeHBaVzUwWDI1aGJXVWlPaUpQY0dWdVFtRnVhMmx1WnlCRGJHbGxiblF4SUU1aGJXVWlM
Q0pwYzNNaU9pSlBjR1Z1UW1GdWEybHVaeUJVWlhOME1TSXNJbk52Wm5SM1lYSmxYMk5zYVdWdWRGOXBaQ0k2SWs5d1pX
NUNZVzVyYVc1bklFTnNhV1Z1ZERFaUxDSmxlSEFpT2pFMk5ETTROamt6TnpNc0ltcDBhU0k2SW1SclRrRlpaMFJWV0ZJ
aUxDSnBZWFFpT2pFMk5ETTROamczTnpNc0ltNWlaaUk2TVRZME16ZzJPRGd6TTMwLk1Jc1RlS2R3RWZreVJKR2JORDMx
aDU3U1Y4WWxyZF9JNGlodExHaVllUi1pSjhPRVZ3VHRsQ1NkNC1FQUZMd0NBVkt1TjVQb2o3ampYWTlONEVIWVFSYnlM
V2Qtekd1V0tnNC14Rm81YVdvUmpGb3UtUzF4aGlOcTdkRndLaTM3Z09jcUthS3ZsMkgxZFlrVnlydmdBX2o0akxXWGdK
MUJSWU1NWEt3WlZrX1JfWUFOUkhvNVNRcFdVeXhwcGRTbHhJY2NqNUhSNkZKSmZjNDlXc0N0U1RqbGVPRU90ZWxJeWNF
TzFzSVhNNFYwdnF0UmdBcFUxSnBWZ1EzbUh0eEVzLWtIdmpJNUQyeUJYcElwU2lyRjJjWmR3SWtDWld1OXN4elhJMGJw
alhIWDNwd2FnQ3A5UjBpOWV1dDJ3a0RKdjlGNWJENVRlNHFPMUs1ZWVPMHRFQSIsInRsc19jbGllbnRfYXV0aF9zdWJq
ZWN0X2RuIjoiNjVkMWYyN2MtNGFlYS00NTQ5LTljMjEtNjBlNDk1YTdhODZmIiwidG9rZW5fZW5kcG9pbnRfYXV0aF9tZX
Rob2QiOiJ0bHNfY2xpZW50X2F1dGgifQ.KTg6vNIERJoLRnDtrmGjF_Fri8diVN7hMfwSntdhbWatcFzUgyTB3GsyadisH
5g3MVagTRplFC83nDNoFbGIj5HFYGddhsQdcveGQ0SWN__GYJHPEOt4p8XdemGQlf9KheNF_eRNM-qI3VBEnvGBPOaWlXVB
FpIYQ-1XMQF-xzvGlglPCnGDVC2gbEO6k9zzl1f-5U78mDPVP4A_s4GWwabXIB-Wp0Jq2Y0jipyJtGci2E35dK_vTaaf7ZS
qM0rQZuH4EbXdqDmHPuuW4AMFc-ZyUXlF8JXggn33poObWZMa_fFkid7Suk7-fV_8hqhDVK6msEfE5x-vRE6AF5CBBw


curl https://myisam.com/mga/sps/oauth/oauth20/register/mydefinition -d "$POST_DATA" -H "Accept: application/json" -H "Authorization: Bearer myAccessToken" -H "Content-type: application/jose"

The decoded payload of the signed JSON Web Token in the request above is:

{
  "application_type": "web",
  "aud": "IBM",
  "exp": 1644398760,
  "grant_types": [
    "authorization_code",
    "client_credentials"
  ],
  "iat": 1644395160,
  "id_token_signed_response_alg": "PS256",
  "iss": "65d1f27c-4aea-4549-9c21-60e495a7a86f",
  "jti": "90afbca8-4ce2-4806-8be1-62b3e7d41b09",
  "redirect_uris": [
    "https://www.mysp.ibm.com/isam/sps/oidc/rp/isamrp/kickoff/partner"
  ],
  "request_object_signing_alg": "PS256",
  "response_types": [
    "code",
    "code id_token"
  ],
  "scope": "accounts openid",
  "software_statement": "eyJraWQiOiJvWWNabkJqTEJUeU14cFByYjFDUFVvdWwyYUFna0VfM05ycjhteW1
                         zd0NVIiwiYWxnIjoiUFMyNTYifQ.eyJzb2Z0d2FyZV9lbnZpcm9ubWVudCI6InBy
                         b2R1Y3Rpb24iLCJhdWQiOiJ0ZXN0YXVkIiwic29mdHdhcmVfaWQiOiI2NWQxZjI3
                         Yy00YWVhLTQ1NDktOWMyMS02MGU0OTVhN2E4NmYiLCJzb2Z0d2FyZV9tb2RlIjoib
                         Gl2ZSIsIm9yZ19pZCI6ImE1M2E2Zjk3LWUwN2MtNDI0MC1hMDRmLWEwYWY2OTYzMW
                         Q5ZiIsInNvZnR3YXJlX2p3a3NfZW5kcG9pbnQiOiJodHRwczovLzE5Mi4xNjguNDIu
                         MjAzL3Nwcy9qd2tzIiwic29mdHdhcmVfcmVkaXJlY3RfdXJpcyI6IltcImh0dHBzOi8
                         vd3d3Lm15c3AuaWJtLmNvbS9pc2FtL3Nwcy9vaWRjL3JwL2lzYW1ycC9raWNrb2ZmL3B
                         hcnRuZXJcIixcImh0dHBzOi8vd3d3Lm15c3AuaWJtLmNvbS9pc2FtL3Nwcy9vaWRjL3Jw
                         L2lzYW1ycC9raWNrb2ZmL3BhcnRuZXIyXCJdIiwic29mdHdhcmVfY2xpZW50X25hbWUiOiJP
                         cGVuQmFua2luZyBDbGllbnQxIE5hbWUiLCJpc3MiOiJPcGVuQmFua2luZyBUZXN0MSIsI
                         nNvZnR3YXJlX2NsaWVudF9pZCI6Ik9wZW5CYW5raW5nIENsaWVudDEiLCJleHAiOjE2NDM4NjkzNzMsImp
                         0aSI6ImRrTkFZZ0RVWFIiLCJpYXQiOjE2NDM4Njg3NzMsIm5iZiI6MTY0Mzg2ODgzM30.MIsTeKdwEfk
                         yRJGbND31h57SV8Ylrd_I4ihtLGiYeR-iJ8OEVwTtlCSd4-EAFLwCAVKuN5Poj7jjXY9N4EHYQRbyLWd-
                         zGuWKg4-xFo5aWoRjFou-S1xhiNq7dFwKi37gOcqKaKvl2H1dYkVyrvgA_j4jLWXgJ1BRYMMXKwZVk_R_YA
                         NRHo5SQpWUyxppdSlxIccj5HR6FJJfc49WsCtSTjleOEOtelIycEO1sIXM4V0vqtRgApU1JpVgQ3mHtxEs-
                         kHvjI5D2yBXpIpSirF2cZdwIkCZWu9sxzXI0bpjXHX3pwagCp9R0i9eut2wkDJv9F5bD5Te4qO1K5eeO0tEA",
  "tls_client_auth_subject_dn": "65d1f27c-4aea-4549-9c21-60e495a7a86f",
  "token_endpoint_auth_method": "tls_client_auth"
}

The signed JSON Web Token is handled by an out-of-the-box (OOTB) STS chain called OIDC_DCR Request JOSE. The issuer is validate/dcr/issuer and it applies to Validate/dcr/appliesto. The default mapping rule is DCR_ValidateJWT_RequestJWT.js.

The software_statement in the request is itself a signed JSON Web Token that asserts metadata values about the client software. The signature of the request is validated against the JWKS information referenced in the software_statement. The following is an example of the decoded software_statement payload:
{
  "software_environment": "production",
  "aud": "testaud",
  "software_id": "65d1f27c-4aea-4549-9c21-60e495a7a86f",
  "software_mode": "live",
  "org_id": "a53a6f97-e07c-4240-a04f-a0af69631d9f",
  "software_jwks_endpoint": "https://softare_company1/jwks",
  "software_redirect_uris": "[\"https://www.mysp.ibm.com/isam/sps/oidc/rp/isamrp/kickoff/partner\",\"https://www.mysp.ibm.com/isam/sps/oidc/rp/isamrp/kickoff/partner2\"]",
  "software_client_name": "OpenBanking Client1 Name",
  "iss": "OpenBanking Test1",
  "software_client_id": "OpenBanking Client1",
  "exp": 1643869373,
  "jti": "dkNAYgDUXR",
  "iat": 1643868773,
  "nbf": 1643868833
}

The software_statement is validated by another OOTB STS chain called OIDC_SSA_JWT_STSChain. The issuer is validate/ssa/issuer and it applies to validate/ssa/appliesto. The STS chain exposes a mapping module so that region-specific information in the software_statement can be validated.

The default STS mapping rule is called DCR_ValidateSSA_SSAJWT.js.

The signature of the software_statement is validated, and the mapping rule then validates the signature algorithm, expiry, and certificate-related information.
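As an added example that is not IBM's code nor the DCR_ValidateSSA_SSAJWT.js rule, the Python below performs the claim-level checks this section describes on a DCR request and its embedded software_statement: a signature-algorithm allowlist, the expiry and nbf windows, and consistency between the request's redirect_uris and the software_statement's software_redirect_uris (which, as the page shows, is a JSON array serialised inside a string). It assumes signature verification against the software_statement JWKS is done separately by the STS chain; make_unsigned_token is a constructed test helper and CLOCK_SKEW is an assumed tolerance.

```python
import base64, json, time

ALLOWED_ALGS = {"PS256"}  # the page's request_object_signing_alg; "none" and HMAC algs are rejected
CLOCK_SKEW = 60  # seconds of tolerance (assumption)

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def decode_jwt_unverified(token):
    """Split a compact JWS into (header, claims); the signature is NOT checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def make_unsigned_token(header, claims):
    """Constructed test helper only: builds a compact JWS with a dummy signature segment."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc(header) + "." + enc(claims) + ".dummy-signature"

def check_dcr_request(token, now=None):
    """Return the list of claim problems; an empty list means the request passes these checks."""
    now = time.time() if now is None else now
    header, claims = decode_jwt_unverified(token)
    problems = []
    if header.get("alg") not in ALLOWED_ALGS:
        problems.append("request alg %r not allowed" % header.get("alg"))
    missing = [c for c in ("iss", "jti", "iat", "exp", "software_statement", "redirect_uris") if c not in claims]
    if missing:
        return problems + ["missing claim " + c for c in missing]
    if claims["exp"] < now - CLOCK_SKEW:
        problems.append("request expired")
    if claims["iat"] > now + CLOCK_SKEW:
        problems.append("request iat is in the future")
    ssa_header, ssa = decode_jwt_unverified(claims["software_statement"])
    if ssa_header.get("alg") not in ALLOWED_ALGS:
        problems.append("software_statement alg %r not allowed" % ssa_header.get("alg"))
    if not (ssa.get("nbf", 0) - CLOCK_SKEW <= now <= ssa.get("exp", 0) + CLOCK_SKEW):
        problems.append("software_statement outside its nbf/exp window")
    # On the page software_redirect_uris is a JSON array serialised inside a string, so parse it.
    allowed = set(json.loads(ssa.get("software_redirect_uris", "[]")))
    for uri in claims["redirect_uris"]:
        if uri not in allowed:
            problems.append("redirect_uri not listed in software_statement: " + uri)
    if claims["iss"] != ssa.get("software_id"):
        problems.append("request iss does not match software_statement software_id")
    return problems
```
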

The following example demonstrates the registration response upon successful registration of the client:
{
"software_mode": "live",
"software_redirect_uris": "[\"https://www.mysp.ibm.com/isam/sps/oidc/rp/isamrp/kickoff/partner\",\"https://www.mysp.ibm.com/isam/sps/oidc/rp/isamrp/kickoff/partner2\"]",
"application_type": "web",
"software_client_name": "OpenBanking Client1 Name",
"owner_username": "__$mtls$__",
"iss": "65d1f27c4aea45499c21",
"tls_client_auth_subject_dn": "CN=www.myidp.ibm.com",
"registration_client_uri": "https://www.myidp.ibm.com/mga/sps/oauth/oauth20/register/OIDCDefinition/bx9XOis7F12VUJbjQ8Ft",
"registration_access_token": "Sf6omEzVHJP9Kqg0r1jptffE5SHzRPfL",
"token_endpoint_auth_method": "tls_client_auth",
"client_id": "bx9XOis7F12VUJbjQ8Ft",
"software_statement": "eyJraWQiOiJvWWNabkJqTEJUeU14cFByYjFDUFVvdWwyYUFna0VfM05ycjhteW1zd0NVIiwiYWx
                       nIjoiUFMyNTYifQ.eyJzb2Z0d2FyZV9lbnZpcm9ubWVudCI6InByb2R1Y3Rpb24iLCJhdWQiOiJ0
                       ZXN0YXVkIiwic29mdHdhcmVfaWQiOiI2NWQxZjI3YzRhZWE0NTQ5OWMyMSIsInNvZnR3YXJlX21vZ
                       GUiOiJsaXZlIiwib3JnX2lkIjoiYTUzYTZmOTctZTA3Yy00MjQwLWEwNGYtYTBhZjY5NjMxZDlmIiw
                       ic29mdHdhcmVfandrc19lbmRwb2ludCI6Imh0dHBzOi8vOS4xMjcuMTMuMzMvc3BzL2p3a3MiLCJzb2Z0
                       d2FyZV9yZWRpcmVjdF91cmlzIjoiW1wiaHR0cHM6Ly93d3cubXlzcC5pYm0uY29tL2lzYW0vc3BzL29pZGM
                       vcnAvaXNhbXJwL2tpY2tvZmYvcGFydG5lclwiLFwiaHR0cHM6Ly93d3cubXlzcC5pYm0uY29tL2lzYW0vc3Bz
                       L29pZGMvcnAvaXNhbXJwL2tpY2tvZmYvcGFydG5lcjJcIl0iLCJzb2Z0d2FyZV9jbGllbnRfbmFtZSI6Ik9
                       wZW5CYW5raW5nIENsaWVudDEgTmFtZSIsImlzcyI6IjY1ZDFmMjdjNGFlYTQ1NDk5YzIxIiwic29md
                       HdhcmVfY2xpZW50X2lkIjoiT3BlbkJhbmtpbmcgQ2xpZW50MSJ9.lRuFpHfg8SWaNcK6SMyRBrxul2an3ead2
                       jcVxyy3QAyEIZL8qWYuC-HiyCjlmMXRU-DMW_WaQdl6SUDTEzPM57h-djWsyRRlbA0FgoEf4-8eKEo1lclIDy57n
                       Ck92zmPmBsdDg4pnfCRbd8SEmRp3EMpWjugW3jgBfBBNZ0jKdWLao3km5B9dHF2ErzCghem3Y2w6sgAQIIW2yhCbtk-
                       33jDuhKoXFRQuvMobmRg4aZYzgSzhQiyMVJY3FjqpZzp6soyb_pRGZ8vyeoloNMSYl45hzMGOt5BL6UZOrApAXJ
                       Qosqxbo41px1ZsPkXNwEo0eyRfX2OQEZx122rqqTgoQ",  
"software_id": "65d1f27c4aea45499c21",
"scope": "accounts openid",
"software_environment": "production",
"client_id_issued_at": 1647835807,
"exp": 1647839407,
"iat": 1647835807,
"jti": "8373d3c0-4d64-44e2-85c8-73b5f656fa74",
"id_token_signed_response_alg": "PS256",
"grant_types": [
"authorization_code",
"client_credentials"
],
"software_client_id": "OpenBanking Client1",
"redirect_uris": [
"https://www.mysp.ibm.com/isam/sps/oidc/rp/isamrp/kickoff/partner"
],
"software_jwks_endpoint": "https://company.com/jwks",
"aud": "testaud",
"org_id": "a53a6f97-e07c-4240-a04f-a0af69631d9f",
"request_object_signing_alg": "PS256",
"response_types": [
"code",
"code id_token"
]
}

If the FAPI-compliant flag is enabled for the registered client, the format of registration_client_uri in the response is modified.

This is done with a modification to the post_token mapping rule, which moves the client ID from the client_id query parameter into the path of the URI. For example:

// Read the registration_client_uri and client_id that the registration flow placed in the response attributes.
var registration_client_uri = stsuu.getContextAttributes().getAttributeValueByNameAndType("registration_client_uri","urn:ibm:names:ITFIM:oauth:response:attribute");

var client_id = stsuu.getContextAttributes().getAttributeValueByNameAndType("client_id","urn:ibm:names:ITFIM:oauth:response:attribute");

IDMappingExtUtils.traceString("Original registration_client_uri : "+registration_client_uri);

// Only rewrite the URI for a dynamic client registration request.
if(request_type == "client_register"){

  if(registration_client_uri != null && client_id != null){

    // Drop the original attribute so the rewritten value replaces it rather than being added alongside.
    stsuu.getContextAttributes().removeAttributeByNameAndType("registration_client_uri","urn:ibm:names:ITFIM:oauth:response:attribute");

    // The value is a Java String, so split("\\?") is a regex split on the literal "?":
    // ".../register/OIDCDefinition?client_id=abc" becomes ".../register/OIDCDefinition/abc".
    var new_registration_uri = registration_client_uri.split("\\?")[0] + "/" + client_id;

    IDMappingExtUtils.traceString("New registration_client_uri : "+new_registration_uri);

    stsuu.addContextAttribute(new com.tivoli.am.fim.trustserver.sts.uuser.Attribute("registration_client_uri","urn:ibm:names:ITFIM:oauth:response:attribute",new_registration_uri));
  }
}