OIDC Dynamic Clients - Authentication and deployment

There are several considerations when you deploy a definition that allows clients to be registered through a public API.

Consider the following factors:
Do you require authentication to register a client?
If you do not require authentication when a client is registered, there is no way of identifying who owns a client application.
CAUTION:
This is a higher risk deployment pattern than if you require authentication.
You can control access to the registration endpoint with an Access Control List (ACL). The reverse proxy OAuth configuration API configures the ACLs with the "Require authentication to register a client" option. Group-based requirements can also be added to ensure that only administrators or trusted users can register clients. The authenticated user's credential information is available in the STSUniversalUser attribute list during the registration. This information can be associated with the registered client for use during the consent step, informing the end user who the application administrator is.
What consent challenges are sent to the resource owner?
Because dynamic clients are inherently less trusted than an administrator-registered client, the user's consent carries more weight in the delegated authorization. When and how consent is performed depends on who is able to register a client. Dynamic client parameters such as client_uri are available on the consent page as a macro. You can use this parameter and other values (for example, tos_uri, logo_uri, policy_uri) to allow the user to identify, discover, and verify who a client is before granting it access.
Will you issue a client secret?
A client secret allows access to the client-centric API endpoints such as /token and /introspect, and also allows the client to perform HMAC signing of JWTs. Without a client secret, an authorization code flow cannot be performed. When the configuration property "issue client secret" is enabled, a client secret is issued when the registration is made by an authenticated party.
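
The three decisions above, modelled as a single registration policy check in JavaScript. This is an added example, not the product's code or API: the request shape, the `user` object, the group name `client-admins` and the https-only rule for consent-page URIs are all assumptions.

```javascript
// Added example: models the registration decisions discussed on this page.
// Not the product's API; every name and the request shape are assumptions.
const crypto = require("crypto");

const POLICY = {
  requireAuthentication: true,      // "Require authentication to register a client"
  allowedGroups: ["client-admins"], // hypothetical group name
  issueClientSecret: true,          // "issue client secret"
};

// Only well-formed https URIs are passed on to the consent page (assumed rule).
function displayableUri(value) {
  try { return new URL(value).protocol === "https:" ? value : null; }
  catch { return null; }
}

// user: null for an anonymous caller, otherwise { name, groups } taken from the
// authenticated credential (the page's STSUniversalUser attribute list).
function registerClient(metadata, user, policy = POLICY) {
  if (policy.requireAuthentication) {
    if (!user) return { ok: false, error: "authentication_required" };
    const inGroup = user.groups.some((g) => policy.allowedGroups.includes(g));
    if (!inGroup) return { ok: false, error: "not_authorized_to_register" };
  }
  const client = {
    client_id: crypto.randomUUID(),
    client_name: String(metadata.client_name || ""),
    // Owner is recorded so the consent page can name the application administrator.
    registered_by: user ? user.name : null,
    consent: {},
  };
  for (const key of ["client_uri", "tos_uri", "policy_uri"]) {
    client.consent[key] = displayableUri(metadata[key]);
  }
  // A secret is issued only when the registration is made by an authenticated party.
  if (policy.issueClientSecret && user) {
    client.client_secret = crypto.randomBytes(32).toString("base64url");
  }
  return { ok: true, client };
}
```

With `requireAuthentication` set to false, an anonymous registration succeeds but the record has no owner and no secret, which is the higher-risk pattern the CAUTION above describes.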