Dynamic Client Registration

  • Provides a way for Clients to introduce themselves to Authorization Servers.

    • Allowing Clients to register themselves at runtime.

  • The Authorization Server can then provision a unique Client ID and (where appropriate) a Client Secret to the Client, which are used for all subsequent OAuth transactions.

  • Can be used by native applications (such as mobile apps) to register themselves and have a unique Client ID & Client Secret per instance.

  • Registering a Client with the Authorization Server does not, by itself, entitle the Client to access any resources protected by the Authorization Server.

    • This is a key difference from other security protocols, where the registration event itself carries authority to access resources and therefore must be protected by a strict onboarding process.

  • The Client first discovers the Authorization Server's Client Registration endpoint by requesting the server metadata at: /.well-known/oauth-authorization-server

  • Registration is then performed by sending a simple HTTP request to the Authorization Server's Client Registration Endpoint:

    • The endpoint may be protected by authorization, or it may allow open registration, as in the example below.

REQUEST 

POST /reg HTTP/1.1
Host: oauth-0ab500b504ac233cc0166e0402bd0078.web-security-academy.net
Cookie: _interaction=CFm_EqqiXK3p43Oo0HWu7
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Referer: https://0aa2007c048523e6c0c96e53001600cc.web-security-academy.net/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Content-Type: application/json
Content-Length: 195

{
  "client_name": "Oauth client",
  "redirect_uris": ["http://localhost:9000/callback"],
  "client_uri": "http://localhost:9000",
  "grant_types": ["authorization_code"],
  "scope": "openid"
}

RESPONSE

HTTP/1.1 201 Created
X-Powered-By: Express
Pragma: no-cache
Cache-Control: no-cache, no-store
Content-Type: application/json; charset=utf-8
Date: Tue, 20 Sep 2022 15:25:15 GMT
Connection: close
Content-Length: 968

{
  "application_type": "web",
  "grant_types": ["authorization_code"],
  "id_token_signed_response_alg": "RS256",
  "post_logout_redirect_uris": [],
  "require_auth_time": false,
  "response_types": ["code"],
  "subject_type": "public",
  "token_endpoint_auth_method": "client_secret_basic",
  "introspection_endpoint_auth_method": "client_secret_basic",
  "revocation_endpoint_auth_method": "client_secret_basic",
  "require_signed_request_object": false,
  "request_uris": [],
  "client_id_issued_at": 1663687515,
  "client_id": "Q1bEXlt1GbhCaCoeJzUEw",
  "client_name": "Oauth client",
  "client_secret_expires_at": 0,
  "client_secret": "GMtR7QUNs2HVDEt6SPEinwrGYq-U5d2xrxJVRjjAjZVke70CdCPFLaWvvF0bqMM3KRKcNC8PUGTGt_X8OqKlQA",
  "client_uri": "http://localhost:9000",
  "redirect_uris": ["http://localhost:9000/callback"],
  "scope": "openid",
  "registration_client_uri": "https://oauth-0ab500b504ac233cc0166e0402bd0078.web-security-academy.net/reg/Q1bEXlt1GbhCaCoeJzUEw",
  "registration_access_token": "O8wcy2pH_bmmtnYz1wDUuLIhxHbv8GZtRPLeBnv6ETZ"
}
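The exchange above, worked through in code as an added example (not part of the original notes, the lab, or any real server's implementation): a client-side helper that reads the registration endpoint out of the metadata document, and a server-side handler that validates the registration request body shown above and provisions a client_id, client_secret and registration_access_token in the same shape as the response. The metadata document, the "as.example" host and the optional initial-access-token check that models a protected endpoint are assumptions constructed for the example.

```python
import json
import secrets
import time
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for the metadata document an Authorization Server publishes
# at /.well-known/oauth-authorization-server; "as.example" is a placeholder host.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://as.example",
    "authorization_endpoint": "https://as.example/auth",
    "token_endpoint": "https://as.example/token",
    "registration_endpoint": "https://as.example/reg",
})

# The registration request body from the exchange above.
SAMPLE_REQUEST = json.dumps({
    "client_name": "Oauth client",
    "redirect_uris": ["http://localhost:9000/callback"],
    "client_uri": "http://localhost:9000",
    "grant_types": ["authorization_code"],
    "scope": "openid",
})

ALLOWED_GRANT_TYPES = {"authorization_code", "refresh_token", "client_credentials"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def discover_registration_endpoint(metadata_json: str) -> str:
    """Client side: read the registration endpoint out of the AS metadata."""
    metadata = json.loads(metadata_json)
    endpoint = metadata.get("registration_endpoint")
    if not endpoint:
        raise ValueError("server does not advertise a registration endpoint")
    if urlsplit(endpoint).scheme != "https":
        raise ValueError("registration endpoint must be served over https")
    return endpoint


def validate_redirect_uri(uri: str) -> None:
    """Reject redirect URIs the server should never accept at registration time."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"redirect_uri must be an absolute http(s) URL: {uri}")
    if parts.fragment:
        raise ValueError(f"redirect_uri must not contain a fragment: {uri}")
    # Plain http is tolerated only on the loopback interface (native-app pattern).
    if parts.scheme == "http" and parts.hostname not in LOOPBACK_HOSTS:
        raise ValueError(f"http redirect_uri only allowed on loopback: {uri}")


def register_client(request_json: str, initial_access_token: Optional[str] = None,
                    required_token: Optional[str] = None) -> dict:
    """Server side: validate the registration request and provision credentials.

    When required_token is set the endpoint is protected and the caller must
    present a matching initial access token (assumed protection scheme);
    otherwise registration is open, as in the exchange above. Nothing returned
    here grants access to any protected resource: it only identifies the client.
    """
    if required_token is not None:
        presented = (initial_access_token or "").encode()
        if not secrets.compare_digest(presented, required_token.encode()):
            raise PermissionError("invalid initial access token")
    req = json.loads(request_json)
    redirect_uris = req.get("redirect_uris")
    if not isinstance(redirect_uris, list) or not redirect_uris:
        raise ValueError("redirect_uris is required")
    for uri in redirect_uris:
        validate_redirect_uri(uri)
    grant_types = req.get("grant_types", ["authorization_code"])
    unsupported = set(grant_types) - ALLOWED_GRANT_TYPES
    if unsupported:
        raise ValueError(f"unsupported grant_types: {sorted(unsupported)}")
    return {
        "client_id": secrets.token_urlsafe(16),
        "client_secret": secrets.token_urlsafe(64),
        "client_id_issued_at": int(time.time()),
        "client_secret_expires_at": 0,  # 0 means the secret does not expire
        "client_name": req.get("client_name", ""),
        "redirect_uris": redirect_uris,
        "grant_types": grant_types,
        "response_types": ["code"] if "authorization_code" in grant_types else [],
        "token_endpoint_auth_method": "client_secret_basic",
        "scope": req.get("scope", ""),
        # Bearer secret the client later uses to read or update its own registration.
        "registration_access_token": secrets.token_urlsafe(32),
    }
```

Each call to register_client produces fresh, unrelated credentials, which is what gives every native-app instance its own Client ID and Client Secret; the validation on redirect_uris is where a server decides what an unauthenticated registrant is allowed to bind to before any credentials are issued.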