Configuring an OpenID Connect Provider to accept client registration requests
The client registration endpoint is an administrator managed service that is used to register, update, delete, and retrieve information about an OpenID Connect Relying Party that intends to use the OpenID Connect Provider. In turn, the registration process can provide information for the Relying Party to use it, including the OAuth 2.0 Client ID and Client Secret, if not specified.
Before you begin
In a local store configuration, the client registration service is limited to only retrieving OpenID Connect Relying Party information. You can modify the server.xml file to add more operations to register, update, or delete an OpenID Connect Relying Party.
In a database store configuration, there is no limitation on the client registration service and all operations are functional through the REST interface.
The client registration endpoint is a protected administration endpoint with the clientManager role. To access this endpoint, the user must be granted the clientManager role by the administrator.
The clientManager role is one of the oauth-roles defined for an oauthProvider. The following is a sample configuration that shows a grant of the clientManager role to the user Alice or members in the clientAdministrator group.
<oauth-roles>
<authenticated>
<special-subject type="ALL_AUTHENTICATED_USERS" />
</authenticated>
<clientManager>
<group name="clientAdministrator" />
<user name="Alice" />
</clientManager>
</oauth-roles>
About this task
Client registration information about an OpenID Connect Relying Party is largely used to define the usage scenario constraints of the client. Additionally, other operations of the OP that are opaque to the client use the client registration metadata to make authorization decisions.
The following example assumes that the Liberty OP is configured with SSL on port 443.
https://server.example.com:443/oidc/endpoint/<provider_name>/registration
The previous example also assumes that the server.xml file is configured with a user name: clientAdmin and password: clientAdminPassword, that uses the oauth-role: clientManager.
The client registration metadata consists of the following parameters:
Attribute Name | Data Type | Required/Optional | Description |
---|---|---|---|
client_id | Input/Output | Optional | The client identifier that is being registered with the OP. Unless specified, this parameter value is generated during registration by default. This is a string. |
client_secret | Input/Output | Optional | The client secret that is being registered with the OP. Unless specified, this parameter value is generated during registration by default. This is a string. During an update operation, the parameter value '*' preserves the existing value. A blank parameter value generates a new client_secret. A non-blank parameter value overrides the existing value with the newly specified value. |
client_name | Input/Output | Optional | A description for the client that is being registered with the OP. Unless specified, this parameter is set to the client_id parameter value by default. This is a string. |
application_type | Input | Optional | The application type that describes the client.
Unless specified, the default value is web. This
is a string. For example, possible values:
|
response_types | Input | Optional | The response type constraints that are used
by this client. Unless specified, the default value is code.
This is a JSON array. For example, possible values are:
For a specific response_type, the corresponding grant_types must be specified. For more information, see response_types at the Client Metadata website. |
grant_types | Input | Optional | The grant type constraints that are used by
this client. Unless specified, the default value is authorization_code.
This is a JSON array. For example, the possible values are:
|
redirect_uris | Input | Optional | The array of redirect URIs to which the client is constrained to. This is a JSON array. |
post_logout_redirect_uris | Input | Optional | The array of post logout redirect URIs to which the client is constrained. This is a JSON array. |
trusted_uri_prefixes | Input | Optional | The array of trusted URI prefixes that the client has deemed safe for sending access tokens. This is a JSON array. |
scope | Input | Optional | The space delimited scope values to which the client is constrained. This is a string. If the client is allowed to request any scope, a value of ALL_SCOPES can be used. |
preauthorized_scope | Input | Optional | The space delimited scope values that the client is preauthorizing that does not require user consent. This is a string. |
subject_type | Input | Optional | The subject type constraint that is described
by the client. This is a string. For example, possible values are:
|
token_endpoint_auth_method | Input | Optional | The token endpoint authentication method constraint
that is used by the client. Unless specified, the default value is client_secret_basic.
This is a string. For example, possible values are:
|
functional_user_id | Input | Optional | This parameter indicates which user ID to associate with a request made on behalf of a client in a client_credentials grant type. This is a string. |
functional_user_groupIds | Input | Optional | A list of group IDs to associate with access
tokens obtained by this client using the client credentials grant
type. The value is a list of group IDs to which the functional user
is a member, where the group IDs are case-sensitive strings. The strings
are defined by the authorization server. If the value contains multiple
group IDs, their order does not matter. If the list is empty, the
claim is omitted. When this client metadata parameter is specified,
the value is returned in the functional_user_groupIds response
parameter from the introspection endpoint for access tokens that are
issued to this client with a client credentials grant. If the functional_user_id parameter
is not used, this parameter is ignored. Note: Authorization Servers
must not trust the client to self-assert this parameter.
|
introspect_tokens | Input | Optional | A parameter value that indicates whether the specified client has the privilege to introspect an access token that is issued by the OP. This is a Boolean value. |
registration_client_uri | Output only | N/A | A parameter that is returned in a response with the value that indicates the unique URL for a registered client. This is a string. |
client_secret_expires_at | Output only | N/A | A parameter that is returned in a response with the value that indicates the number of seconds from 1970-01- 01T0:0:0Z as measured in UTC, at which the client secret expires. The value 0 indicates no expiration time. |
client_id_issued_at | Output only | N/A | A parameter that is returned in a response with the value that indicates the number of seconds from 1970-01- 01T0:0:0Z as measured in UTC, at which the client ID was issued. The value 0 indicates that no client ID issue time was identified. |