Dynamic Registration

/openid/connect/register
otk41
The /openid/connect/register API implements the Dynamic Registration feature as specified at http://openid.net/specs/openid-connect-registration-1_0.html. Clients accessing this API can register themselves as OAuth clients for this OpenID Connect Provider.
The API generates an access_token with the openid_client_registration scope. This access token can be used at the API specified as "registration_client_uri" in the response of this API.
Supported Claims
The tables in this section list supported claims.
The following restrictions apply to dynamic registrations:
  • The API accepts only those requested claim values that are specified in the JSON response of the discovery endpoint. See OpenID Connect Discovery. Unsupported values are set to default values.
  • Clients can only be registered once with the same values.
  • The following characters are not accepted in registrations and cause the request to fail: < > & "
OpenID Connect Specified Claims
For claim details, see the OpenID Connect specification: http://openid.net/specs/openid-connect-registration-1_0.html.

Supported claims with notes:

redirect_uris
  The redirect_uris claim is required. The following restrictions apply to each redirect_uri value:
  - For application_type: web, only the https:// scheme is allowed. The hostname cannot be localhost.
  - For application_type: native, only custom schemes are allowed. The http:// scheme is accepted only if the hostname is localhost.
  - No anchors (#) are allowed.

response_types
  When sending authorization requests using a response_type, only the response_type values configured in the OpenID Connect Discovery are valid. The response_type in the dynamic registration request must match exactly what is returned by the discovery endpoint.

sector_identifier_uri
  The expected implementation of a unique sub value for each sector identifier when pairwise subject identifiers are used is not yet supported.

Supported claims without additional notes:
  • grant_types
  • application_type
  • contacts
  • client_name
  • subject_type
  • id_token_signed_response_alg
  • userinfo_signed_response_alg
  • token_endpoint_auth_method

Proprietary Claims
The following list gives the supported proprietary claims, with notes and the default value for each.

scope
  Notes: A custom scope. If a scope is provided, it must be supported on the server.
  Default value: openid email profile openid_client_registration

organization
  Notes: The organization of the requestor.
  Default value: The given organization of the client. If no organization is provided, the first redirect_uri is used as the value.

description
  Notes: A description for this client.
  Default value: "Registered via OpenID Connect Dynamic Registration"

environment
  Notes: The development environment of the client. For example: iOS.
  Default value: ALL

master
  Notes: This value identifies the client as being used as a "master-key". The feature is applicable to CA Mobile API Gateway clients only. A client with a master key can retrieve client credentials at /connect/client/initialize. The client_id of this client cannot be used to request an OAuth token. The client_secret generated for this client intentionally matches the value of the client_id.
  Default value: false

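The restrictions above (required redirect_uris, the per-application_type redirect_uri rules, the rejected characters, and response_type and scope values limited to what the discovery endpoint advertises) can be enforced before a registration body is accepted. The following is an added example in Python, not code from the gateway; the discovery document and the two request bodies are constructed sample inputs, and it assumes application_type defaults to "web" when omitted, as the registration specification states.

```python
from urllib.parse import urlsplit

FORBIDDEN_CHARS = set('<>&"')  # characters the register API rejects outright

def _strings(value):
    """Yield every string nested anywhere in a JSON-like structure."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (list, dict)):
        for item in (value.values() if isinstance(value, dict) else value):
            yield from _strings(item)

def _check_redirect_uri(uri, app_type):
    """Return a problem string, or None, for one redirect_uri under the page's rules."""
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    if "#" in uri:
        return f"{uri}: anchors (#) are not allowed"
    if app_type == "web" and (parts.scheme != "https" or host == "localhost"):
        return f"{uri}: web clients need https:// and a hostname other than localhost"
    if app_type == "native" and parts.scheme in ("http", "https") \
            and not (parts.scheme == "http" and host == "localhost"):
        return f"{uri}: native clients need a custom scheme (http:// only for localhost)"
    return None

def validate_registration(request, discovery):
    """Check a registration body against the discovery document; [] means acceptable."""
    errors = [f"forbidden character in {s!r}"
              for s in _strings(request) if FORBIDDEN_CHARS & set(s)]
    uris = request.get("redirect_uris") or []
    if not uris:
        errors.append("redirect_uris is required")
    app_type = request.get("application_type", "web")  # assumed spec default: "web"
    errors += [p for p in (_check_redirect_uri(u, app_type) for u in uris) if p]
    supported = set(discovery.get("response_types_supported", []))
    errors += [f"response_type {rt!r} not advertised by discovery"
               for rt in request.get("response_types", []) if rt not in supported]
    scopes = set(discovery.get("scopes_supported", []))
    errors += [f"scope {s!r} not supported on the server"
               for s in request.get("scope", "").split() if s not in scopes]
    return errors

# Constructed sample inputs (not taken from the page): discovery data and two requests.
DISCOVERY = {"response_types_supported": ["code"],
             "scopes_supported": ["openid", "email", "profile", "openid_client_registration"]}
GOOD_REQUEST = {"application_type": "web", "redirect_uris": ["https://client.example"],
                "response_types": ["code"], "scope": "openid email"}
BAD_REQUEST = {"application_type": "web", "redirect_uris": ["http://localhost/cb#x"],
               "response_types": ["code id_token"], "scope": "openid admin", "client_name": "<script>"}
```

Running validate_registration(BAD_REQUEST, DISCOVERY) reports four problems (the rejected character, the anchor, the unknown response_type and the unsupported scope), while GOOD_REQUEST passes with an empty list.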
Unsupported Claims
The following claims are not supported in the current implementation of dynamic client registration. These claims are defined as optional in the OpenID Connect specification.
  • logo_uri
  • request_object_signing_alg
  • client_uri
  • request_object_encryption_alg
  • policy_uri
  • request_object_encryption_enc
  • tos_uri
  • token_endpoint_auth_signing_alg
  • jwks_uri
  • default_max_age
  • jwks
  • require_auth_time
  • id_token_encrypted_response_alg
  • default_acr_values
  • id_token_encrypted_response_enc
  • initiate_login_uri
  • userinfo_encrypted_response_alg
  • request_uris
  • userinfo_encrypted_response_enc

Registration Success Response
A successful registration POST request returns a response that includes generated values such as the client_id and client_secret.
Response Example
*** Response ***
Status Line: HTTP/1.1 201 Created
Response Header: Server: Apache-Coyote/1.1
Response Header: Content-Type: application/json;charset=UTF-8
Response Header: Content-Length: 1131
Response Header: Date: Wed, 02 Aug 2017 17:49:30 GMT
Response Body:
{
  "client_id": "2220d66d-ccd6-4616-96c6-10c8b6cf3844",
  "client_secret": "9f03bc93-12d7-4c48-b4ab-fa17fd02931d",
  "client_secret_expires_at": 0,
  "client_id_issued_at": 1501871110,
  "registration_access_token": "b39ba851-0375-4fee-851b-2f71072e966d",
  "registration_client_uri": "https://myGateway.com:8443/openid/connect/register/2220d66d-ccd6-4616-96c6-10c8b6cf3844",
  "token_endpoint_auth_method": "client_secret_basic",
  "application_type": "web",
  "redirect_uris": ["https://dynamic-client-001-test.com"],
  "client_name": "https://dynamic-client-001-test.com-2017-08-04T18:25:10.852Z",
  "subject_type": "pairwise",
  "sector_identifier_uri": "",
  "contacts": ["admin"],
  "response_types": ["code"],
  "grant_types": ["authorization_code"],
  "id_token_signed_response_alg": "RS256",
  "userinfo_signed_response_alg": "RS256",
  "environment": "ALL",
  "organization": "https://dynamic-client-001-test.com",
  "master": false,
  "description": "Registered via OpenID Connect Dynamic Registration",
  "scope": "openid email profile openid_client_registration"
}
Retrieve Client Configuration
Using a GET request, the client configuration is available at the /openid/connect/register/{client_id} API.
The client uses the issued access token (the registration_access_token returned by the registration response) as a Bearer credential and the issued client_id as the path element.
Request Example
Request Method: GET
Request URI: /openid/connect/register/d71d768f-a121-445e-85a4-1234abcde123
Request Header: authorization: Bearer 12328230-afd7-4303-9b06-b744462dsf06a
Request Header: User-Agent: Jakarta Commons-HttpClient/3.1
Request Header: Host: mygateway.com
Request Query: null
Response Example
{
  "subject_type": "pairwise",
  "grant_types": ["authorization_code"],
  "application_type": "web",
  "description": "Registered via OpenID Connect Dynamic Registration",
  "registration_client_uri": "https://myGateway.com:8443/openid/connect/register/2220d66d-ccd6-4616-96c6-10c8b6cf3844",
  "redirect_uris": ["https://dynamic-client-001-test.com"],
  "sector_identifier_uri": "",
  "client_id": "2220d66d-ccd6-4616-96c6-10c8b6cf3844",
  "token_endpoint_auth_method": "client_secret_basic",
  "userinfo_signed_response_alg": "RS256",
  "master": false,
  "environment": "ALL",
  "client_secret_expires_at": 0,
  "organization": "https://dynamic-client-001-test.com",
  "scope": "openid email profile openid_client_registration",
  "client_secret": "9f03bc93-12d7-4c48-b4ab-fa17fd02931d",
  "client_id_issued_at": 1501871110,
  "client_name": "https://dynamic-client-001-test.com-2017-08-04T18:25:10.852Z",
  "contacts": ["admin"],
  "response_types": ["code"],
  "id_token_signed_response_alg": "RS256"
}