Client registration
Last updated
Was this helpful?
IDP Kit
Last updated
Was this helpful?
The IDP Kit provides a command line interface (CLI) to register and manage clients. Furthermore, the dynamic client registration and management APIs are provided, according to the specifications in:
To register a new client via the dynamic client registration API, authentication using the registration access token is required by default. The IDP Kit can be configured to allow unauthenticated client registration.
To get this registration access token use the command:
This will output a valid JWT token to use with the API endpoint, like this:
Output
To allow unauthenticated client registration requests via the REST API, set the following in the idp-config.json:
CLI
To register a new client use the register command, like e.g.:
To specify multiple redirect_uris, repeat the -r ... flag for each URI.
Use --all-redirect-uris and omit the -r ... flags, to allow all redirect URIs for this client.
Use -u <client_id> to update an existing client by its ID, instead of creating a new registration.
REST API
[POST] /api/oidc/clients/register
Result
Example:
This example response has the following properties:
client_secret_expires_at: Expiration timestamp of client secret, or 0 if no expiration
all_redirect_uris: Specific to IDP Kit: allow all redirect URIs for this client if redirect_uris is empty or not set
registration_client_uri: URI of API to get, update or delete this client information
registration_access_token: access token for using registration_client_uri API to get, update or delete this client information
client_id_issued_at: Timestamp of first registration of this client
client_secret: Client secret to use for token endpoint authentication method
client_id: Client id to use for token endpoint authentication method
redirect_uris: Array of redirect URIs that are allowed for this client
To list all registered clients, type
This will output a list of keys and client information objects for all registered clients:
Output
CLI
To get a client information by the client ID, use this command, specifying the ID via the -i ... command argument:
REST API
[GET] /api/oidc/clients/<client_id>
Result
CLI
REST API
[PUT] /api/oidc/clients/<client_id>
Result
CLI
Use the remove command to unregister an existing client registration:
Example output
REST API
[DELETE] /api/oidc/clients/<client_id>
The result of a successful delete request, is an empty response with the HTTP response code 204 No Content.
For managing registered clients, i.e. get, update or removal of client information, via the dynamic client management API, you have to use the registration_client_uri and registration_access_token as returned by the response for the specific client.
The , for registering new clients, does NOT grant permission to manage existing client registrations!
Post a object to this endpoint, using the described above, like shown in this simple example:
If is enabled, the registration access token in the Authorization header can be omitted in this request.
In case of success, the CLI and REST API will output a client information object, corresponding to the client registration response from the OIDC spec: .
Each listed object corresponds to the client registration response, described in the section .
To get the client info via the dynamic client management API, make a GET call to the registration_client_uri using the registration_access_token given in the client information obtained from the initial or the latest .
Clients use the registration_client_uri as returned by the server in the registration response object, and MUST NOT construct the URL from component pieces, such as API endpoint and client ID.
The output is a client information object, that corresponds to the client registration response, described in the section .
To update an existing client registration use the -u ... command flag of the , like so:
Post the updated client information, including all required parameters, to the registration_client_uri using the HTTP PUT method and the registration_access_token given in the client information obtained from the initial or the latest .
Clients use the registration_client_uri as returned by the server in the registration response object, and MUST NOT construct the URL from component pieces, such as API endpoint and client ID.
The output is a client information object, with the updated registration information, that corresponds to the client registration response, described in the section .
To unregister the client via the dynamic client management API, make a DELETE request to the registration_client_uri using the registration_access_token given in the client information obtained from the initial or the latest .
Clients use the registration_client_uri as returned by the server in the registration response object, and MUST NOT construct the URL from component pieces, such as API endpoint and client ID.