Client registration
The IDP Kit provides a command line interface (CLI) to register and manage clients. Furthermore, the dynamic client registration and management APIs are provided, according to the specifications in:
Authentication for dynamic client registration API
To register a new client via the dynamic client registration API, authentication using the registration access token is required by default. The IDP Kit can be configured to allow unauthenticated client registration.
Registration access token
To get this registration access token use the command:
This will output a valid JWT token to use with the register API endpoint, like this:
Open client registration
To allow unauthenticated client registration requests via the REST API, set the following configuration option in the idp-config.json:
Authentication for existing client management
For managing registered clients, i.e. getting, updating or removing client information via the dynamic client management API, you have to use the registration_client_uri and registration_access_token returned in the client registration response for that specific client.
The registration access token, for registering new clients, does NOT grant permission to manage existing client registrations!
Register new client
CLI
To register a new client, use the register command, for example:
To specify multiple redirect_uris, repeat the -r ... flag once for each URI.
Use --all-redirect-uris and omit the -r ... flags to allow all redirect URIs for this client.
Use -u <client_id> to update an existing client by its ID instead of creating a new registration.
REST API
[POST] /api/oidc/clients/register
Post a client registration request object to this endpoint, using the registration access token described above, as shown in this simple example:
If open client registration is enabled, the registration access token in the Authorization header can be omitted in this request.
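As an added example (not IDP Kit's own code), the following Python helper builds the [POST] /api/oidc/clients/register request in both forms the text describes: with the registration access token in the Authorization header, and without it when open client registration is enabled. The Bearer scheme, the base URL, the token value and the fake server reply are assumptions and constructed placeholders.

```python
import json
import urllib.request

# Added example (not IDP Kit's own code). The base URL, the client metadata and
# the token value used below are constructed placeholders.
REGISTER_PATH = "/api/oidc/clients/register"


def build_register_request(base_url, client_metadata, registration_access_token=None):
    """Build the HTTP request for [POST] /api/oidc/clients/register.

    registration_access_token is the JWT obtained from the CLI. It is sent as a
    Bearer token (assumed scheme, as in RFC 7591). Pass None only when open
    client registration is enabled in idp-config.json; the Authorization header
    is then omitted, which is what an unauthenticated registration looks like.
    """
    if not isinstance(client_metadata, dict):
        raise TypeError("client_metadata must be a JSON object")
    body = json.dumps(client_metadata).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    if registration_access_token is not None:
        headers["Authorization"] = "Bearer " + registration_access_token
    url = base_url.rstrip("/") + REGISTER_PATH
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def register_client(base_url, client_metadata, registration_access_token=None,
                    opener=urllib.request.urlopen):
    """Send the request and return the parsed client information object.

    `opener` defaults to urllib's urlopen; a fake opener can be supplied to
    run this offline (as the usage below does).
    """
    request = build_register_request(base_url, client_metadata, registration_access_token)
    with opener(request) as response:
        payload = json.loads(response.read().decode("utf-8"))
    # A registration response without these two fields cannot be managed later.
    for key in ("registration_client_uri", "registration_access_token"):
        if key not in payload:
            raise ValueError("registration response is missing " + key)
    return payload


class _FakeResponse:
    """Minimal stand-in for an HTTP response, used to run the example offline."""

    def __init__(self, body):
        self._body = body

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_opener(request):
    """Constructed stand-in for the IDP Kit server: echoes the redirect URIs
    back together with placeholder server-issued fields."""
    sent = json.loads(request.data.decode("utf-8"))
    reply = {
        "client_id": "placeholder-client-id",
        "client_secret": "placeholder-client-secret",
        "client_id_issued_at": 1700000000,
        "client_secret_expires_at": 0,
        "redirect_uris": sent.get("redirect_uris", []),
        "all_redirect_uris": False,
        "registration_client_uri": "https://idp.example.test/api/oidc/clients/placeholder-client-id",
        "registration_access_token": "placeholder-registration-access-token",
    }
    return _FakeResponse(json.dumps(reply).encode("utf-8"))


if __name__ == "__main__":
    info = register_client(
        "https://idp.example.test",
        {"redirect_uris": ["https://app.example.test/callback"]},
        registration_access_token="placeholder.jwt.token",
        opener=fake_opener,
    )
    print(json.dumps(info, indent=2))
```

Swap fake_opener for the default urlopen to talk to a real instance; the helper deliberately refuses to proceed when the response lacks the registration_client_uri and registration_access_token pair, since without them the client can never be updated or removed through the management API.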
Result
In case of success, the CLI and REST API will output a client information object, corresponding to the client registration response from the OIDC spec: Client Registration Response.
Example:
This example response has the following properties:
client_secret_expires_at: Expiration timestamp of the client secret, or 0 if it does not expire
all_redirect_uris: Specific to IDP Kit: allow all redirect URIs for this client if redirect_uris is empty or not set
registration_client_uri: URI of the API to get, update or delete this client information
registration_access_token: Access token for using the registration_client_uri API to get, update or delete this client information
client_id_issued_at: Timestamp of the first registration of this client
client_secret: Client secret to use for the token endpoint authentication method
client_id: Client ID to use for the token endpoint authentication method
redirect_uris: Array of redirect URIs that are allowed for this client
List registered clients
To list all registered clients, type
This will output a list of keys and client information objects for all registered clients:
Each listed object corresponds to the client registration response, described in the section Register new client.
Get client information by ID
CLI
To get the client information by client ID, use this command, specifying the ID via the -i ... command argument:
REST API
[GET] /api/oidc/clients/<client_id>
To get the client info via the dynamic client management API, make a GET call to the registration_client_uri using the registration_access_token given in the client information obtained from the initial client registration or the latest client update.
Clients MUST use the registration_client_uri as returned by the server in the registration response object, and MUST NOT construct the URL from component pieces, such as API endpoint and client ID.
Result
The output is a client information object, that corresponds to the client registration response, described in the section Register new client.
Update client registration
CLI
To update an existing client registration, use the -u ... command flag of the register command, like so:
All required parameters MUST be specified in the update command, as the existing registration will be replaced but not merged with parameters given in this command!
REST API
[PUT] /api/oidc/clients/<client_id>
Put the updated client information, including all required parameters, to the registration_client_uri using the HTTP PUT method and the registration_access_token given in the client information obtained from the initial client registration or the latest client update.
All required parameters MUST be included in the update request body, as the existing registration will be replaced by, not merged with, the object given in the update request!
Clients MUST use the registration_client_uri as returned by the server in the registration response object, and MUST NOT construct the URL from component pieces, such as API endpoint and client ID.
Result
The output is a client information object, with the updated registration information, that corresponds to the client registration response, described in the section Register new client.
Remove client registration
CLI
Use the remove command to unregister an existing client registration:
REST API
[DELETE] /api/oidc/clients/<client_id>
To unregister the client via the dynamic client management API, make a DELETE request to the registration_client_uri using the registration_access_token given in the client information obtained from the initial client registration or the latest client update.
The result of a successful delete request is an empty response with the HTTP response code 204 No Content.
Clients MUST use the registration_client_uri as returned by the server in the registration response object, and MUST NOT construct the URL from component pieces, such as API endpoint and client ID.
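The three management calls (GET, PUT and DELETE on the registration_client_uri) share one pattern, shown here as an added example that is not IDP Kit's own code: the URI and the per-client registration_access_token are taken verbatim from the client information object, never assembled from an endpoint path plus client_id, the PUT body is the complete replacement object because the server replaces rather than merges, and a DELETE is judged successful only on 204 No Content. The Bearer scheme, the SAMPLE_CLIENT_INFO placeholder and the choice of server-issued fields excluded from the PUT body (taken from RFC 7592, since the page only says "all required parameters") are assumptions.

```python
import json
import urllib.request

# Added example (not IDP Kit's own code). SAMPLE_CLIENT_INFO is a constructed
# placeholder shaped like the client registration response.
SAMPLE_CLIENT_INFO = {
    "client_id": "placeholder-client-id",
    "client_secret": "placeholder-client-secret",
    "redirect_uris": ["https://app.example.test/callback"],
    "all_redirect_uris": False,
    "registration_client_uri": "https://idp.example.test/api/oidc/clients/placeholder-client-id",
    "registration_access_token": "placeholder-registration-access-token",
}

# Server-issued fields that are not client metadata and so are left out of the
# PUT body. Assumption: the page only says "all required parameters"; this
# follows the RFC 7592 rule for what a client sends on update.
SERVER_ISSUED = (
    "registration_client_uri",
    "registration_access_token",
    "client_id_issued_at",
    "client_secret_expires_at",
)


def build_management_request(client_info, method, body=None):
    """Build a GET, PUT or DELETE request against the registration_client_uri.

    The URI and token come verbatim from the client information object, never
    from an API endpoint plus client_id. The token is sent as a Bearer token
    (assumed scheme).
    """
    if method not in ("GET", "PUT", "DELETE"):
        raise ValueError("management API supports GET, PUT and DELETE only")
    uri = client_info["registration_client_uri"]
    token = client_info["registration_access_token"]
    headers = {"Authorization": "Bearer " + token, "Accept": "application/json"}
    data = None
    if method == "PUT":
        if not body:
            raise ValueError("PUT replaces the registration: send the complete object")
        data = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    elif body is not None:
        raise ValueError(method + " takes no request body")
    return urllib.request.Request(uri, data=data, headers=headers, method=method)


def replacement_body(current_info, changes):
    """Compose the full replacement object for an update.

    Because the server replaces rather than merges, every parameter that should
    survive must be re-sent: start from the current registration's metadata
    and overlay only the changed keys.
    """
    body = {k: v for k, v in current_info.items() if k not in SERVER_ISSUED}
    body.update(changes)
    return body


def delete_succeeded(status_code, response_body=b""):
    """A successful DELETE is an empty response with 204 No Content."""
    return status_code == 204 and not response_body


if __name__ == "__main__":
    get_req = build_management_request(SAMPLE_CLIENT_INFO, "GET")
    print(get_req.get_method(), get_req.full_url)
    new_body = replacement_body(SAMPLE_CLIENT_INFO,
                                {"redirect_uris": ["https://app.example.test/cb2"]})
    put_req = build_management_request(SAMPLE_CLIENT_INFO, "PUT", new_body)
    print(put_req.get_method(), put_req.data.decode("utf-8"))
    del_req = build_management_request(SAMPLE_CLIENT_INFO, "DELETE")
    print(del_req.get_method(), "success on 204:", delete_succeeded(204))
```

replacement_body is the piece that prevents the most common update mistake on a replace-not-merge API: sending only the changed key and silently losing every other parameter, such as the registered redirect URIs.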