OpenID Connect Dynamic Client Registration
Ory Hydra is capable of exposing
- OpenID Connect Dynamic Client Registration
- OAuth 2.0 Dynamic Client Registration Protocol
- OAuth 2.0 Dynamic Client Registration Management Protocol
endpoints and capabilities. This feature allows third parties to create OAuth2 Clients in self-service, without administrative privileges. The feature is disabled by default!
This is particularly useful if you are running a public service and want users to be able to create their own OAuth2 clients.
To enable this feature, set the following configuration option:
oidc:
dynamic_client_registration:
enabled: true
Enabling this feature will add listeners to the following four routes at the public endpoint:
POST /openid/register
- Register a new OAuth2 Client;GET /openid/register/<client_id>
- Fetch the OAuth2 Client;PUT /openid/register/<client_id>
- Update the OAuth2 Client;DELETE /openid/register/<client_id>
- Delete the OAuth2 Client;
Register OAuth2 & OpenID Connect Clients
If OpenID Connect Dynamic Client Registration is enabled, registering a new OAuth2 Client is as simple as:
POST /openid/register
Content-Type: application/json
{
"client_id": "...",
"registration_access_token": "...",
...
}
note
The registration_access_token
will only be sent once! You need to store this token in a secure location. This token will be used
to update the OAuth2 Client.
Please note that it isn't possible to set OAuth2 Client Metadata, the OAuth2 Client ID nor the OAuth2 Client Secret using this endpoint. This ensure that third parties follow the strict security guidlines of the system.
The metadata field is protected and privileged and can only be set using the administrative endpoint! OAuth2 Client Metadata can also not be read using OpenID Connect Dynamic Client Registration endpoints!
Manage OAuth2 & OpenID Connect Clients
The POST
endpoint requires the client to authenticate with the registration_access_token
regardless of the
token_endpoint_auth_method
. It can be used to update the OAuth2 Client.
PUT /openid/register/{client_id}
Authorization: Bearer <registration_access_token>
Content-Type: application/json
{
"redirect_uris": [...]
...
}
The response will include the updated OAuth2 Client.
note
When updating the OAuth2 Client, the server will respond with a new registration access token. The old one will become invalid!
{
"client_id": "...",
"registration_access_token": "..."
...
}
Get OAuth2 & OpenID Connect Clients
The GET
endpoint requires the client to authenticate with the registration_access_token
regardless of the
token_endpoint_auth_method
. It can be used to retrieve the OAuth2 Client.
GET /openid/register/{client_id}
Authorization: Bearer <registration_access_token>
Content-Type: application/json
{
"redirect_uris": [...]
...
}
Delete OAuth2 & OpenID Connect Clients
The DELETE
endpoint requires the client to authenticate with the registration_access_token
regardless of the
token_endpoint_auth_method
. It can be used to delete the OAuth2 Client.
DELETE /openid/register/{client_id}
Authorization: Bearer <registration_access_token>