<div dir="ltr">I'm not sure how useful this is, nor do I think it's particularly safe. There's nothing to stop someone sending a request and masking a different IP address. It would have to use mutual SSL to be secure. Or at least use SSL and have a callback (to confirm that request comes from the actual host), but then it's not using the OIDC standard protocol anymore. <div><br></div><div>Let's discuss it in more detail when you're back from PTO.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 11 August 2016 at 17:30, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">According to the specification<br>
<a href="http://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration" rel="noreferrer" target="_blank">http://openid.net/specs/<wbr>openid-connect-registration-1_<wbr>0.html#ClientRegistration</a><br>
there is this:<br>
<br>
"To support open Dynamic Registration, the Client Registration Endpoint<br>
SHOULD accept registration requests without OAuth 2.0 Access Tokens.<br>
These requests MAY be rate-limited or otherwise limited to prevent a<br>
denial-of-service attack on the Client Registration Endpoint."<br>
<br>
So it looks we need to have a way to allow dynamic client registrations<br>
even without Initial Access Token. Without supporting it, we are not<br>
able to move forward with OIDC conformance testsuite with "Dynamic"<br>
profile as it seems there is not a way to retrieve initialAccessToken<br>
from Keycloak and "inject" it to conformance testsuite.<br>
<br>
So I've added the possibility to define trusted hosts under "Initial<br>
Access Tokens" tab. Client registration requests from those hosts are<br>
permitted even without initial-access-token . It's possible to limit the<br>
count of registrations for each host similarly like is for "Initial<br>
Access Tokens".<br>
<br>
This approach allows to move forward with OIDC Conformance testsuite<br>
with "Dynamic" profile.<br>
<br>
If you agree and we move forward with this approach, then we should<br>
consider to rename "Initial Access Tokens" tab to "Client Registration"<br>
or "Dynamic Client Registration" ? As Initial Access Tokens are anyway<br>
related just to dynamic client registrations.<br>
<br>
WDYT?<br>
<br>
Marek<br>
______________________________<wbr>_________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/keycloak-dev</a><br>
</blockquote></div><br></div>