[keycloak-dev] Dynamic client registrations without initial-access-token
Marek Posolda
mposolda at redhat.com
Thu Aug 11 11:30:34 EDT 2016
According to the specification
http://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration
there is this:
"To support open Dynamic Registration, the Client Registration Endpoint
SHOULD accept registration requests without OAuth 2.0 Access Tokens.
These requests MAY be rate-limited or otherwise limited to prevent a
denial-of-service attack on the Client Registration Endpoint."
So it looks we need to have a way to allow dynamic client registrations
even without Initial Access Token. Without supporting it, we are not
able to move forward with OIDC conformance testsuite with "Dynamic"
profile as it seems there is not a way to retrieve initialAccessToken
from Keycloak and "inject" it to conformance testsuite.
So I've added the possibility to define trusted hosts under "Initial
Access Tokens" tab. Client registration requests from those hosts are
permitted even without initial-access-token . It's possible to limit the
count of registrations for each host similarly like is for "Initial
Access Tokens".
This approach allows to move forward with OIDC Conformance testsuite
with "Dynamic" profile.
If you agree and we move forward with this approach, then we should
consider to rename "Initial Access Tokens" tab to "Client Registration"
or "Dynamic Client Registration" ? As Initial Access Tokens are anyway
related just to dynamic client registrations.
WDYT?
Marek
More information about the keycloak-dev
mailing list