AnsweredAssumed Answered

Restrict Dynamic Client Registration to known clients

Question asked by JMCColorado on Dec 21, 2017
Latest reply on Dec 21, 2017 by Mark_HE

Trying to get my head around the OTK OIDC/OAuth for native mobile applications use case. Maybe the communities can help.

 

Disclaimer: I am new to both OIDC and OAuth, so I may be missing something obvious, or completely incorrect in my understanding.

 

I am researching the correct way to integrate a mobile application which uses our centralized authentication service based on CASSO, which is integrated with the OTK to support OIDC and the authorization code grant type.

 

From what I have read, it appears that a mobile native client cannot be trusted to store a client secret that is shared across all instances of the application, so dynamic client registration should be used to register each instance of the mobile application as its own client. (This seems like it could result in a ton of clients, but I guess it is what it is) What I don't understand is how I would enable dynamic client registration for a first-party publicly available mobile app, while still preventing third-party developers from configuring their own application to use dynamic client registration against my OIDC service.

 

Is there a standard way to white-list, or grant tokens to restrict which client applications support dynamic client registration? The OIDC spec seems to allow for this (although they do not define the method), I am wondering what mechanism is typically used for this? If there is a token that is presented, how is it that that token can be kept secret, when the client secret cannot?

 

I am sure I am missing something here, if anyone can point me in the right direction, I would greatly appreciate it.

 

 Client Registration Endpoint

The Client Registration Endpoint is an OAuth 2.0 Protected Resource through which a new Client registration can be requested. The OpenID Provider MAY require an Initial Access Token that is provisioned out-of-band (in a manner that is out of scope for this specification) to restrict registration requests to only authorized Clients or developers.

 

Thank you-

 

Josh

Outcomes