DCR VS DCRM with WSO2 Identity server

What is DCR (Dynamic Client Registration)

Dynamic Client registration is a protocol which allows OAuth clients to register applications in an authorization server. Before this mechanism which is introduced from the spec [1] the client registration happened manually. With this implementation the client registration could be done in two ways.

 - A client can be registered dynamically with the authorization server itself
 - A programmer can register a client programmatically.

Following is the protocol flow of DCR


1. A client sends a registration request with as follows. This should be a post request.
2. Server sends information response with 201 created.


Request :

POST https://localhost:9443/api/identity/oauth2/dcr/v1.0/register HTTP/1.1
Authorization: Basic YWRtaW46YWRtaW4=
Content-Type: application/json
Content-Length: 114
Host:localhost:9443
{
  "redirect_uris": [
    "http://localhost"
  ],
  "client_name""client_test",
  "grant_types": [
    "password"
  ]
}


Response :

HTTP/1.1 201 Created
Content-Length: 163
Content-Type: application/json
Connection: Close
{
   "client_id""3701c489-3e03-4f2b-a125-ee3f8d25a501",
   "client_secret""4bff3ec0-a5ab-4252-8768-126633278333",
   "redirect_uris": ["http://localhost"],
   "client_name""client_test"
}

What is DCRM (Dynamic Client Registration Management)

The main finctionalities introduced form this specification [2] are :

  1. Current registration state of a client (Client Read Request)
  2. Update request to an already registered client (Client Update Request)
  3. Delete request to unregister a client (Client Delete Request)
This specification is an extension of DCR specification. Following is the protocol flow of DCRM. 




Client Read Request

Following is a sample client read request and response using WSO2 identity server.

 Request :

Get https://localhost:9443/api/identity/oauth2/dcr/v1.0/register
/3701c489-3e03-4f2b-a125-ee3f8d25a501 HTTP/1.1
Host:localhost:9443

 Response:
HTTP/1.1 200 OK
Content-Length: 163
Content-Type: application/json
Connection: Close
{
   "client_id""3701c489-3e03-4f2b-a125-ee3f8d25a501",
   "client_secret""4bff3ec0-a5ab-4252-8768-126633278333",
   "redirect_uris": ["http://localhost"],
   "client_name""name_1"

}

This request is made from concatenating a client identifier ti the DCR register EP. This client identifier is the client key of the application.


Client Update Request

This is used to update an already registerd client application. This update request is a HTTP put request. 
Few considerations are there when doing the DCRM update request.
  1. This request MUST include all client metadata field which is obtained from previos read / registration request.
  2. The fields which are not specified in the request should be filled with  null values
  3. The 'client_id' in the should be included in the request and it  MUST be the same as its currently issued client identifier. 
  4. The 'client_secret' value can be included in the request, but the value should be matched with the currency issued 'client_secret'. 
  5. The 'client_secret' of the request can not override the existing one of the application.
Following is a sample request and response using WSO2 identity server.

Request :

PUT https://localhost:9443/api/identity/oauth2/dcr/v1.0/register/
3701c489-3e03-4f2b-a125-ee3f8d25a501 HTTP/1.1
Content-Type: application/json
Content-Length: 115
Host: localhost:9443
{
  "redirect_uris": [
    "http://localhost/123"
  ],
  "client_name""name_1",
  "grant_types": [
    "password"
  ]
}
Response :


HTTP/1.1 200 OK
Content-Length: 164
Content-Type: application/json
Connection: Close
{
   "client_id""3701c489-3e03-4f2b-a125-ee3f8d25a501",
   "client_secret""4bff3ec0-a5ab-4252-8768-126633278333",
   "redirect_uris": ["http://localhost"],
   "client_name""name_1"
}


Client Delete Request

By doing HTTP DELETE request the client can delete itself from the authorization server. 
A delete request will invalidate all 'client_id' ,'client_secret' and 'registration_access_token' of the client.

 Following is a sample request and response using WSO2 identity server.

Request :

DELETE https://localhost:9443/api/identity/oauth2/dcr/v1.0/register/
3701c489-3e03-4f2b-a125-ee3f8d25a501 HTTP/1.1
Content-Type: application/json
Content-Length: 0
Host: localhost:9443

Response :

HTTP/1.1 204 No Content
Connection: Close

[1] https://tools.ietf.org/html/rfc7591
[2] https://tools.ietf.org/html/rfc7592


Comments

Post a Comment

Popular posts from this blog

Applying CORS Filter to wso2 Identity Server

When we are invoking an endpoint in oauth2 war from a javascript of a web app which is located in a different domain than identity server domain we are getting "No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://XXXXXXX is therefore not allowed access." The issue is occurring as the script on your page is running from a specifc domain and would try to request the resource via an XmlHttpRequest or XDomainRequst from a different domain as this is a cross -origin request. In order to get rid of this we need to enable this by sending below header using a custom filter.  Access-Control-Allow-Origin: http: //example.com   (Here  http://example.com is the domain name of where page with that script is hosted) Invoking UserInfo endpoint of wso2 Identity Server from JavaScript We have two possible solutions to apply the CORS header.  1. Customizing OpenIDConnectUserEndpoint.java as below and replacing the oauth
Read more

JWKS endpoint of wso2 IS

What is JWKS endpoint? The JSON Web Key Set (JWKS) endpoint is a read-only endpoint. This url returns the Identity Server's public key set in Json web key set format. This contains the signing key(s) the RP uses to validate signatures from the Identity Server. This endpoint is defined loosely by the OpenID Connect Discovery specification . Try JWKS endpoint with Identity Server The endpoint url for the super tenant: https://localhost:9443/oauth2/jwks The jwks for the super tenant will be as follows: { "keys" : [ { "alg" : "RS256" , "kty" : "RSA" , "use" : "sig" , "n" : " AJSn-hXW9Zzz9ORBKIC9Oi6wzM4zhqwHaKW2vZAqjOeLlpUW7zXwyk4tkivwsydPNaWUm-9oDlEAB2lsQJv7jwWNsF7SGx5R03kenC-cf8Nbxlxwa-Tncjo6uruEsK_Vke244KiSCHP8BOuHI-r5CS0x9edFLgesoYlPPFoJxTs5 " , "e" : "AQAB" , "kid" : " d0ec514a32b6f88c0abd12a2840699bdd3deba9d "
Read more