Trying out OpenID Connect Dynamic Client Registration in WSO2 Identity Server

“ OpenID Connect (OIDC) 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.”
Dynamic Client Registration allows the OpenID Connect (OIDC) Relying Party (RP) to register itself with the OpenID Connect Provider (OP).

According to the above diagram, the OpenID Connect Relying Party can dynamically register with the End-User’s OpenID Provider, providing information about itself to the OpenID Provider, and obtaining information needed to use it, including the OAuth 2.0 Client ID for this Relying Party.
WSO2 Identity Server provides the capability to register clients dynamically using OpenID Connect. Client applications must be registered before end-users can log in with OpenID Connect or the client can receive OAuth 2.0 access tokens. This blog gives you hands-on experience with OpenID Connect Dynamic Client Registration in WSO2 IS.
The following section provides information on how an OpenID Connect Relying party can dynamically register with the end user’s OpenID provider.
Prerequisites
- Download the latest WSO2 Identity Server.
- Start WSO2 Identity Server by running sh wso2server.sh in a terminal from <IS_HOME>/bin/. [<IS_HOME> is the directory in which the WSO2 Identity Server is installed.]
Register an OAuth2 application
[POST https://localhost/api/identity/oauth2/dcr/v1.1/register]
When registering an OAuth2 application, the Client sends an HTTP POST message to the client registration endpoint with client metadata parameters that the client chooses to specify for itself during the registration. You can use the following curl command.
curl -k -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d '{"client_name": "application_test", "grant_types": ["authorization_code","password"], "ext_param_client_id":"provided_client_id0001", "ext_param_client_secret":"provided_client_secret0001", "redirect_uris":["http://localhost:8080/playground2"] }' "https://localhost:9443/api/identity/oauth2/dcr/v1.1/register"
By executing this curl command, the IS creates a Service Provider named application_test, adds an OAuth/OpenID Connect configuration enabling the grant types sent in grant_types, and sets the Callback Url to the URI sent in redirect_uris. You should then get a response like the one below.
{"client_id":"provided_client_id0001","client_secret":"provided_client_secret0001","client_secret_expires_at":null,"redirect_uris":["http://localhost:8080/playground2"],"grant_types":["authorization_code","password"],"client_name":"application_test"}
Get OAuth2 application information
Now you can get your created OAuth2 application by providing client_id or client_name.
1. Retrieve an OAuth2 application by client_id.
[GET https://localhost/api/identity/oauth2/dcr/v1.1/register/{client_id}]
curl -k -X GET -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d '{}' "https://localhost:9443/api/identity/oauth2/dcr/v1.1/register/provided_client_id0001"
You should get a response similar to this.
{"client_id":"provided_client_id0001","client_secret":"provided_client_secret0001","client_secret_expires_at":null,"redirect_uris":["http://localhost:8080/playground2"],"grant_types":["authorization_code","password"],"client_name":"application_test"}
2. Retrieve an OAuth2 application by client_name.
[GET https://localhost/api/identity/oauth2/dcr/v1.1/register]
curl -k -X GET -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d '{}' "https://localhost:9443/api/identity/oauth2/dcr/v1.1/register?client_name=application_test"
You should get a response similar to this.
{"client_id":"provided_client_id0001","client_secret":"provided_client_secret0001","client_secret_expires_at":null,"redirect_uris":["http://localhost:8080/playground2"],"grant_types":["authorization_code","password"],"client_name":"application_test"}
Update an OAuth2 application
[PUT https://localhost/api/identity/oauth2/dcr/v1.1/register/{client_id}]
You can update your created OAuth2 application with an HTTP PUT message. Use the following curl command.
curl -k -X PUT -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d '{ "client_name": "application_1", "grant_types": ["authorization_code","password","implicit"] }' "https://localhost:9443/api/identity/oauth2/dcr/v1.1/register/provided_client_id0001"
You should get a response similar to this.
{"client_id":"provided_client_id0001","client_secret":"provided_client_secret0001","client_secret_expires_at":null,"redirect_uris":["http://localhost:8080/playground2"],"grant_types":["authorization_code","password","implicit"],"client_name":"application_1"}
Delete OAuth2 application
[DELETE https://localhost/api/identity/oauth2/dcr/v1.1/register/{client_id}]
You can delete your created application using the following curl command.
curl -k -X DELETE -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d '{}' "https://localhost:9443/api/identity/oauth2/dcr/v1.1/register/provided_client_id0001"
Now you have successfully tried out the OpenID Connect Dynamic Client Registration flow with WSO2 IS.
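The register and delete steps above as an added example (not code from the original post or from WSO2): a small Python client for the same DCR v1.1 endpoint that, after registering, compares the OP's answer with the requested metadata, so an unexpected redirect URI, an extra grant type or a different client_id is caught and the client is deleted instead of used. It assumes the endpoint, admin credentials and metadata from the curl commands; the response check can be run offline against the sample response copied from the post.

```python
import json
import ssl
import urllib.request

DCR_URL = "https://localhost:9443/api/identity/oauth2/dcr/v1.1/register"
AUTH = "Basic YWRtaW46YWRtaW4="  # same header as the curl commands: base64("admin:admin")
# The metadata the curl example registers and the response the post shows for it, kept inline.
REQUESTED = {"client_name": "application_test", "grant_types": ["authorization_code", "password"],
             "ext_param_client_id": "provided_client_id0001",
             "ext_param_client_secret": "provided_client_secret0001",
             "redirect_uris": ["http://localhost:8080/playground2"]}
SAMPLE_RESPONSE = {"client_id": "provided_client_id0001", "client_secret": "provided_client_secret0001",
                   "client_secret_expires_at": None, "client_name": "application_test",
                   "redirect_uris": ["http://localhost:8080/playground2"],
                   "grant_types": ["authorization_code", "password"]}

def dcr_call(method, url, body, auth, insecure=False):
    # One request to the DCR endpoint; returns the parsed JSON body (None for an empty reply).
    ctx = ssl.create_default_context()
    if insecure:  # curl -k equivalent; only for the self-signed dev certificate
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    req = urllib.request.Request(url, method=method, data=json.dumps(body).encode() if body else None,
                                 headers={"Content-Type": "application/json", "Authorization": auth})
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

def check_registration(requested, response):
    # Compare what the RP asked for with what the OP says it registered; each entry is a discrepancy.
    problems = [f"missing {k}" for k in ("client_id", "client_secret") if not response.get(k)]
    if response.get("client_name") != requested["client_name"]:
        problems.append("client_name differs")
    if set(response.get("redirect_uris", [])) != set(requested["redirect_uris"]):
        problems.append("redirect_uris differ")
    extra = sorted(set(response.get("grant_types", [])) - set(requested["grant_types"]))
    if extra:
        problems.append("unrequested grant_types: " + ", ".join(extra))
    if requested.get("ext_param_client_id") not in (None, response.get("client_id")):
        problems.append("client_id is not the requested ext_param_client_id")
    return problems

def register_and_verify(metadata, auth=AUTH, insecure=False):
    # Register, check the answer, and delete the client again if it is not what was asked for.
    body = dcr_call("POST", DCR_URL, metadata, auth, insecure) or {}
    problems = check_registration(metadata, body)
    if problems:
        if body.get("client_id"):
            dcr_call("DELETE", f"{DCR_URL}/{body['client_id']}", None, auth, insecure)
        raise RuntimeError("registration mismatch: " + "; ".join(problems))
    return body
```

Against a running IS, register_and_verify(REQUESTED, insecure=True) performs the same POST as the first curl command and returns the registration; check_registration(REQUESTED, SAMPLE_RESPONSE) returns an empty list without any server.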
Wrapping-up
In this article, I tried to give you a brief idea about OpenID Connect Dynamic Client Registration and how it can be performed using WSO2 Identity Server. Hope you enjoyed reading!