ClientRegistration
A ClientRegistration holds information about registration with an OAuth 2.0 Authorization Server or OpenID Provider.
The configuration includes the client credentials that are used to authenticate to the identity provider. The client credentials can be included directly in the configuration, or retrieved in some other way using an expression, described in Expressions.
Usage
{
"name": string,
"type": "ClientRegistration",
"config": {
"clientId": configuration expression<string>,
"issuer": Issuer reference,
"scopes": [ configuration expression<string>, ...],
"registrationHandler": Handler reference,
"authenticatedRegistrationHandler": Handler reference,
"clientSecret": configuration expression<string>, //deprecated
"clientSecretId": configuration expression<secret-id>, //deprecated
"jwtExpirationTimeout": duration, //deprecated
"keystore": reference, //deprecated
"privateKeyJwtAlias": string, //deprecated
"privateKeyJwtPassword": string, //deprecated
"privateKeyJwtSecretId": configuration expression<secret-id>, //deprecated
"secretsProvider": SecretsProvider reference, //deprecated
"tokenEndpointAuthMethod": enumeration, //deprecated
"tokenEndpointAuthSigningAlg": string //deprecated
}
}
Properties
"name"
: string, required-
The use of the name
property to identify a client that is registering with the Authorization Server is deprecated; useclientId
instead. For more information, refer to the Deprecated section of the Release Notes. "clientId"
: configuration expression<string>, required-
The
client_id
obtained when registering with the Authorization Server. See also Expressions. "issuer"
: Issuer reference, required-
The provider configuration to use for this client registration. Provide either the name of a Issuer object defined in the heap or an inline Issuer configuration object. See also Issuer.
"scopes"
: array of configuration expression<strings>, optional-
Array of scope strings to present to the user for approval, and include in tokens so that protected resources can make decisions about access.
Default: Empty
"registrationHandler"
: Handler reference, optional-
HTTP client handler to invoke during client registration, to access endpoints that do not require client authentication. Provide either the name of a Handler object defined in the heap or an inline Handler configuration object.
Usually set this to the name of a ClientHandler configured in the heap, or a chain that ends in a ClientHandler.
Default: ClientHandler.
"authenticatedRegistrationHandler"
: Handler reference, optional-
HTTP client handler to invoke during client registration, to access endpoints that require client authentication. Configure this property as a Chain, using one of the following filters for client authentication:
{ "name": "AuthenticatedRegistrationHandler", "type": "Chain", "config": { "handler": "ForgeRockClientHandler", "filters": [ { "type": "ClientSecretBasicAuthenticationFilter", "config": { "clientId": "service-client", "clientSecretId": "client.secret.id", "secretsProvider" : "SystemAndEnvSecretStore-1", } } ] } }
Default:
registrationHandler
with no authentication filter. "clientSecret"
: _configuration expression<string>, required iftokenEndpointAuthMethod
isclient_secret_basic
orclient_secret_post
-
This property is deprecated; use authenticatedRegistrationHandler
instead. For more information, refer to the Deprecated section of the Release Notes.The secret required to authenticate the client to the Authorization Server.
"clientSecretId"
: _configuration expression<secret-id>, required iftokenEndpointAuthMethod
isclient_secret_basic
orclient_secret_post
-
This property is deprecated; use authenticatedRegistrationHandler
instead. For more information, refer to the Deprecated section of the Release Notes.The secret ID of the client secret required to authenticate the client to the Authorization Server.
This secret ID must point to a GenericSecret.
"jwtExpirationTimeout"
: duration, optional-
This property is deprecated; use authenticatedRegistrationHandler
instead. For more information, refer to the Deprecated section of the Release Notes.When
private_key_jwt
is used for authentication, this property specifies the duration for which the JWT is valid.Default: 1 minute
"keystore"
: reference, required ifprivate_key_jwt
is used-
The use of this property is deprecated; use authenticatedRegistrationHandler
instead. For more information, refer to the Deprecated section of the Release Notes.The Java keystore containing the private key that is used to sign the JWT.
Provide the name of a keystore object defined in the heap or an inline keystore configuration object.
"privateKeyJwtAlias"
: string, required ifprivate_key_jwt
is used-
The use of this property is deprecated; use authenticatedRegistrationHandler
instead. For more information, refer to the Deprecated section of the Release Notes.Name of the private key contained in the keystore.
"privateKeyJwtPassword"
: string, required ifprivate_key_jwt
is used-
The use of this property is deprecated; use authenticatedRegistrationHandler
instead. For more information, refer to the Deprecated section of the Release Notes.Password to access the private key contained in the keystore.
"privateKeyJwtSecretId"
: configuration expression<secret-id>, required whenprivate_key_jwt
is used for client authentication-
This property is deprecated; use authenticatedRegistrationHandler
instead. For more information, refer to the Deprecated section of the Release Notes.The secret ID of the key that is used to sign the JWT.
This secret ID must point to a CryptoKey.
"secretsProvider"
: SecretsProvider reference, optional-
This property is deprecated; use authenticatedRegistrationHandler
instead. For more information, refer to the Deprecated section of the Release Notes.The SecretsProvider object to query for the client’s GenericSecret. For more information, see SecretsProvider.
Default: The route’s default secret service. For more information, refer to Default secrets object.
"tokenEndpointAuthMethod"
: enumeration, optional-
This property is deprecated; use authenticatedRegistrationHandler
instead. For more information, refer to the Deprecated section of the Release Notes.The authentication method with which a client authenticates to the authorization server or OpenID provider at the token endpoint. For information about client authentication methods, see OpenID Client Authentication. The following client authentication methods are allowed:
-
client_secret_basic
: Clients that have received aclient_secret
value from the Authorization Server authenticate with the Authorization Server by using the HTTP Basic authentication scheme, as in the following example:POST /oauth2/token HTTP/1.1 Host: as.example.com Authorization: Basic .... Content-Type: application/x-www-form-urlencoded grant_type=authorization_code& code=...
-
client_secret_post
: Clients that have received aclient_secret
value from the Authorization Server authenticate with the Authorization Server by including the client credentials in the request body, as in the following example:POST /oauth2/token HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&; client_id=...& client_secret=...& code=...
-
private_key_jwt
: Clients send a signed JSON Web Token (JWT) to the Authorization Server. IG builds and signs the JWT, and prepares the request as in the following example:POST /token HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded grant_type=authorization_code& code=...& client_id=<clientregistration_id>& client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer& client_assertion=PHNhbWxwOl ... ZT
If the Authorization Server doesn’t support
private_key_jwt
, a dynamic registration falls back on the method returned by the Authorization Server, for example,client_secret_basic
orclient_secret_post
.If
tokenEndpointAuthSigningAlg
is not configured, theRS256
signing algorithm is used forprivate_key_jwt
.
Consider these points for identity providers:
-
Some providers accept more than one authentication method.
-
If a provider strictly enforces how the client must authenticate, align the authentication method with the provider.
-
If a provider doesn’t support the authentication method, the provider sends an HTTP 400 Bad Request response with an
invalid_client
error message, according to RFC 6749 The OAuth 2.0 Authorization Framework, section 5.2 . -
If the authentication method is invalid, the provider sends an
IllegalArgumentException
.
Default:
client_secret_basic
-
"tokenEndpointAuthSigningAlg"
: string, optional-
This property is deprecated; use authenticatedRegistrationHandler
instead. For more information, refer to the Deprecated section of the Release Notes.The JSON Web Algorithm (JWA) used to sign the JWT that is used to authenticate the client at the token endpoint. The property is used when
private_key_jwt
is used for authentication.Use one of the following algorithms:
-
RS256
: RSA using SHA-256 -
ES256
: ECDSA with SHA-256 and NIST standard P-256 elliptic curve -
ES384
: ECDSA with SHA-384 and NIST standard P-384 elliptic curve -
ES512
: ECDSA with SHA-512 and NIST standard P-521 elliptic curve
Default:
RS256
-