Identity Gateway 2023.11

ClientRegistration

A ClientRegistration holds information about registration with an OAuth 2.0 Authorization Server or OpenID Provider.

The configuration includes the client credentials that are used to authenticate to the identity provider. The client credentials can be included directly in the configuration, or retrieved in some other way using an expression, described in Expressions.

Usage

{
  "name": string,
  "type": "ClientRegistration",
  "config": {
    "clientId": configuration expression<string>,
    "issuer": Issuer reference,
    "scopes": [ configuration expression<string>, ...],
    "registrationHandler": Handler reference,
    "authenticatedRegistrationHandler": Handler reference,
    "clientSecret": configuration expression<string>, //deprecated
    "clientSecretId": configuration expression<secret-id>, //deprecated
    "jwtExpirationTimeout": duration, //deprecated
    "keystore": reference, //deprecated
    "privateKeyJwtAlias": string, //deprecated
    "privateKeyJwtPassword": string, //deprecated
    "privateKeyJwtSecretId": configuration expression<secret-id>, //deprecated
    "secretsProvider": SecretsProvider reference, //deprecated
    "tokenEndpointAuthMethod": enumeration, //deprecated
    "tokenEndpointAuthSigningAlg": string //deprecated
  }
}

Properties

"name": string, required
The use of the name property to identify a client that is registering with the Authorization Server is deprecated; use clientId instead. For more information, refer to the Deprecated section of the Release Notes.
"clientId": configuration expression<string>, required

The client_id obtained when registering with the Authorization Server. See also Expressions.

"issuer": Issuer reference, required

The provider configuration to use for this client registration. Provide either the name of a Issuer object defined in the heap or an inline Issuer configuration object. See also Issuer.

"scopes": array of configuration expression<strings>, optional

Array of scope strings to present to the user for approval, and include in tokens so that protected resources can make decisions about access.

Default: Empty

"registrationHandler": Handler reference, optional

HTTP client handler to invoke during client registration, to access endpoints that do not require client authentication. Provide either the name of a Handler object defined in the heap or an inline Handler configuration object.

Usually set this to the name of a ClientHandler configured in the heap, or a chain that ends in a ClientHandler.

Default: ClientHandler.

"authenticatedRegistrationHandler": Handler reference, optional

HTTP client handler to invoke during client registration, to access endpoints that require client authentication. Configure this property as a Chain, using one of the following filters for client authentication:

{
  "name": "AuthenticatedRegistrationHandler",
  "type": "Chain",
  "config": {
    "handler": "ForgeRockClientHandler",
    "filters": [
      {
        "type": "ClientSecretBasicAuthenticationFilter",
        "config": {
          "clientId": "service-client",
          "clientSecretId": "client.secret.id",
          "secretsProvider" : "SystemAndEnvSecretStore-1",
        }
      }
    ]
  }
}

Default: registrationHandler with no authentication filter.

"clientSecret": _configuration expression<string>, required if tokenEndpointAuthMethod is client_secret_basic or client_secret_post
This property is deprecated; use authenticatedRegistrationHandler instead. For more information, refer to the Deprecated section of the Release Notes.

The secret required to authenticate the client to the Authorization Server.

"clientSecretId": _configuration expression<secret-id>, required if tokenEndpointAuthMethod is client_secret_basic or client_secret_post
This property is deprecated; use authenticatedRegistrationHandler instead. For more information, refer to the Deprecated section of the Release Notes.

The secret ID of the client secret required to authenticate the client to the Authorization Server.

This secret ID must point to a GenericSecret.

"jwtExpirationTimeout": duration, optional
This property is deprecated; use authenticatedRegistrationHandler instead. For more information, refer to the Deprecated section of the Release Notes.

When private_key_jwt is used for authentication, this property specifies the duration for which the JWT is valid.

Default: 1 minute

"keystore": reference, required if private_key_jwt is used
The use of this property is deprecated; use authenticatedRegistrationHandler instead. For more information, refer to the Deprecated section of the Release Notes.

The Java keystore containing the private key that is used to sign the JWT.

Provide the name of a keystore object defined in the heap or an inline keystore configuration object.

"privateKeyJwtAlias": string, required if private_key_jwt is used
The use of this property is deprecated; use authenticatedRegistrationHandler instead. For more information, refer to the Deprecated section of the Release Notes.

Name of the private key contained in the keystore.

"privateKeyJwtPassword": string, required if private_key_jwt is used
The use of this property is deprecated; use authenticatedRegistrationHandler instead. For more information, refer to the Deprecated section of the Release Notes.

Password to access the private key contained in the keystore.

"privateKeyJwtSecretId": configuration expression<secret-id>, required when private_key_jwt is used for client authentication
This property is deprecated; use authenticatedRegistrationHandler instead. For more information, refer to the Deprecated section of the Release Notes.

The secret ID of the key that is used to sign the JWT.

This secret ID must point to a CryptoKey.

"secretsProvider": SecretsProvider reference, optional
This property is deprecated; use authenticatedRegistrationHandler instead. For more information, refer to the Deprecated section of the Release Notes.

The SecretsProvider object to query for the client’s GenericSecret. For more information, see SecretsProvider.

Default: The route’s default secret service. For more information, refer to Default secrets object.

"tokenEndpointAuthMethod": enumeration, optional
This property is deprecated; use authenticatedRegistrationHandler instead. For more information, refer to the Deprecated section of the Release Notes.

The authentication method with which a client authenticates to the authorization server or OpenID provider at the token endpoint. For information about client authentication methods, see OpenID Client Authentication. The following client authentication methods are allowed:

  • client_secret_basic: Clients that have received a client_secret value from the Authorization Server authenticate with the Authorization Server by using the HTTP Basic authentication scheme, as in the following example:

    POST /oauth2/token HTTP/1.1
    Host: as.example.com
    Authorization: Basic ....
    Content-Type: application/x-www-form-urlencoded
    
    grant_type=authorization_code&
    code=...
  • client_secret_post: Clients that have received a client_secret value from the Authorization Server authenticate with the Authorization Server by including the client credentials in the request body, as in the following example:

    POST /oauth2/token HTTP/1.1
    Host: as.example.com
    Content-Type: application/x-www-form-urlencoded
    
    grant_type=authorization_code&;
    client_id=...&
    client_secret=...&
    code=...
  • private_key_jwt: Clients send a signed JSON Web Token (JWT) to the Authorization Server. IG builds and signs the JWT, and prepares the request as in the following example:

    POST /token HTTP/1.1
    Host: as.example.com
    Content-Type: application/x-www-form-urlencoded
    
    grant_type=authorization_code&
    code=...&
    client_id=<clientregistration_id>&
    client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
    client_assertion=PHNhbWxwOl ... ZT

    If the Authorization Server doesn’t support private_key_jwt, a dynamic registration falls back on the method returned by the Authorization Server, for example, client_secret_basic or client_secret_post.

    If tokenEndpointAuthSigningAlg is not configured, the RS256 signing algorithm is used for private_key_jwt.

Consider these points for identity providers:

  • Some providers accept more than one authentication method.

  • If a provider strictly enforces how the client must authenticate, align the authentication method with the provider.

  • If a provider doesn’t support the authentication method, the provider sends an HTTP 400 Bad Request response with an invalid_client error message, according to RFC 6749 The OAuth 2.0 Authorization Framework, section 5.2 .

  • If the authentication method is invalid, the provider sends an IllegalArgumentException.

Default: client_secret_basic

"tokenEndpointAuthSigningAlg": string, optional
This property is deprecated; use authenticatedRegistrationHandler instead. For more information, refer to the Deprecated section of the Release Notes.

The JSON Web Algorithm (JWA) used to sign the JWT that is used to authenticate the client at the token endpoint. The property is used when private_key_jwt is used for authentication.

Use one of the following algorithms:

  • RS256: RSA using SHA-256

  • ES256: ECDSA with SHA-256 and NIST standard P-256 elliptic curve

  • ES384: ECDSA with SHA-384 and NIST standard P-384 elliptic curve

  • ES512: ECDSA with SHA-512 and NIST standard P-521 elliptic curve

Default: RS256