PingGateway 2024.11

ClientRegistration

A ClientRegistration holds information about registration with an OAuth 2.0 Authorization Server or OpenID Provider.

The configuration includes the client credentials that are used to authenticate to the identity provider. The client credentials can be included directly in the configuration, or retrieved in some other way using an expression, described in Expressions.

Usage

{
  "name": string,
  "type": "ClientRegistration",
  "config": {
    "clientId": configuration expression<string>,
    "issuer": Issuer reference,
    "pkceMethod": configuration expression<string>,
    "scopes": [ configuration expression<string>, …​],
    "registrationHandler": Handler reference,
    "authenticatedRegistrationHandler": Handler reference,
    "clientSecretUsage": configuration expression<enumeration>,
    "clientSecretId": configuration expression<secret-id>,
    "secretsProvider": SecretsProvider reference,
    "skipSignatureVerification": configuration expression<boolean>,
    "jwtExpirationTimeout": duration, //deprecated
    "privateKeyJwtSecretId": configuration expression<secret-id>, //deprecated
    "tokenEndpointAuthMethod": enumeration, //deprecated
    "tokenEndpointAuthSigningAlg": string //deprecated
  }
}

Properties

clientId

"clientId": configuration expression<string>, required

The client_id obtained when registering with the Authorization Server. Expressions describes alternatives to setting this to a literal string.

When using a login page with an AuthorizationCodeOAuth2ClientFilter, the link to the /login endpoint must refer to a valid clientId identified by this property.

issuer

"issuer": Issuer reference, required

The provider configuration to use for this client registration. Provide the name of an Issuer defined in the heap or an inline Issuer configuration object.

pkceMethod

"pkceMethod": configuration expression<string>, optional

The Proof Key for Code Exchange (PKCE) code challenge method; one of:

  • S256: Use a SHA256-based encoding of the code verifier.

  • none: Disable PKCE.

Default: S256

scopes

"scopes": array of configuration expression<strings>, optional

Array of scope strings to present to the user for approval and to include in tokens for decisions about access to protected resources.

Default: Empty

registrationHandler

"registrationHandler": Handler reference, optional

HTTP client handler to invoke during client registration, to access endpoints that don’t require client authentication. Provide either the name of a Handler defined in the heap or an inline Handler configuration object.

Usually set this to the name of a ClientHandler configured in the heap or a Chain that ends in a ClientHandler.

Default: ClientHandler

authenticatedRegistrationHandler

"authenticatedRegistrationHandler": Handler reference, optional

HTTP client handler to invoke during client registration to access endpoints that require client authentication. Configure this property as a Chain with one of the following filters for client authentication:

For example:

{
  "name": "AuthenticatedRegistrationHandler",
  "type": "Chain",
  "config": {
    "handler": "ForgeRockClientHandler",
    "filters": [
      {
        "type": "ClientSecretBasicAuthenticationFilter",
        "config": {
          "clientId": "service-client",
          "clientSecretId": "client.secret.id",
          "secretsProvider" : "SystemAndEnvSecretStore-1"
        }
      }
    ]
  }
}

Default: registrationHandler with no authentication filter

clientSecretUsage

"clientSecretUsage": configuration expression<enumeration>, optional

Specifies how to use the "clientSecretId"; one of:

  • CLIENT_AUTHENTICATION_ONLY

  • ID_TOKEN_VALIDATION_AND_CLIENT_AUTHENTICATION

  • ID_TOKEN_VALIDATION_ONLY

Default: CLIENT_AUTHENTICATION_ONLY

clientSecretId

"clientSecretId": configuration expression<secret-id>, required to verify ID tokens with HMAC-based signatures

The secret ID of the client secret.

Set this for ID token validation when the OpenID provider signs ID tokens using an HMAC algorithm. In addition, set "clientSecretUsage" to ID_TOKEN_VALIDATION_AND_CLIENT_AUTHENTICATION or ID_TOKEN_VALIDATION_ONLY and use a "secretsProvider" to access the client secret.

This secret ID must point to a GenericSecret.

secretsProvider

"secretsProvider": SecretsProvider reference, required to verify ID tokens with HMAC-based signatures

The SecretsProvider to query for the client’s GenericSecret.

When the OpenID provider signs ID tokens using an HMAC algorithm, use this provider to access the "clientSecretId".

skipSignatureVerification

"skipSignatureVerification": configuration expression<boolean>, optional

A flag for signature validation of OpenID Connect ID tokens:

  • true: Don’t validate signatures.

    For backward compatibility, the default value of this property is true.

    Before using the value true, consider the security impact on your deployment. Use only when the connection between the Issuer and Client is direct and well secured.

  • false: Validate signatures.

Default: true

jwtExpirationTimeout (deprecated)

"jwtExpirationTimeout": duration, optional

This property is deprecated. Use authenticatedRegistrationHandler instead. Learn more in the Deprecated section of the Release Notes.

When private_key_jwt is used for authentication, this property specifies the duration for which the JWT is valid.

Default: 1 minute

privateKeyJwtSecretId (deprecated)

"privateKeyJwtSecretId": configuration expression<secret-id>, required when private_key_jwt is used for client authentication

This property is deprecated. Use authenticatedRegistrationHandler instead. Learn more in the Deprecated section of the Release Notes.

The secret ID of the key to sign the JWT.

This secret ID must point to a CryptoKey.

tokenEndpointAuthMethod (deprecated)

"tokenEndpointAuthMethod": enumeration, optional

This property is deprecated. Use authenticatedRegistrationHandler instead. Learn more in the Deprecated section of the Release Notes.

The authentication method with which a client authenticates to the Authorization Server or OpenID provider at the token endpoint. Learn more in the OpenID documentation on Client Authentication.

The following client authentication methods are allowed:

  • client_secret_basic: Clients that have received a client_secret value from the Authorization Server authenticate with the Authorization Server with the HTTP Basic authentication scheme:

    POST /oauth2/token HTTP/1.1
Host: as.example.com
Authorization: Basic ....
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=...

  • client_secret_post: Clients that have received a client_secret value from the Authorization Server authenticate with the Authorization Server with the client credentials in the request body:

    POST /oauth2/token HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&;
client_id=...&
client_secret=...&
code=...

  • private_key_jwt: Clients send a signed JSON Web Token (JWT) to the Authorization Server. PingGateway builds and signs the JWT and prepares the request:

    POST /token HTTP/1.1
Host: as.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=...&
client_id=<clientregistration_id>&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
client_assertion=PHNhbWxwOl ... ZT

    If the Authorization Server doesn’t support private_key_jwt, the dynamic registration falls back to the method returned by the Authorization Server, such as client_secret_basic or client_secret_post.

    If tokenEndpointAuthSigningAlg isn’t configured, the RS256 signing algorithm is used for private_key_jwt.

Consider these points for identity providers:

  • Some providers accept more than one authentication method.

  • If a provider strictly enforces how the client must authenticate, align the authentication method with the provider.

  • If a provider doesn’t support the authentication method, the provider sends an HTTP 400 Bad Request response with an invalid_client error message, according to RFC 6749 The OAuth 2.0 Authorization Framework, section 5.2.

  • If the authentication method is invalid, the provider sends an IllegalArgumentException.

Default: client_secret_basic

tokenEndpointAuthSigningAlg (deprecated)

"tokenEndpointAuthSigningAlg": string, optional

This property is deprecated. Use authenticatedRegistrationHandler instead. Learn more in the Deprecated section of the Release Notes.

The JSON Web Algorithm (JWA) used to sign the JWT that is used to authenticate the client at the token endpoint. The property is used when private_key_jwt is used for authentication.

Use one of the following algorithms:

  • RS256: RSA using SHA-256

  • ES256: ECDSA with SHA-256 and NIST standard P-256 elliptic curve

  • ES384: ECDSA with SHA-384 and NIST standard P-384 elliptic curve

  • ES512: ECDSA with SHA-512 and NIST standard P-521 elliptic curve

Default: RS256

Example

Learn more in AM as OIDC provider.

More information

org.forgerock.openig.filter.oauth2.client.ClientRegistration

Issuer

The OAuth 2.0 Authorization Framework

The OAuth 2.0 Authorization Framework: Bearer Token Usage

OpenID Connect