{
  "name": "20 - Protect authorization server dynamic client registration endpoint",
  "comment": "Validate that dynamic client registration (DCR) requests are FAPI-compliant before they are forwarded to the authorization server. The client certificate is read from the ssl-client-cert request header, so this route must only be reachable through the TLS-terminating proxy that sets that header; if a caller can set the header directly, it can present an arbitrary certificate. Note also that the route condition matches the /register path by prefix only (no end anchor).",
  "baseURI": "https://&{tenantHostname}",
  "condition": "${find(request.uri.path, '^/am/oauth2/realms/root/realms/&{realm}/register')}",
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "FapiDcrFilterChain",
          "config": {
            "apiClientOrgService": "IdmApiClientOrganisationService",
            "apiClientService": "IdmApiClientService",
            "comment": "allowPingIssuedTestCerts is set to true here for test/sandbox environments only. It must be set to false (or removed) before this route is deployed to production, otherwise Ping-issued test certificates are accepted for client registration alongside the trusted directory's certificates.",
            "allowPingIssuedTestCerts": true,
            "clientCertificate": "${pemCertificate(urlDecode(request.headers['ssl-client-cert'][0]))}",
            "clientId": "${request.queryParams.client_id[0]}",
            "forwardedHost": "&{tenantHostname}",
            "jwkSetService": "JwkSetService",
            "trustedDirectoryService": "TrustedDirectoryService",
            "supportedSigningAlgorithms": [
              "PS256"
            ],
            "supportedTokenEndpointAuthMethods": "${oauth2.tokenEndpointAuthMethodsSupported}"
          }
        },
        {
          "name": "AddGatewayAccessTokenForNewRegistrations",
          "comments": [
            "For new registrations (POST), the gateway obtains a client_credentials access token with the dynamic_client_registration scope, authenticating with its own client ID and a secret resolved from SystemAndEnvSecretStore (never stored in this file), and attaches the token to the forwarded request.",
            "For any other method (managing an existing registration), this filter is skipped and the caller must supply the registration_access_token returned in the original DCR response."
          ],
          "type": "ConditionalFilter",
          "config": {
            "condition": "${request.method == 'POST'}",
            "delegate": {
              "type": "ClientCredentialsOAuth2ClientFilter",
              "config": {
                "tokenEndpoint": "https://&{tenantHostname}/am/oauth2/realms/root/realms/&{realm}/access_token",
                "scopes": [
                  "dynamic_client_registration"
                ],
                "endpointHandler": {
                  "name": "ClientCredentialsOAuth2ClientFilterHandler",
                  "type": "Chain",
                  "config": {
                    "handler": "ForgeRockClientHandler",
                    "filters": [
                      {
                        "type": "ClientSecretBasicAuthenticationFilter",
                        "config": {
                          "clientId": "&{gatewayOAuth2ClientId}",
                          "clientSecretId": "gateway.oauth2.client.secret",
                          "secretsProvider": "SystemAndEnvSecretStore"
                        }
                      }
                    ]
                  }
                }
              }
            }
          }
        }
      ],
      "handler": "PlatformReverseProxyHandler"
    }
  }
}