Dynamic client registration allows developers to register OAuth clients via an API based on open standards. PingFederate supports various client metadata (see Supported client metadata). If specific use cases require additional metadata, add them as extended properties on the System > Extended Properties screen.


Because dynamic client registration can expose your server to unwanted client registrations, it is recommended to protect PingFederate by requiring an initial access token, configuring one or more client registration policies, and protecting access to the dynamic client registration endpoint.


Dynamic client registration requires OAuth client storage in an external datastore, such as a database or LDAP directory. If you have not yet switched from on-disk client storage (default) to an external datastore, refer to Defining an OAuth client datastore for instructions to complete the task.

You may continue with the rest of the configuration; however, dynamic client registration remains inactive until external client storage is defined.

  1. Go to the OAuth Server > Client Settings > Dynamic Client Registration screen.
  2. If you want to enable dynamic client registration, select the relevant check box.

    (This check box is not selected by default.)

  3. Optional: Select the check box to require an initial access token.

    Although optional, it is recommended to select this option to add a layer of protection against unwanted client registrations.

    If selected, you must also select the required scope (or scope group) from the list.

    Furthermore, developers must be set up to obtain access tokens with the required scope (or scope group) from your PingFederate authorization server (AS). For example, you may create a new OAuth client for a group of developers, assign this client a specific scope for the purpose of creating other clients using the OAuth 2.0 Dynamic Client Registration protocol, and let the developers obtain their access tokens directly by completing one of the supported OAuth flows. You may also write a custom web app that completes the OAuth flow to obtain access tokens on behalf of the developers as they make their requests.

When dynamic client registration is active, developers can send client registrations to the /as/clients.oauth2 endpoint to create OAuth clients dynamically.
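
The following sketch is an added example, not PingFederate code: it shows the shape of a registration request to `/as/clients.oauth2` that carries the initial access token as a bearer credential, and how a developer-side tool can read the result. The host name, token value and client metadata are constructed placeholders, and the metadata field names and the 201 success status follow RFC 7591 (OAuth 2.0 Dynamic Client Registration).

```python
import json
import urllib.request
from urllib.parse import urlsplit

REGISTRATION_PATH = "/as/clients.oauth2"  # endpoint named on this page


def build_registration_request(base_url, metadata, initial_access_token=None):
    """Build (without sending) an RFC 7591 registration request."""
    if urlsplit(base_url).scheme != "https":
        # The initial access token is a bearer credential: keep it off cleartext HTTP.
        raise ValueError("base_url must use https")
    for uri in metadata.get("redirect_uris", []):
        parts = urlsplit(uri)
        if not parts.scheme or parts.fragment:
            # RFC 6749 section 3.1.2: redirect URIs are absolute and carry no fragment.
            raise ValueError(f"invalid redirect URI: {uri}")
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if initial_access_token:
        headers["Authorization"] = f"Bearer {initial_access_token}"
    return urllib.request.Request(
        base_url.rstrip("/") + REGISTRATION_PATH,
        data=json.dumps(metadata).encode("utf-8"),
        headers=headers,
        method="POST",
    )


def parse_registration_response(status, body):
    """Return the issued client record, or raise with the server's error code."""
    doc = json.loads(body)
    if status == 201 and "client_id" in doc:
        return doc
    raise RuntimeError(f"{doc.get('error', 'unknown_error')}: "
                       f"{doc.get('error_description', '')}")


# Constructed sample values: host, token and metadata are placeholders.
SAMPLE_METADATA = {
    "client_name": "Example Dev App",
    "redirect_uris": ["https://app.example.com/callback"],
    "grant_types": ["authorization_code"],
    "token_endpoint_auth_method": "client_secret_basic",
}

if __name__ == "__main__":
    req = build_registration_request(
        "https://pf.example.com", SAMPLE_METADATA, "EXAMPLE_INITIAL_TOKEN")
    print(req.get_method(), req.full_url)
    print(dict(req.header_items()))
    print(req.data.decode())
```

When the initial access token requirement is enabled, a request built without the `Authorization` header is the one the server is expected to refuse, which makes this a convenient way to confirm the setting took effect.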