Dynamic Client Registration API#
Dynamic Clients may be Templatized or Non-Templatized.
To use Templatized Clients, first a Template Client must be created. That is just a normal Client which is also configured to be a Template as shown below:
Admin UI → Profiles → Oauth → Oauth Dev → Clients → Client

Templatized Dynamic Client Registration#
Creating a templatized client requires only a single parameter to indicate which client template to instantiate.
| Parameter | Type | Description |
|---|---|---|
| software_id | String | The ID of the client template to instantiate. |
The Template Client used by the Dynamic Client must configure the following settings:
| Setting | Description |
|---|---|
| Client Authentication Method | The authentication method that the templatized client should use to authenticate. Must be either Client Secret or Credential Manager (see Client Authentication). |
Non-Templatized Dynamic Client Registration#
When creating a regular DCR client, the request is a combination of grant_types and additional settings that depend on which grant_types are requested.
| Parameter | Type | Description |
|---|---|---|
| access_token_ttl | Integer | The TTL of the access token in seconds. |
| allow_per_request_redirect_uris | Boolean | (Deprecated.) When using PAR, whether each request is allowed to vary the redirect_uri. This is being replaced by redirect policies, which are configured on the profile. |
| allowed_origins | String Array | A list of URLs allowed to frame the flows. |
| application_url | URI | A URL of the application that the user may be redirected to if the session expires or the user bookmarks the login. Must reside on the same domain as a redirect URI. |
| authenticator_filters | String Array | A list of authenticator filter IDs. |
| authorization_signed_response_alg | String | The algorithm to use for JWT Secured Authorization Response Mode (JARM). |
| backchannel_authentication_request_signing_alg | String | The algorithm to use for signed requests when using CIBA. |
| backchannel_client_notification_endpoint | - | Not used, as only the poll delivery mode is supported. |
| backchannel_logout_uri | URI | A URI to call during OIDC back-channel logout. |
| backchannel_token_delivery_mode | String | The only available mode is poll. |
| backchannel_user_code_parameter | Boolean | Whether the back-channel user code should be used with CIBA. |
| client_name | String | A human-readable name of the client. |
| client_secret_expires_at | - | Not supported. |
| client_uri | URI | A URI to a web page showing information about the client. Must reside on the same domain as a redirect URI. |
| default_max_age | Integer | The default max_age used for user authentication. |
| default_acr_values | String Array | The authenticator ACRs to be used for this client. |
| disallowed_proof_key_challenge_methods | String Array | A list of PKCE challenge methods that should be disabled. |
| frontchannel_logout_uri | URI | A URI to call during front-channel logout. Must reside on the same domain as a redirect URI. |
| grant_types | String Array | A list of grant types and capabilities for this client. Possible values are: authorization_code, client_credentials, https://curity.se/grant/assisted-token, implicit, urn:ietf:params:oauth:grant-type:device_code, urn:openid:params:grant-type:ciba, password. |
| id_token_encrypted_response_alg | String | The key encryption algorithm to use for encrypted ID token responses. |
| id_token_encrypted_response_enc | String | The content encryption algorithm to use for encrypted ID token responses. |
| id_token_signed_response_alg | String | The ID token signing algorithm to be used. |
| id_token_ttl | Integer | The number of seconds the ID token should be valid for. |
| initiate_login_uri | URI | RP-initiated login URI. Must reside on the same domain as a redirect URI. |
| jwks | JSON | A JSON Web Key Set containing the public keys this client will use. Combine with token_endpoint_auth_method to enable client assertions for client authentication. |
| jwks_uri | URI | A URI pointing to a JWKS resource where the public keys for the client are published. Combine with token_endpoint_auth_method to enable client assertions for client authentication. |
| logo_uri | URI | A URI to a logo for the client. Must reside on the same domain as a redirect URI. |
| policy_uri | URI | A URI to the privacy policy for the client. Must reside on the same domain as a redirect URI. |
| post_logout_redirect_uris | URI Array | A set of URIs the user may be redirected to after logout. |
| redirect_uris | URI Array | A set of URIs allowed to redirect to for front-channel flows. |
| refresh_token_max_rolling_lifetime | Integer | The maximum number of seconds the refresh tokens may be refreshed, counted from the time of original issuance. |
| refresh_token_ttl | Integer | Time in seconds that the refresh token is valid. 0 disables the use of refresh tokens. |
| request_object_signing_alg | String | The whitelisted request object signing algorithm to be used with this client. |
| request_uris | URI Array | A list of request_uri values allowed for request objects passed by reference. |
| require_proof_key | Boolean | Requires PKCE to always be used if set to true. |
| require_pushed_authorization_requests | Boolean | Requires PAR to always be used if set to true. |
| requires_consent | Boolean | Enables user consent for this client. |
| scope | String | Space-separated string of scopes. |
| sector_identifier_uri | URI | Sector identifier URI for use with PPID. |
| subject_type | String | public or pairwise. pairwise enables PPID. |
| tls_client_auth_subject_dn | String | The client certificate DN. |
| token_endpoint_auth_method | String | The authentication method to use on the token endpoint for client authentication. |
| token_endpoint_auth_signing_alg | String | The signing algorithm to use on the token endpoint for client authentication. |
| tos_uri | URI | A URI to the terms of service for the client. Must reside on the same domain as a redirect URI. |
| userinfo_signed_response_alg | String | The signing algorithm to use for signed userinfo responses. Setting this effectively turns on signed userinfo responses. |
Template Area In Non-Templatized Dynamic Client Registration#
The template area (used by authenticators during OAuth flows) of a non-templatized DCR client can only be set with a pre-processing procedure. Sending a template_area field in a registration request results in the field being stored the same way as any other custom property (described below). That template_area (the one sent in the registration request) has no effect on which template area authenticators use during OAuth flows run by the registered non-templatized DCR client.
If a template_area field is sent in the registration request and one is also set in a pre-processing procedure, the template_area from the request is stored as a custom property, and the template_area from the pre-processing procedure is stored as well and is the one used by authenticators (the two template areas do not overwrite one another).
Example of a pre-processing procedure that sets the template area:
```javascript
// Pre-processing procedure: the template_area returned here is the one
// authenticators use during OAuth flows for this client.
function result(context) {
    return {
        template_area: 'custom-area',
    };
}
```
Custom Client Properties#
It is possible to send custom properties that should be stored as client properties. Any non-standard parameter is recognized as a custom client property and stored as such. These properties are later available, for example when issuing tokens.
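As an added example (not part of Curity's documentation or product), the following Python pre-flight check applies the rules stated in the non-templatized table and in this section to a registration request body before it is sent: it flags grant_types values outside the listed set, checks the same-domain rule for the URI parameters by comparing hostnames against redirect_uris (the page does not define how domains are matched, so hostname equality is an assumption here), and separates standard parameters from the custom properties that will be stored, which is where a template_area sent in the request ends up. The sample request is constructed for the example.

```python
from urllib.parse import urlparse

KNOWN_GRANT_TYPES = {  # values listed in the grant_types row above
    "authorization_code", "client_credentials", "implicit", "password",
    "https://curity.se/grant/assisted-token",
    "urn:ietf:params:oauth:grant-type:device_code", "urn:openid:params:grant-type:ciba",
}
SAME_DOMAIN_AS_REDIRECT = {  # rows that say "Must reside on the same domain as a redirect URI"
    "application_url", "client_uri", "frontchannel_logout_uri",
    "initiate_login_uri", "logo_uri", "policy_uri", "tos_uri",
}
# Every standard parameter from the tables; anything else is a custom property.
STANDARD_PARAMS = SAME_DOMAIN_AS_REDIRECT | set("""
software_id access_token_ttl allow_per_request_redirect_uris allowed_origins
authenticator_filters authorization_signed_response_alg backchannel_logout_uri
backchannel_authentication_request_signing_alg backchannel_user_code_parameter
backchannel_client_notification_endpoint backchannel_token_delivery_mode
client_name client_secret_expires_at default_max_age default_acr_values
disallowed_proof_key_challenge_methods grant_types id_token_signed_response_alg
id_token_encrypted_response_alg id_token_encrypted_response_enc id_token_ttl
jwks jwks_uri post_logout_redirect_uris redirect_uris refresh_token_ttl
refresh_token_max_rolling_lifetime request_object_signing_alg request_uris
require_proof_key require_pushed_authorization_requests requires_consent scope
sector_identifier_uri subject_type tls_client_auth_subject_dn
token_endpoint_auth_method token_endpoint_auth_signing_alg userinfo_signed_response_alg
""".split())


def validate_dcr_request(body: dict) -> tuple[list[str], dict]:
    """Return (problems, custom_properties) for a registration request body."""
    problems = []
    for grant in body.get("grant_types", []):
        if grant not in KNOWN_GRANT_TYPES:
            problems.append(f"unknown grant type: {grant}")
    # Assumption: "same domain" is checked as hostname equality with a redirect URI.
    redirect_hosts = {urlparse(u).hostname for u in body.get("redirect_uris", [])}
    for name in sorted(set(body) & SAME_DOMAIN_AS_REDIRECT):
        if urlparse(body[name]).hostname not in redirect_hosts:
            problems.append(f"{name} is not on the domain of a redirect URI")
    # A template_area sent in the request lands here: it is stored as a custom property.
    custom = {k: v for k, v in body.items() if k not in STANDARD_PARAMS}
    return problems, custom


# Constructed sample (not from the page): one unlisted grant type, one off-domain
# logo_uri, and template_area plus another custom property.
SAMPLE_REQUEST = {
    "client_name": "Example SPA", "template_area": "custom-area", "tier": "gold",
    "grant_types": ["authorization_code", "refresh_token"],
    "redirect_uris": ["https://app.example.com/callback"],
    "logo_uri": "https://cdn.example.net/logo.png",
}
```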