ClientRegistration
A ClientRegistration holds information about registration with an OAuth 2.0 Authorization Server or OpenID Provider.
The configuration includes the client credentials that are used to authenticate to the identity provider. The client credentials can be included directly in the configuration, or retrieved in some other way using an expression, described in Expressions.
Usage
{
"name": string,
"type": "ClientRegistration",
"config": {
"clientId": configuration expression<string>,
"issuer": Issuer reference,
"scopes": [ configuration expression<string>, ...],
"registrationHandler": Handler reference,
"authenticatedRegistrationHandler": Handler reference,
"clientSecretUsage": configuration expression<enumeration>,
"clientSecretId": configuration expression<secret-id>,
"secretsProvider": SecretsProvider reference,
"skipSignatureVerification": configuration expression<boolean>,
"jwtExpirationTimeout": duration, //deprecated
"privateKeyJwtSecretId": configuration expression<secret-id>, //deprecated
"tokenEndpointAuthMethod": enumeration, //deprecated
"tokenEndpointAuthSigningAlg": string //deprecated
}
}
Properties
"clientId"
: configuration expression<string>, required-
The
client_id
obtained when registering with the Authorization Server. See also Expressions.When using a login page with AuthorizationCodeOAuth2ClientFilter, the link to the
/login
endpoint must refer to a validclientId
identified by this property. "issuer"
: Issuer reference, required-
The provider configuration to use for this client registration. Provide either the name of a Issuer object defined in the heap or an inline Issuer configuration object. See also Issuer.
"scopes"
: array of configuration expression<strings>, optional-
Array of scope strings to present to the user for approval, and include in tokens so that protected resources can make decisions about access.
Default: Empty
"registrationHandler"
: Handler reference, optional-
HTTP client handler to invoke during client registration, to access endpoints that do not require client authentication. Provide either the name of a Handler object defined in the heap or an inline Handler configuration object.
Usually set this to the name of a ClientHandler configured in the heap, or a chain that ends in a ClientHandler.
Default: ClientHandler.
"authenticatedRegistrationHandler"
: Handler reference, optional-
HTTP client handler to invoke during client registration, to access endpoints that require client authentication. Configure this property as a Chain, using one of the following filters for client authentication:
{ "name": "AuthenticatedRegistrationHandler", "type": "Chain", "config": { "handler": "ForgeRockClientHandler", "filters": [ { "type": "ClientSecretBasicAuthenticationFilter", "config": { "clientId": "service-client", "clientSecretId": "client.secret.id", "secretsProvider" : "SystemAndEnvSecretStore-1" } } ] } }
Default:
registrationHandler
with no authentication filter. "clientSecretUsage"
: configuration expression<enumeration>, optional-
Specifies how to use the
"clientSecretId"
; one of:-
CLIENT_AUTHENTICATION_ONLY
-
ID_TOKEN_VALIDATION_AND_CLIENT_AUTHENTICATION
-
ID_TOKEN_VALIDATION_ONLY
Default:
CLIENT_AUTHENTICATION_ONLY
-
"clientSecretId"
: configuration expression<secret-id>, required to verify ID tokens with HMAC-based signatures-
The secret ID of the client secret.
Set this for ID token validation when the OpenID provider signs ID tokens using an HMAC algorithm. In addition, set
"clientSecretUsage"
toID_TOKEN_VALIDATION_AND_CLIENT_AUTHENTICATION
orID_TOKEN_VALIDATION_ONLY
and use a"secretsProvider"
to access the client secret.This secret ID must point to a GenericSecret.
"secretsProvider"
: SecretsProvider reference, required to verify ID tokens with HMAC-based signatures-
The SecretsProvider object to query for the client’s GenericSecret. For more information, see SecretsProvider.
When the OpenID provider signs ID tokens using an HMAC algorithm, use this provider to access the
"clientSecretId"
. "skipSignatureVerification"
: configuration expression<boolean>, optional-
A flag for signature validation of OpenID Connect ID tokens:
-
true
: Don’t validate signatures.By default, for backward compatibility in this release, the default value of this property is
true
.Before using the value
true
, consider the security impact on your deployment. Use only when the connection between the Issuer and Client is direct and well secured. -
false
: Validate signatures.
Default:
true
-
"jwtExpirationTimeout"
: duration, optional-
This property is deprecated; use authenticatedRegistrationHandler
instead. For more information, refer to the Deprecated section of the Release Notes.When
private_key_jwt
is used for authentication, this property specifies the duration for which the JWT is valid.Default: 1 minute
"privateKeyJwtSecretId"
: configuration expression<secret-id>, required whenprivate_key_jwt
is used for client authentication-
This property is deprecated; use authenticatedRegistrationHandler
instead. For more information, refer to the Deprecated section of the Release Notes.The secret ID of the key to sign the JWT.
This secret ID must point to a CryptoKey.
"tokenEndpointAuthMethod"
: enumeration, optional-
This property is deprecated; use authenticatedRegistrationHandler
instead. For more information, refer to the Deprecated section of the Release Notes.The authentication method with which a client authenticates to the authorization server or OpenID provider at the token endpoint. For information about client authentication methods, see OpenID Client Authentication. The following client authentication methods are allowed:
-
client_secret_basic
: Clients that have received aclient_secret
value from the Authorization Server authenticate with the Authorization Server by using the HTTP Basic authentication scheme, as in the following example:POST /oauth2/token HTTP/1.1 Host: as.example.com Authorization: Basic .... Content-Type: application/x-www-form-urlencoded grant_type=authorization_code& code=...
-
client_secret_post
: Clients that have received aclient_secret
value from the Authorization Server authenticate with the Authorization Server by including the client credentials in the request body, as in the following example:POST /oauth2/token HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&; client_id=...& client_secret=...& code=...
-
private_key_jwt
: Clients send a signed JSON Web Token (JWT) to the Authorization Server. PingGateway builds and signs the JWT, and prepares the request as in the following example:POST /token HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded grant_type=authorization_code& code=...& client_id=<clientregistration_id>& client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer& client_assertion=PHNhbWxwOl ... ZT
If the Authorization Server doesn’t support
private_key_jwt
, a dynamic registration falls back on the method returned by the Authorization Server, for example,client_secret_basic
orclient_secret_post
.If
tokenEndpointAuthSigningAlg
is not configured, theRS256
signing algorithm is used forprivate_key_jwt
.
Consider these points for identity providers:
-
Some providers accept more than one authentication method.
-
If a provider strictly enforces how the client must authenticate, align the authentication method with the provider.
-
If a provider doesn’t support the authentication method, the provider sends an HTTP 400 Bad Request response with an
invalid_client
error message, according to RFC 6749 The OAuth 2.0 Authorization Framework, section 5.2 . -
If the authentication method is invalid, the provider sends an
IllegalArgumentException
.
Default:
client_secret_basic
-
"tokenEndpointAuthSigningAlg"
: string, optional-
This property is deprecated; use authenticatedRegistrationHandler
instead. For more information, refer to the Deprecated section of the Release Notes.The JSON Web Algorithm (JWA) used to sign the JWT that is used to authenticate the client at the token endpoint. The property is used when
private_key_jwt
is used for authentication.Use one of the following algorithms:
-
RS256
: RSA using SHA-256 -
ES256
: ECDSA with SHA-256 and NIST standard P-256 elliptic curve -
ES384
: ECDSA with SHA-384 and NIST standard P-384 elliptic curve -
ES512
: ECDSA with SHA-512 and NIST standard P-521 elliptic curve
Default:
RS256
-
Example
Refer to AM as a single OpenID Connect provider.