OAuth 2.0 Dynamic Client Registration with WSO2 Identity Server

This blog post is about OAuth 2.0 Dynamic Client Registration specified in https://tools.ietf.org/html/rfc7591 and how to register your Application with the WSO2 Identity Server dynamically.

Initially, we have to discover the end user's OpenID provider using OpenID discovery before we are able to use any OAuth service in our Application.

Step 1: Discovery

In order to do that we must send a request to the OpenID Connect Discovery endpoint specified in https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery using WebFinger.

WebFinger allows to discover about any entity on the Internet that are identified by a URI that uses standard HTTP. It returns a JSON object which is referred to as JRD (JSON Resource Descriptor).

OpenID Connect Discovery is,

https://localhost:9443/.well-known/webfinger

Since we do not have an access token we can use the admin credentials to the WSO2 Identity Server to send the request as all endpoints of the Identity Server are secured with Basic Authentication.

Following information is required to make the request.

resource - Identifier for the target end user that is the subject of the discovery request.

HostServer - Where the WebFinger is hosted.

rel - URI identifying the type of service whose location is being requested.

Request -

curl -v -k --user admin:admin https://localhost:9443/.well-known/webfinger?resource='acct:admin@localhost&rel=http://openid.net/specs/connect/1.0/issuer'

Response -

{"subject":"acct:admin@localhost",

"links":[{"rel":"http://openid.net/specs/connect/1.0/issuer",

"href":"https://localhost:9443/oauth2/oidcdiscovery"}]

}

Obtaining the set of Claims about the OpenID Provider

Use the above received href and append /.well-known/openid-configuration to it in order to obtain the set of Claims about the OpenID Provider's configuration, including all necessary endpoints and public key location information.

Request -

curl -v -k --user admin:admin https://localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration

Response -

{

"scopes_supported":["address","phone","email","profile","openid"],

"issuer":"https://localhost:9443/oauth2/token",

"authorization_endpoint":"https://localhost:9443/oauth2/authorize",

"claims_supported":["birthdate","preferred_username","name","phone_number","profile","region","street_address","locality","zoneinfo","locale","sub","gender","formatted","email_verified","updated_at","middle_name","nickname","email","family_name","website","address","phone_number_verified","Organization","given_name","picture","postal_code","country","iss","acr"],

"token_endpoint":"https://localhost:9443/oauth2/token",

"response_types_supported":["id_token token","code","id_token","token"],

"userinfo_endpoint":"https://localhost:9443/oauth2/userinfo",

"jwks_uri":"https://localhost:9443/oauth2/jwks",

"subject_types_supported":["pairwise"],

"id_token_signing_alg_values_supported":["RS256"],

"registration_endpoint":"https://localhost:9443/identity/connect/register"

}

OpenID Connect Dynamic Client Registration

Step 2:

After discovering the Client Registration Endpoint, Application should send a HTTP POST request to the Client Registration Endpoint as below with the client details.

Request -

curl -v -k --user admin:admin -H "Content-Type: application/json" -d '{"redirect_uris": ["https://localhost:9443/callback"],"client_name": "TestApplication","ext_param_owner":"test_owner","grant_types": ["password"]}' https://localhost:9443/identity/connect/register

Here the grant types can be any of the below,


authorization_code
implicit
password
client_credentials
refresh_token

Response -

If the Client is registered successfully server will respond with a 201 CREATED.

{

"grant_types":["password"],

"client_secret_expires_at":"0",

"redirect_uris":["https:\/\/localhost:9443\/callback"],

"client_secret":"zDr1LxWx6tHWkTfmYboSoESkQzUa",

"client_name":"admin_TestApplication",

"client_id":"lBJn4yFwYy_90QQ_RUfAUgvN3lEa"

}

If the registration fails, it will return a 400 Bad Request with the error description as follows.

{

"error": "invalid_redirect_uri",

"error_description": "One or more redirect_uri values are invalid"

}

References

[1] https://tools.ietf.org/html/rfc7591

[2] https://connect2id.com/blog/oauth-openid-connect-client-registration-explained

[3] https://docs.wso2.com/display/IS530/OpenID+Connect+Discovery

[4] https://docs.wso2.com/display/IS530/OpenID+Connect+Dynamic+Client+Registration

Calculator using PHP

This Calculator model will take inputs from the Number 1 and Number 2 fields and when the user clicks on the relevant operator the result will be displayed in the Results field. For log10(), to radian, to degree, sin, cos, tan operations only require one input. Hence, the user is instructed to input the values to the 1st field only. First, before proceeding with the calculation, we need to obtain the values from the text boxes. For that we should include all the form elements inside a form. The result is directed to the same page. Therefore we will use the form action as $_SERVER['PHP_SELF'] and the method as post. Next, we can obtain the values in the text boxes. $_POST[' form_element_name '] will give you the value of the respective element. We can write the php code as follows (in the <head>) to obtain the value from Number 1 and Number 2 fields. <?php $num1=$_POST['num1']; //num1 is the name of th

Blog of Dinuksha Ishwari

Search This Blog