This blog post is about OAuth 2.0 Dynamic Client Registration, specified in https://tools.ietf.org/html/rfc7591, and how to register your Application with the WSO2 Identity Server dynamically.
Before our Application can use any OAuth service, we first have to discover the end user's OpenID Provider using OpenID Connect Discovery.
Step 1: Discovery
To do that we send a request to the OpenID Connect Discovery endpoint, specified in https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery, using WebFinger.
WebFinger allows discovering information about any entity on the Internet that is identified by a URI, over standard HTTP. It returns a JSON object referred to as a JRD (JSON Resource Descriptor).
The OpenID Connect Discovery (WebFinger) endpoint of the Identity Server is:
https://localhost:9443/.well-known/webfinger
Since we do not have an access token yet, we use the admin credentials of the WSO2 Identity Server to send the request, as all endpoints of the Identity Server are secured with Basic Authentication.
The following information is required to make the request:
- resource - Identifier for the target end user that is the subject of the discovery request.
- HostServer - Where the WebFinger endpoint is hosted.
- rel - URI identifying the type of service whose location is being requested.
Request -
curl -v -k --user admin:admin 'https://localhost:9443/.well-known/webfinger?resource=acct:admin@localhost&rel=http://openid.net/specs/connect/1.0/issuer'
Response -
{
"subject":"acct:admin@localhost",
"links":[{"rel":"http://openid.net/specs/connect/1.0/issuer",
"href":"https://localhost:9443/oauth2/oidcdiscovery"}]
}
Obtaining the set of Claims about the OpenID Provider
Append /.well-known/openid-configuration to the href received above to obtain the set of Claims about the OpenID Provider's configuration, including all necessary endpoints and the public key location information.
Request -
curl -v -k --user admin:admin https://localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration
Response -
{
"scopes_supported":["address","phone","email","profile","openid"],
"issuer":"https://localhost:9443/oauth2/token",
"authorization_endpoint":"https://localhost:9443/oauth2/authorize",
"claims_supported":["birthdate","preferred_username","name","phone_number","profile","region","street_address","locality","zoneinfo","locale","sub","gender","formatted","email_verified","updated_at","middle_name","nickname","email","family_name","website","address","phone_number_verified","Organization","given_name","picture","postal_code","country","iss","acr"],
"token_endpoint":"https://localhost:9443/oauth2/token",
"response_types_supported":["id_token token","code","id_token","token"],
"userinfo_endpoint":"https://localhost:9443/oauth2/userinfo",
"jwks_uri":"https://localhost:9443/oauth2/jwks",
"subject_types_supported":["pairwise"],
"id_token_signing_alg_values_supported":["RS256"],
"registration_endpoint":"https://localhost:9443/identity/connect/register"
}
Step 2: OpenID Connect Dynamic Client Registration
After discovering the Client Registration Endpoint, the Application sends an HTTP POST request to the Client Registration Endpoint, as below, with the client details.
Request -
curl -v -k --user admin:admin -H "Content-Type: application/json" -d '{"redirect_uris": ["https://localhost:9443/callback"],"client_name": "TestApplication","ext_param_owner":"test_owner","grant_types": ["password"]}' https://localhost:9443/identity/connect/register
Here the grant types can be any of the below:
- authorization_code
- implicit
- password
- client_credentials
- refresh_token
Response -
If the Client is registered successfully, the server responds with 201 Created:
{
"grant_types":["password"],
"client_secret_expires_at":"0",
"redirect_uris":["https:\/\/localhost:9443\/callback"],
"client_secret":"zDr1LxWx6tHWkTfmYboSoESkQzUa",
"client_name":"admin_TestApplication",
"client_id":"lBJn4yFwYy_90QQ_RUfAUgvN3lEa"
}
If the registration fails, the server returns 400 Bad Request with an error description, for example:
{
"error": "invalid_redirect_uri",
"error_description": "One or more redirect_uri values are invalid"
}
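As an added example (not code from this post or from WSO2), here is the same two-step flow in Python: WebFinger lookup, provider configuration fetch, then registration, with the client checking the JRD subject, insisting on https endpoints and handling the 201 and 400 outcomes shown above. The `fetch` callable, the `sample_fetch` stand-in and its constructed responses with placeholder credentials are assumptions, not a live server.

```python
from urllib.parse import urlencode

ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"
ALLOWED_GRANTS = {"authorization_code", "implicit", "password", "client_credentials", "refresh_token"}

def webfinger_url(host, resource):
    # Step 1: WebFinger query; both parameters are URL-encoded (the curl form above passes them raw).
    return f"https://{host}/.well-known/webfinger?" + urlencode({"resource": resource, "rel": ISSUER_REL})

def issuer_href(jrd, resource):
    # Trust the JRD only if it describes the resource we asked for and carries an https issuer link.
    if jrd.get("subject") != resource:
        raise ValueError("JRD subject does not match the requested resource")
    for link in jrd.get("links", []):
        if link.get("rel") == ISSUER_REL and str(link.get("href", "")).startswith("https://"):
            return link["href"]
    raise ValueError("no https OpenID issuer link in JRD")

def registration_request(client_name, redirect_uris, grant_types):
    # Reject grant types the post does not list and non-TLS redirect URIs before anything leaves the client.
    if set(grant_types) - ALLOWED_GRANTS:
        raise ValueError(f"unsupported grant_types: {sorted(set(grant_types) - ALLOWED_GRANTS)}")
    if not all(u.startswith("https://") for u in redirect_uris):
        raise ValueError("redirect_uris must use https")
    return {"client_name": client_name, "redirect_uris": list(redirect_uris), "grant_types": list(grant_types)}

def register_client(fetch, host, resource, client_name, redirect_uris, grant_types):
    # fetch(method, url, json_body) -> (status, parsed_json). A live transport must verify TLS (no curl -k).
    status, jrd = fetch("GET", webfinger_url(host, resource), None)
    status, cfg = fetch("GET", issuer_href(jrd, resource).rstrip("/") + "/.well-known/openid-configuration", None)
    if status != 200 or not str(cfg.get("registration_endpoint", "")).startswith("https://"):
        raise RuntimeError("no usable registration_endpoint in provider configuration")
    status, body = fetch("POST", cfg["registration_endpoint"], registration_request(client_name, redirect_uris, grant_types))
    if status == 201:  # Step 2 succeeded: keep the issued credentials, never log client_secret
        return {k: body[k] for k in ("client_id", "client_secret", "client_name")}
    raise RuntimeError(f"registration failed: {status} {body.get('error')}: {body.get('error_description')}")

def sample_fetch(method, url, body):
    # Constructed offline stand-in answering with responses modelled on the ones shown in this post.
    if url == webfinger_url("localhost:9443", "acct:admin@localhost"):
        return 200, {"subject": "acct:admin@localhost", "links": [{"rel": ISSUER_REL, "href": "https://localhost:9443/oauth2/oidcdiscovery"}]}
    if url == "https://localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration":
        return 200, {"registration_endpoint": "https://localhost:9443/identity/connect/register"}
    if method == "POST" and url == "https://localhost:9443/identity/connect/register":
        if body["redirect_uris"] == ["https://localhost:9443/callback"]:
            return 201, {"client_id": "CONSTRUCTED_ID", "client_secret": "CONSTRUCTED_SECRET", "client_name": "admin_" + body["client_name"]}
        return 400, {"error": "invalid_redirect_uri", "error_description": "One or more redirect_uri values are invalid"}
    return 404, {}
```

Calling `register_client(sample_fetch, "localhost:9443", "acct:admin@localhost", "TestApplication", ["https://localhost:9443/callback"], ["password"])` returns the constructed client_id, client_secret and the server-prefixed client_name; an unregistered redirect URI surfaces the invalid_redirect_uri error as an exception.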