Skip to main content

OAuth 2.0 Dynamic Client Registration with WSO2 Identity Server

This blog post is about OAuth 2.0 Dynamic Client Registration specified in https://tools.ietf.org/html/rfc7591 and how to register your Application with the WSO2 Identity Server dynamically.

Initially, we have to discover the end user's OpenID provider using OpenID discovery before we are able to use any OAuth service in our Application.

Step 1: Discovery

In order to do that we must send a request to the OpenID Connect Discovery endpoint specified in https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery using WebFinger

WebFinger allows to discover about any entity on the Internet that are identified by a URI that uses standard HTTP. It returns a JSON object which is referred to as JRD (JSON Resource Descriptor).

OpenID Connect Discovery is,

https://localhost:9443/.well-known/webfinger

Since we do not have an access token we can use the admin credentials to the WSO2 Identity Server to send the request as all endpoints of the Identity Server are secured with Basic Authentication.

Following information is required to make the request. 

resource - Identifier for the target end user that is the subject of the discovery request. 
HostServer - Where the WebFinger is hosted.
rel - URI identifying the type of service whose location is being requested.


Request


curl -v -k --user admin:admin https://localhost:9443/.well-known/webfinger?resource='acct:admin@localhost&rel=http://openid.net/specs/connect/1.0/issuer'





Response - 


{"subject":"acct:admin@localhost",
"links":[{"rel":"http://openid.net/specs/connect/1.0/issuer",
"href":"https://localhost:9443/oauth2/oidcdiscovery"}]
}


Obtaining the set of Claims about the OpenID Provider

Use the above received href and append /.well-known/openid-configuration to it in order to obtain the set of Claims about the OpenID Provider's configuration, including all necessary endpoints and public key location information.

Request -

curl -v -k --user admin:admin https://localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration


Response - 

{
"scopes_supported":["address","phone","email","profile","openid"],
"issuer":"https://localhost:9443/oauth2/token",
"authorization_endpoint":"https://localhost:9443/oauth2/authorize",
"claims_supported":["birthdate","preferred_username","name","phone_number","profile","region","street_address","locality","zoneinfo","locale","sub","gender","formatted","email_verified","updated_at","middle_name","nickname","email","family_name","website","address","phone_number_verified","Organization","given_name","picture","postal_code","country","iss","acr"],
"token_endpoint":"https://localhost:9443/oauth2/token",
"response_types_supported":["id_token token","code","id_token","token"],
"userinfo_endpoint":"https://localhost:9443/oauth2/userinfo",
"jwks_uri":"https://localhost:9443/oauth2/jwks",
"subject_types_supported":["pairwise"],
"id_token_signing_alg_values_supported":["RS256"],
"registration_endpoint":"https://localhost:9443/identity/connect/register"
}

OpenID Connect Dynamic Client Registration

Step 2:
After discovering the Client Registration Endpoint, Application should send a HTTP POST request to the Client Registration Endpoint as below with the client details.

Request -

curl -v -k --user admin:admin -H "Content-Type: application/json" -d '{"redirect_uris": ["https://localhost:9443/callback"],"client_name": "TestApplication","ext_param_owner":"test_owner","grant_types": ["password"]}' https://localhost:9443/identity/connect/register 


Here the grant types can be any of the below,

  • authorization_code
  • implicit
  • password
  • client_credentials
  • refresh_token

Response -

If the Client is registered successfully server will respond with a 201 CREATED.

{
"grant_types":["password"],
"client_secret_expires_at":"0",
"redirect_uris":["https:\/\/localhost:9443\/callback"],
"client_secret":"zDr1LxWx6tHWkTfmYboSoESkQzUa",
"client_name":"admin_TestApplication",
"client_id":"lBJn4yFwYy_90QQ_RUfAUgvN3lEa"
}

If the registration fails, it will return a 400 Bad Request with the error description as follows.

{
"error": "invalid_redirect_uri",
"error_description": "One or more redirect_uri values are invalid"
}


References


Comments

Popular posts from this blog

Fixing 'java RMI - ConnectException: Operation timed out' in WSO2 Enterprise Integrator 6.4

If you ever come across the below exception when running WSO2 Enterprise Integrator 6.4, here is the fix. This error occurs when you have multiple IP addresses from different networks configured in your etc/hosts as below. 10.xxx.x.xxx localhost 192.xxx.x.xxx localhost So simply, removing the unnecessary one and leaving the one of the network that you are currently connected to should resolve this issue. 10.xxx.x.xxx localhost

Student Information System - Java (SLIIT - ST2 PROJECT)

Student Information System (Github Project) This system is developed in Java and mySQL as a group project by me and 3 other members during a period of 1 month. The system allows the administrator to,  enroll students to the system  update enroll information  add/update course and degree program details  generate reports  create exams and edit relevant information  calculate gpa of the relevant exam  assign lecturers to courses  add lecturers/update details Lecturers to,  assign course grades  view their feedback  generate reports  view student / course / degree program details Students to,  view their profile  view their grading information  give feedback to lecturers   view lecturer / course / degree program details and other features. Below are some interfaces of the project. (Splash Screen) (Login) (Admin View) (Student Re...

SIMPLE BLACKJACK GAME IN JAVA (CONSOLE)

import java.util.Scanner; class BlackJack{     public static void main(String[] args)      {         int player_random1 = 100;         int player_random2 = 100;         while(player_random1 >= 12 || player_random2 >= 12  || player_random1 < 3 || player_random2 <3)         {             player_random1 = (int)(Math.random()*100);             player_random2 = (int)(Math.random()*100);         }                  int player_total = player_random1 + player_random2;                  System.out.println("You get a "+player_random1+" and a "+player_random2);         System.out.println("Your total is "+player_total); if(player_total==21)  ...