
OAuth 2.0 Dynamic Client Registration Protocol RFC 7591

    Details

    • Type: Story
    • Status: Selected for Development
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Epic/Theme:
    • Sprint:
      AS | Iteration 4, AS | Iteration 5, AS | Iteration 6, AS | Iteration 7, AS | Iteration 8, AS | Iteration 9, AS | Iteration 10, AS | Iteration 11, AS | Iteration 12, AS | Iteration 13, AS | Iteration 14, AS | Iteration 15, AS | Iteration 16

      Description

      Dynamic Client Registration Protocol RFC 7591

      RFC 7591 (https://tools.ietf.org/html/rfc7591) defines how 3rd party remote clients can register themselves with an OAuth2 authorization server.

      The registration can be done in one of three ways:
      1. Using an initial access token: the client must present a valid token to be able to register the application (supported by this implementation)
      2. Using a software statement: the client must present a cryptographically signed software statement JWT; the signed statement or its public key is trusted by the authorization server (unsupported)
      3. Open: anybody can register an application (unsupported)
       

              +--------(A)- Initial Access Token (OPTIONAL)
              |
              |   +----(B)- Software Statement (OPTIONAL)
              |   |
              v   v
          +-----------+                                      +---------------+
          |           |--(C)- Client Registration Request -->|    Client     |
          | Client or |                                      | Registration  |
          | Developer |<-(D)- Client Information Response ---|   Endpoint    |
          |           |        or Client Error Response      +---------------+
          +-----------+
      

      1) Obtain the valid token:

      The token contains the current userId, which is later used to create the OAuth2 Application record.

      The token is time limited to 30 minutes and can be used only once.

      2) Send registration request

      The remote client sends its client metadata as JSON to the /o/oauth2/register endpoint and receives a clientId and clientSecret.

      Note: The remote client can register the application only if the authorization token's user is granted the OAuth2Application.ADD_APPLICATION permission. The user becomes the owner of the OAuth 2 Application and, in the case of the "Client Credentials" grant flow, the remote client acts on behalf of that user.

      For example:

      POST http://localhost:8080/o/oauth2/register HTTP/1.1
      Host: localhost.cz:8080
      content-type: application/json
      authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1NDA0MTU5NjQsImlhdCI6MTU0MDQxNDE2NCwic3ViIjoyMDEzOX0.e1t2sJHv8vsByWcdqQRa4NweZ9EQIa70tG2ctZKFCts
      Content-Length: 522

      {
          "application_type": "headless_server",
          "client_name": "Analytics Cloud",
          "client_uri": "https://analytics.liferay.com",
          "grant_types": [
              "client_credentials"
          ],
          "logo_uri": "https://analytics.liferay.com/o/osb-faro-web/images/email/ac-chart.png",
          "scope": "everything.read custom_scope",
          "redirect_uris": [],
          "extensions": [
              "sap",
              "token_introspection"
          ],
          "sap": [
              {
                  "title": "do something on your behalf",
                  "signatures": "#something*",
                  "name": "custom_scope"
              }
          ]
      }
      

      Example response:

      {
       "application_type": "other",
       "client_id": "dynamic-client-3837c8f6-9542-c833-a772-b8c7789a8c25",
       "client_id_issued_at": "1540453190",
       "client_name": "Analytics Cloud",
       "client_secret": "secret-d13a4f50-f8d6-a140-b895-bc27b92b4b3",
       "client_secret_expires_at": "0",
       "client_uri": "https://analytics.liferay.com",
       "contacts": [],
       "extensions": ["sap"],
       "grant_types": ["client_credentials"],
       "logo_uri": "https://analytics.liferay.com/o/osb-faro-web/images/email/ac-chart.png",
       "policy_uri": "",
       "redirect_uris": [],
       "response_types": [],
       "scope": "everything.read custom_scope",
       "software_id": null,
       "software_statement": null,
       "software_version": null,
       "token_endpoint_auth_method": "client_secret_post",
       "tos_uri": null
      }
      

      Client metadata extensions

      The protocol is enhanced with extensions to support token introspection and the Service Access Policy (SAP) framework.

      The extensions are specified as a JSON array:

          "extensions": [
              "sap",
              "token_introspection"
          ]
      

      SAP Extension

      The extension enables a 3rd party application to create new scopes using the Service Access Policy framework:

          "extensions": [
              "sap"
          ],
          "sap": [
              {
                  "title": "do something on your behalf",
                  "signatures": "#something*",
                  "name": "custom_scope"
              }
          ]

      Note: The SAPEntry is created with the privileges of the user that generated the authorization token, i.e. usually only a portal admin can enable 3rd party trusted applications to create SAP profiles.

      Token Introspection Extension

      The Token Introspection feature can be enabled for the client by specifying "token_introspection" inside the "extensions" JSON array.

          "extensions": [
              "token_introspection"
          ]
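      The following Python model is an added illustration and is not Liferay's code nor part of this issue. It ties together the server-side checks the description above implies: an initial access token bound to a user, valid for 30 minutes and consumed on first use; the OAuth2Application.ADD_APPLICATION permission check (represented by a callback); consistency rules on the submitted metadata, including the "sap" and "token_introspection" extensions; and the client information response with client_id, client_id_issued_at, client_secret and token_endpoint_auth_method. The accepted grant types, the https rule for redirect URIs, the error codes (invalid_client_metadata and invalid_redirect_uri from RFC 7591, invalid_token from RFC 6750 for a bad bearer token), and all sample values are assumptions of the example, and the client_id/client_secret formats only mimic the page's response.

```python
import secrets
import time
import uuid

# Everything below is constructed for this example; it is not Liferay's implementation.
INITIAL_TOKEN_TTL = 30 * 60  # the page: the initial access token is valid for 30 minutes
KNOWN_EXTENSIONS = {"sap", "token_introspection"}  # the two extensions the page documents
KNOWN_GRANT_TYPES = {"client_credentials", "authorization_code", "refresh_token"}  # assumption


class RegistrationError(Exception):
    """Carries a client error response: an error code plus a description."""
    def __init__(self, error, description):
        super().__init__(description)
        self.error = error
        self.description = description


class InitialTokenStore:
    """Issues initial access tokens that are bound to a user, expire, and work only once."""
    def __init__(self, now=time.time):
        self._now = now
        self._tokens = {}  # token -> (user_id, issued_at)

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user_id, self._now())
        return token

    def consume(self, token):
        """Validate the token and invalidate it; return the bound user id."""
        entry = self._tokens.pop(token, None)  # pop == single use, even if the checks below fail
        if entry is None:
            raise RegistrationError("invalid_token", "unknown or already used initial access token")
        user_id, issued_at = entry
        if self._now() - issued_at > INITIAL_TOKEN_TTL:
            raise RegistrationError("invalid_token", "initial access token expired")
        return user_id


def validate_metadata(metadata):
    """Consistency checks on the client metadata; returns (grant_types, extensions)."""
    grant_types = metadata.get("grant_types") or ["authorization_code"]  # RFC 7591 default
    unknown = set(grant_types) - KNOWN_GRANT_TYPES
    if unknown:
        raise RegistrationError("invalid_client_metadata", f"unsupported grant_types {sorted(unknown)}")
    redirect_uris = metadata.get("redirect_uris", [])
    if "authorization_code" in grant_types and not redirect_uris:
        raise RegistrationError("invalid_redirect_uri", "authorization_code needs redirect_uris")
    for uri in redirect_uris:  # assumption: plaintext http only for local development callbacks
        if not (uri.startswith("https://") or uri.startswith("http://localhost")):
            raise RegistrationError("invalid_redirect_uri", f"redirect_uri must use https: {uri}")
    extensions = set(metadata.get("extensions", []))
    unknown_ext = extensions - KNOWN_EXTENSIONS
    if unknown_ext:
        raise RegistrationError("invalid_client_metadata", f"unknown extensions {sorted(unknown_ext)}")
    if "sap" in metadata and "sap" not in extensions:
        raise RegistrationError("invalid_client_metadata", "sap entries require the sap extension")
    for entry in metadata.get("sap", []):  # each SAP entry must describe the scope it creates
        if not {"name", "title", "signatures"} <= set(entry):
            raise RegistrationError("invalid_client_metadata", "sap entry needs name, title, signatures")
    return grant_types, sorted(extensions)


def register_client(token_store, has_add_permission, initial_token, metadata, now=time.time):
    """Simulates POST /o/oauth2/register; returns (owner_user_id, client information response)."""
    user_id = token_store.consume(initial_token)
    if not has_add_permission(user_id):  # stands in for the OAuth2Application.ADD_APPLICATION check
        raise RegistrationError("invalid_token", "token user may not add applications")
    grant_types, extensions = validate_metadata(metadata)
    response = {
        "client_id": f"dynamic-client-{uuid.uuid4()}",
        "client_id_issued_at": int(now()),
        "client_secret": f"secret-{uuid.uuid4()}",
        "client_secret_expires_at": 0,  # 0 means the secret does not expire
        "client_name": metadata.get("client_name"),
        "grant_types": grant_types,
        "redirect_uris": metadata.get("redirect_uris", []),
        "scope": metadata.get("scope", ""),
        "extensions": extensions,
        "token_endpoint_auth_method": "client_secret_post",
    }
    return user_id, response


def try_register(token_store, has_add_permission, initial_token, metadata, now=time.time):
    """Wrapper returning ("ok", owner, response) or ("error", code, description)."""
    try:
        owner, response = register_client(token_store, has_add_permission, initial_token, metadata, now)
        return ("ok", owner, response)
    except RegistrationError as exc:
        return ("error", exc.error, exc.description)


# Constructed sample metadata, modelled on the page's request example.
SAMPLE_METADATA = {
    "client_name": "Analytics Cloud",
    "grant_types": ["client_credentials"],
    "scope": "everything.read custom_scope",
    "redirect_uris": [],
    "extensions": ["sap", "token_introspection"],
    "sap": [{"title": "do something on your behalf", "signatures": "#something*", "name": "custom_scope"}],
}
```

      Usage: create an InitialTokenStore, call issue(user_id) for the user who will own the application, then pass that token together with the metadata to try_register. A second call with the same token, a call after 30 minutes, or a call whose user fails the permission callback all yield an invalid_token error before any metadata is examined; the token is invalidated on first presentation regardless of outcome, which is what makes it single-use.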
      


              People

              Assignee:
              tomas.polesovsky Tomáš Polešovský
              Reporter:
              tomas.polesovsky Tomáš Polešovský