Status: Selected for Development
Affects Version/s: None
Fix Version/s: None
Sprint: AS | Iteration 4, AS | Iteration 5, AS | Iteration 6, AS | Iteration 7, AS | Iteration 8, AS | Iteration 9, AS | Iteration 10, AS | Iteration 11, AS | Iteration 12, AS | Iteration 13, AS | Iteration 14, AS | Iteration 15, AS | Iteration 16
Git Pull Request:
RFC 7591 (https://tools.ietf.org/html/rfc7591) defines how third-party remote clients can register themselves with an OAuth2 authorization server.
Registration can be done in one of three ways:
1. Using an initial access token: the client must present a valid token to be allowed to register an application. Supported by this implementation.
2. Using a software statement: the client must present a cryptographically signed software statement (a JWT); the statement itself, or the key that signed it, must be trusted by the authorization server. Not supported.
3. Open registration: anybody can register an application. Not supported.
The initial access token carries the userId of the user who generated it; that user is later recorded on the OAuth2 Application that the registration creates.
The token is valid for 30 minutes and can be used only once.
The remote client sends its client metadata as JSON to the /o/oauth2/register endpoint and receives a clientId and clientSecret in the response.
Note: The remote client can register an application only if the user who generated the initial access token has the OAuth2Application.ADD_APPLICATION permission. That user becomes the owner of the OAuth 2 Application, and in the "Client Credentials" grant flow the remote client acts on behalf of that user. Handing out an initial access token is therefore a delegation of that user's authority, and it should be issued only to clients trusted to that extent.
The protocol is extended with additional client metadata to support token introspection and the Service Access Policy (SAP) framework.
The extensions are specified as a JSON array in the registration request.
One extension lets a third-party application create new scopes through the Service Access Policy framework: an SAPEntry is created for the application.
Note: The SAPEntry is created with the privileges of the user who generated the initial access token, so in practice only a portal administrator can enable a trusted third-party application to create SAP profiles.
Token introspection is enabled for the client by including "token_introspection" in the "extensions" JSON array of the client metadata.
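The following Python sketch is an added example, not Liferay's implementation, of the registration exchange described above: a remote client posts RFC 7591 client metadata (including the "extensions" array carrying "token_introspection") to /o/oauth2/register with a Bearer initial access token, and a stand-in authorization server enforces the one-time, 30-minute token, the OAuth2Application.ADD_APPLICATION permission check and basic metadata validation before issuing a client_id and client_secret. The in-memory classes, the "insufficient_permission" error code, the https-only redirect URI rule and the stored token_introspection flag are assumptions of the example; the SAP extension's metadata key is not given on the page, so it is not modelled.

```python
"""Added example (not Liferay code): RFC 7591 client registration gated by a
one-time, 30-minute initial access token, with the Liferay-style "extensions" array."""
import json
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 30 * 60                       # page: token is valid for 30 minutes
ADD_APPLICATION = "OAuth2Application.ADD_APPLICATION"
KNOWN_EXTENSIONS = {"token_introspection"}        # the only extension named on the page


@dataclass
class InitialAccessToken:
    user_id: int        # user who generated the token; becomes the application owner
    issued_at: float
    used: bool = False  # page: the token can be used only once


@dataclass
class RegistrationEndpoint:
    """Hypothetical in-memory stand-in for the server behind /o/oauth2/register."""
    tokens: dict = field(default_factory=dict)        # token string -> InitialAccessToken
    permissions: dict = field(default_factory=dict)   # user_id -> set of permission names
    applications: dict = field(default_factory=dict)  # client_id -> application record

    def issue_initial_access_token(self, user_id, now=None):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = InitialAccessToken(user_id, time.time() if now is None else now)
        return token

    def _consume_token(self, headers, now):
        # RFC 6750 Bearer scheme; unknown, replayed or expired tokens all fail identically.
        scheme, _, value = headers.get("Authorization", "").partition(" ")
        tok = self.tokens.get(value) if scheme == "Bearer" else None
        if tok is None or tok.used or now - tok.issued_at > TOKEN_TTL_SECONDS:
            return None
        tok.used = True   # burn the token before any further processing (single use)
        return tok

    def register(self, headers, body, now=None):
        """Handle one registration request; returns (http_status, response_dict)."""
        now = time.time() if now is None else now
        tok = self._consume_token(headers, now)
        if tok is None:
            return 401, {"error": "invalid_token"}
        # Page: only a user holding OAuth2Application.ADD_APPLICATION may register.
        if ADD_APPLICATION not in self.permissions.get(tok.user_id, set()):
            return 403, {"error": "insufficient_permission"}   # error code is an assumption
        try:
            metadata = json.loads(body)
        except ValueError:
            return 400, {"error": "invalid_client_metadata"}
        grant_types = metadata.get("grant_types", ["authorization_code"])
        redirect_uris = metadata.get("redirect_uris", [])
        # Added hardening (not stated on the page): authorization_code needs redirect URIs,
        # and every redirect URI must be https.
        if "authorization_code" in grant_types and not redirect_uris:
            return 400, {"error": "invalid_redirect_uri"}
        if any(not u.startswith("https://") for u in redirect_uris):
            return 400, {"error": "invalid_redirect_uri"}
        extensions = metadata.get("extensions", [])
        if not isinstance(extensions, list) or not set(extensions) <= KNOWN_EXTENSIONS:
            return 400, {"error": "invalid_client_metadata"}
        client_id = secrets.token_urlsafe(16)
        client_secret = secrets.token_urlsafe(32)   # a real server would store only a hash
        record = dict(metadata, client_id=client_id, client_secret=client_secret,
                      client_id_issued_at=int(now), client_secret_expires_at=0,
                      owner_user_id=tok.user_id,
                      token_introspection="token_introspection" in extensions)
        self.applications[client_id] = record
        # RFC 7591 section 3.2.1: respond with the credentials plus the registered metadata.
        return 201, {k: v for k, v in record.items() if k != "owner_user_id"}


def demo():
    """Constructed exchange: a valid registration followed by a replay of the same token."""
    server = RegistrationEndpoint(permissions={1: {ADD_APPLICATION}, 2: set()})
    now = 1_700_000_000.0
    token = server.issue_initial_access_token(user_id=1, now=now)
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = json.dumps({
        "client_name": "Remote Reporting Client",
        "redirect_uris": ["https://client.example.com/callback"],
        "grant_types": ["authorization_code", "client_credentials"],
        "extensions": ["token_introspection"],
    })
    first = server.register(headers, body, now=now + 60)     # within the 30-minute window
    replay = server.register(headers, body, now=now + 120)   # same token again: rejected
    return server, first, replay


if __name__ == "__main__":
    _, first, replay = demo()
    print(first[0], json.dumps(first[1], indent=2))
    print(replay)
```

The token is marked used before the permission and metadata checks run, so a failed attempt also consumes it; that matches the single-use semantics on the page and stops an attacker from probing the endpoint repeatedly with a leaked token.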