Protecting the OIDC dynamic client registration endpoint
kwessel at illinois.edu
Thu Apr 2 18:25:22 EDT 2020
I have, up until now, been restricting access to our OIDC dynamic client registration endpoint using IP-based access rules in Apache. Nice, but not too scalable. I got the bright idea today that hey, I can just put HTTP basic auth in front of it and use Apache mod_auth_kerb to have users authenticate to register using their NetID and password. I can then restrict which NetIDs can register endpoints. If I want to get really fancy, I can switch to an LDAP auth module and get back the user's AD groups, then restrict registration by group membership. That worked until... someone tried to register, Apache passed them through, then the OIDC module denied them because: "Unable to decode oidc request: Token type must be bearer". Clearly, Apache used the "Authorization" header to let the user in, but then the Shib OIDC extension choked on it because it was basic and not bearer.
Other than IP-based authorization, has anyone come up with any good ways of protecting the dynamic client registration endpoint?
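For reference, here is the setup described in the message above reconstructed as an Apache config block. This is an added illustration, not the poster's actual config or anything from the Shibboleth project; the endpoint path, realm, keytab path and NetIDs are placeholders, and the final directive assumes Apache is reverse-proxying to the IdP, so that the Basic credential Apache has already verified can be dropped before the request reaches the OIDC extension.

```apache
# Added example: Basic auth via mod_auth_kerb in front of the registration endpoint.
# Path, realm, keytab and user names are placeholders (assumptions, not from the post).
<Location "/idp/profile/oidc/register">
    AuthType Kerberos
    AuthName "NetID login for OIDC client registration"
    KrbAuthRealms EXAMPLE.EDU
    Krb5KeyTab /etc/httpd/conf/http.keytab
    # Accept username/password over Basic auth and verify it against the KDC;
    # SPNEGO is not needed for a registration tool hitting this endpoint.
    KrbMethodNegotiate Off
    KrbMethodK5Passwd On
    KrbVerifyKDC On
    # Only these NetIDs may register clients.
    Require user alice@EXAMPLE.EDU bob@EXAMPLE.EDU

    # Assumption: Apache proxies to the IdP. mod_headers processes RequestHeader
    # after authentication, so the Basic "Authorization" header Apache consumed
    # is removed before the OIDC extension sees it and rejects it with
    # "Token type must be bearer".
    RequestHeader unset Authorization
</Location>
```

Note that unsetting the header also strips any Bearer token a client might have sent, so this only fits a deployment where Apache, not the OIDC extension, is the sole gate on the registration endpoint.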