Protecting the OIDC dynamic client registration endpoint

Cantor, Scott cantor.2 at
Thu Apr 2 19:06:55 EDT 2020

(Which isn't to say this isn't maybe a creative way of leveraging a machine-facing endpoint to implement the manual process. That seems plausible.)

On 4/2/20, 7:05 PM, "users on behalf of Cantor, Scott" <users-bounces at on behalf of cantor.2 at> wrote:

On 4/2/20, 6:25 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

> Other than IP-based authorization, has anyone come up with any good ways of protecting the dynamic client
> registration endpoint?

I thought the whole idea of dynamic registration was to sort of pretend to secure OIDC by having the RP software simply acquire a client_secret in real time at first point of need with no additional authentication done. I didn't think it involved a deployer/human typically interacting with it, since that's typically the manual way. I could certainly be mistaken.

-- Scott
