Protecting the OIDC dynamic client registration endpoint
Wessel, Keith
kwessel at illinois.edu
Fri Apr 3 10:29:46 EDT 2020
I certainly wouldn't want to leave my dynamic registration endpoint wide open to the world. I could see wrapping it by IP address range, then only allowing clients to register for public directory data back from the IdP, which, honestly, I think is our current configuration anyway. So, perhaps authentication beyond IP address is unnecessary.
Are others on the list supporting dynamic client registration?
Keith
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Thursday, April 2, 2020 6:07 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Protecting the OIDC dynamic client registration endpoint
(Which isn't to say this isn't maybe a creative way of leveraging a machine-facing endpoint to implement the manual process. That seems plausible.)
On 4/2/20, 7:05 PM, "users on behalf of Cantor, Scott" <users-bounces at shibboleth.net on behalf of cantor.2 at osu.edu> wrote:
On 4/2/20, 6:25 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:
> Other than IP-based authorization, has anyone come up with any good
> ways of protecting the dynamic client registration endpoint?
I thought the whole idea of dynamic registration was to sort of pretend to secure OIDC by having the RP software simply acquire a client_secret in real time at first point of need with no additional authentication done. I didn't think it involved a deployer/human typically interacting with it, since that's typically the manual way. I could certainly be mistaken.
-- Scott
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net