Protecting the OIDC dynamic client registration endpoint

Cantor, Scott cantor.2 at
Fri Apr 3 10:49:08 EDT 2020

On 4/3/20, 10:30 AM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

> I certainly wouldn't want to leave my dynamic registration endpoint wide open to the world.

I think that's the question I would be interested in hearing people talk about. If one makes the analogy to CAS though, perhaps the need is to be able to express rules via regex or SAML metadata governing the URLs registered as a layer of policy around the endpoint, as a precondition to doing the registration.

> I could see wrappering it by IP address range then only allowing clients to register for public directory data back from
> the IdP which, honestly, I think that's our current configuration, anyway. So, perhaps authentication beyond IP address
> is unnecessary.

Yes, I'm really just curious how it's all meant to work. I don't know the internals enough to say what's immediately possible or not, but I don't think it's intended to be human-interactive, which makes using human sorts of credentials not really a practical direction. So putting the IdP authn layer in front of it likely wouldn't make sense.

-- Scott

More information about the users mailing list