Protecting the OIDC dynamic client registration endpoint
david.huebner at daasi.de
Fri Apr 3 10:58:46 EDT 2020
On 4/3/20 4:49 PM, Cantor, Scott wrote:
> On 4/3/20, 10:30 AM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:
>> I certainly wouldn't want to leave my dynamic registration endpoint wide open to the world.
> I think that's the question I would be interested in hearing people talk about.
I believe most OPs allow configuration of scopes that can be registered
with dynamic registration. So it's basically 'openid' only and all other
scopes must then be assigned manually afterwards. That certainly does
not solve all issues, of course, but it's a start.
That being said, we tend to turn off dynamic registration in almost all
cases, except for testing purposes.