Protecting the OIDC dynamic client registration endpoint

David Huebner david.huebner at
Fri Apr 3 10:58:46 EDT 2020

On 4/3/20 4:49 PM, Cantor, Scott wrote:
> On 4/3/20, 10:30 AM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:
>> I certainly wouldn't want to leave my dynamic registration endpoint wide open to the world.
> I think that's the question I would be interested in hearing people talk about.
I believe most OPs allow configuration of scopes, that can be registered 
with dynamic registration. So it's basically 'openid' only and all other 
scopes must then be assigned manually afterwards. That certainly does 
not solve all issues, of course, but it's a start.

That being said, we tend to turn of dynamic registration in almost all 
cases, except for testing purposes.

More information about the users mailing list