OIDC dynamic registration policy ID

Wessel, Keith kwessel at illinois.edu
Wed Apr 27 00:37:42 UTC 2022

Thanks, Scott, for both the clarification and the edit to the docs.

It's policy by reference in that anything they register going forward with that token will pick up the changes. But already registered clients that the holder of the token already registered wouldn't be updated, right? In other words, it doesn't dynamically apply to things already registered; it just applies to any future registrations. It's a reference to a template used at registration time. That right?


-----Original Message-----
From: Cantor, Scott <cantor.2 at osu.edu> 
Sent: Tuesday, April 26, 2022 7:01 PM
To: Shib Users <users at shibboleth.net>
Cc: Wessel, Keith <kwessel at illinois.edu>
Subject: Re: OIDC dynamic registration policy ID

On 4/26/22, 6:37 PM, "users on behalf of Wessel, Keith via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:

> The policyId parameter of the OIDC dynamic registration endpoint in 4.2 says its value: "Identifies a metadata policy by means of an identifier that maps back to a matching/named RelyingParty override."

It should really say "matching", not "named". It's referring to the "id" attribute in the override. People often don't set them, but all of them can have a unique id.

> That partly makes sense: I can configure a different policy file for the OIDC registration profile in that relying party override.

It's a policy by reference where you authorize somebody to "connect" their registration request to that bean but you get to control the policy it uses, change it without re-issuing tokens, etc.

-- Scott