Register Endpoint
The register endpoint allows dynamically registering an OpenID client.
See the Configuring OpenID Client Registration tutorial for further details and samples.
The endpoint is exposed at the following URL (and can be obtained from the server discovery endpoint):
https://[base-server-url]/{tenant}/authn/register [POST]/[GET]/[PUT]/[DELETE]
Register Request
Sample request to register a client with a password
POST https://[base-server-url]/{tenant}/authn/register HTTP/1.1
Content-Type: application/json
Authorization: Bearer RTp7HwAAAV6kDLkStyOElco4/XqhuFOnqCHTypGu
{
"redirect_uris": ["https://client.example.org/callback", "https://client.example.org/callback2"],
"client_name": "OpenID Client 1",
"client_id": "openid_client31",
"token_endpoint_auth_method": "client_secret_basic",
"hid_client_channel": "CH_SSP",
"hid_client_pwd_policy": "AT_SYSLOG",
"hid_client_pki_policy": "AT_CUSTPKI",
"hid_user_channel": "CH_IIS",
"hid_user_authn_policy": "AT_CUSTPW",
"hid_sessiontransfer_type": "NUM002",
"hid_client_group": "USG_SYS",
"hid_federation_audiences": "ENTERPRISE",
"hid_federation_roles": ".*",
"hid_federation_atttype": "OAUTHFEDID",
"hid_federation_channel": "CH_SSP|CH_IIS"
}
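The request above is sent as a JSON body with a bearer token. The following is an added example (not HID's code) that builds that request with Python's standard library and checks the payload against the constraints stated on this page before anything is sent: redirect_uris is required, private_key_jwt needs jwks or jwks_uri, and hid_federation_channel is a "|"-separated list. The base URL, tenant and bearer token are placeholders, and the channel set is an assumption drawn only from channel names that appear on this page.

```python
"""Build and sanity-check an OpenID client registration request for the
ActivID register endpoint before sending it.

Added example: not HID's code. The base URL, tenant and bearer token are
placeholders, and the checks implement the constraints stated on this page
(redirect_uris required; jwks or jwks_uri required for private_key_jwt;
hid_federation_channel is a '|'-separated channel list)."""
import json
import urllib.request
from urllib.parse import urlsplit

# Assumption: only the channel names that appear on this page; the real
# list is whatever channels the appliance has configured.
KNOWN_CHANNELS = {"CH_SSP", "CH_IIS", "CH_VPN", "CH_DIRECT", "CH_TDSPROV"}


def validate_registration(payload: dict) -> list:
    """Return the list of problems found; an empty list means the payload passes."""
    problems = []
    uris = payload.get("redirect_uris")
    if not isinstance(uris, list) or not uris:
        problems.append("redirect_uris is required and must be a non-empty array")
    else:
        for uri in uris:
            parts = urlsplit(uri)
            # The authorization code is delivered to this URI, so a relative
            # or non-TLS value is a registration mistake worth refusing early.
            if parts.scheme != "https" or not parts.netloc:
                problems.append(f"redirect URI must be absolute https: {uri!r}")
            if parts.fragment:
                problems.append(f"redirect URI must not carry a fragment: {uri!r}")
    method = payload.get("token_endpoint_auth_method", "client_secret_basic")
    if method == "private_key_jwt" and not (payload.get("jwks") or payload.get("jwks_uri")):
        problems.append("token_endpoint_auth_method=private_key_jwt requires jwks or jwks_uri")
    channels = payload.get("hid_federation_channel")
    if channels is not None:
        for channel in channels.split("|"):
            if channel not in KNOWN_CHANNELS:
                problems.append(f"unknown federation channel {channel!r}")
    return problems


def build_register_request(base_url: str, tenant: str, bearer_token: str, payload: dict):
    """Return a urllib Request for POST {base_url}/{tenant}/authn/register, or raise
    ValueError listing every validation problem so nothing half-formed is sent."""
    problems = validate_registration(payload)
    if problems:
        raise ValueError("; ".join(problems))
    return urllib.request.Request(
        url=f"{base_url}/{tenant}/authn/register",
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {bearer_token}"},
    )


# Constructed payload, a subset of the sample request on this page.
SAMPLE_PAYLOAD = {
    "redirect_uris": ["https://client.example.org/callback",
                      "https://client.example.org/callback2"],
    "client_name": "OpenID Client 1",
    "client_id": "openid_client31",
    "token_endpoint_auth_method": "client_secret_basic",
    "hid_client_channel": "CH_SSP",
    "hid_federation_channel": "CH_SSP|CH_IIS",
}

if __name__ == "__main__":
    req = build_register_request("https://as.example.test", "tenant1",
                                 "<bearer-token-placeholder>", SAMPLE_PAYLOAD)
    print(req.get_method(), req.full_url)
    # To actually register: with urllib.request.urlopen(req) as resp: print(resp.status)
```

The validator returns every problem rather than stopping at the first, so a registration script can report all of them in one round trip; the actual send is left commented out so the block runs offline.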
Register Response
Error Responses
Code | Label | Possible Errors
---|---|---
400 | BAD REQUEST | No client found
401 | UNAUTHORIZED | Invalid_token
403 | FORBIDDEN | insufficient_scope
409 | CONFLICT | duplicate_client
For sample error responses, see Client Registration Samples.
Required Parameters
Parameter | Description
---|---
redirect_uris | Array of URIs to which the response of the authorization request will be sent, and which must match one that has been registered during client registration. For further information, see the OpenID Connect Dynamic Client Registration specification, section 3.
Optional Parameters
Parameter | Description
---|---
client_name | This could be a description of the client. If present, and client_id is not passed as a parameter, it is used (combined with redirect_uris) to generate the unique client_id.
client_id | Must be unique. If present, the client is registered with this client_id. If not present, a unique id is generated by the server and returned in the response. Note: If client_id is present, it is assumed to be unique and its format must respect the user ID constraints; otherwise, errors are returned in the response.
 | Supported values are:
jwks | If token_endpoint_auth_method is private_key_jwt, it can contain a list of public keys/certificates. The one used for the PKI credential should have no specified key use. It can also contain keys/certificates with key use “sig” or “enc”.
jwks_uri | If token_endpoint_auth_method is private_key_jwt, this parameter or jwks is required. One of the two parameters must be present, and the URI given must be accessible from the server. Note: The jwks_uri parameter is not supported for OpenID request objects.
 | Only used when performing an UPDATE to reset a client password.
id_token_encrypted_response_alg | Algorithm used to encrypt the id_token issued by the token endpoint. If empty, the id_token is not encrypted. The recommended algorithm is RSA-OAEP-256.
 | Algorithm used to encrypt the UserInfo response. If empty, the response is not encrypted. The recommended algorithm is RSA-OAEP-256.
 | Algorithm used to sign the UserInfo response:
|
Optional HID Custom Parameters
If the following parameters are not present in the request, ActivID Appliance uses the default values defined in the /usr/local/activid/ActivID_AS/applications/resources/ap/samlidp.properties file:
Parameter | Description | Default value | Property
---|---|---|---
hid_client_channel | Channel through which the client authenticates | CH_DIRECT | OpenId.DEFAULT_RP_CLIENTCHANNEL
hid_client_pwd_policy | Password-based authentication policy used to authenticate the client | AT_SYSLOG | OpenId.DEFAULT_RP_CLIENTCREDAUTHPOL
hid_client_pki_policy | PKI-based authentication policy used to authenticate the client | AT_SYSPKI | OpenId.DEFAULT_RP_CLIENTPKIAUTHPOL
hid_client_credential_type | Credential type to use for the authentication type configured for OpenID client authentication, when that authentication type is configured with several credential types. Note: This parameter is not present by default, and has no default value or associated property. | Not applicable | Not applicable
hid_user_channel | Channel through which an end user of the client authenticates | CH_TDSPROV | OpenId.DEFAULT_RP_USERCHANNEL
hid_user_authn_policy | Default authentication policy for the end user | AT_TDSOOB | OpenId.DEFAULT_RP_USERPWDAUTHPOL
hid_sessiontransfer_type | Type of the transfer policy for the session's authorization code | NUM001 | OpenId.DEFAULT_RP_USERSESSIONTRANSFTYPE
hid_client_group | Default user group for the client | USG_SYS | OpenId.DEFAULT_RP_USERPARENTGROUP
hid_client_authentication_constraints | Whitelist of IP addresses allowed to authenticate the OpenID client. The supported value is a string containing a comma-separated list of individual IP addresses and/or ranges of IP addresses; the value can mix both, for example: "10.16.125.223,10.16.124.0/32". If the parameter is not present or undefined, no IP restriction is applied for OpenID client authentication. Note: This parameter is not present by default, and has no default value or associated property. | Not applicable | Not applicable
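Two things in the table above are easy to get wrong in practice: which value actually applies when a custom parameter is omitted (the request value, else the samlidp.properties default), and how the hid_client_authentication_constraints whitelist is evaluated. The following is an added example, not HID's code or documentation, that resolves the effective parameters from a constructed properties excerpt (mirroring the Default value and Property columns above) and evaluates a whitelist string with Python's ipaddress module. The parse_properties, effective_parameters, parse_constraints and client_source_allowed functions are hypothetical names introduced here; how the appliance itself matches addresses is not stated on the page beyond the behaviour quoted in the comments.

```python
"""Resolve the effective HID custom parameters of a registered OpenID client
and evaluate hid_client_authentication_constraints for a connecting address.

Added example, not part of the HID documentation or the appliance. The
properties text is constructed to mirror the Default value / Property columns
of the table above (the real file is the samlidp.properties path given on this
page); PROPERTY_FOR_PARAM is the parameter-to-property mapping from that table."""
import ipaddress

PROPERTY_FOR_PARAM = {
    "hid_client_channel": "OpenId.DEFAULT_RP_CLIENTCHANNEL",
    "hid_client_pwd_policy": "OpenId.DEFAULT_RP_CLIENTCREDAUTHPOL",
    "hid_client_pki_policy": "OpenId.DEFAULT_RP_CLIENTPKIAUTHPOL",
    "hid_user_channel": "OpenId.DEFAULT_RP_USERCHANNEL",
    "hid_user_authn_policy": "OpenId.DEFAULT_RP_USERPWDAUTHPOL",
    "hid_sessiontransfer_type": "OpenId.DEFAULT_RP_USERSESSIONTRANSFTYPE",
    "hid_client_group": "OpenId.DEFAULT_RP_USERPARENTGROUP",
}

# Constructed sample carrying the default values listed in the table above.
SAMPLE_PROPERTIES = """\
# constructed excerpt of samlidp.properties
OpenId.DEFAULT_RP_CLIENTCHANNEL=CH_DIRECT
OpenId.DEFAULT_RP_CLIENTCREDAUTHPOL=AT_SYSLOG
OpenId.DEFAULT_RP_CLIENTPKIAUTHPOL=AT_SYSPKI
OpenId.DEFAULT_RP_USERCHANNEL=CH_TDSPROV
OpenId.DEFAULT_RP_USERPWDAUTHPOL=AT_TDSOOB
OpenId.DEFAULT_RP_USERSESSIONTRANSFTYPE=NUM001
OpenId.DEFAULT_RP_USERPARENTGROUP=USG_SYS
"""


def parse_properties(text: str) -> dict:
    """Minimal key=value parser for Java-style properties (comments start with # or !)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def effective_parameters(request_params: dict, properties: dict) -> dict:
    """Request value wins; otherwise the property default applies. Parameters with
    no property (credential type, IP constraints) exist only if the request set them."""
    effective = {}
    for param, prop in PROPERTY_FOR_PARAM.items():
        if param in request_params:
            effective[param] = request_params[param]
        elif prop in properties:
            effective[param] = properties[prop]
    for param in ("hid_client_credential_type", "hid_client_authentication_constraints"):
        if param in request_params:
            effective[param] = request_params[param]
    return effective


def parse_constraints(value: str) -> list:
    """Split the comma-separated whitelist into ip_network objects. A malformed entry
    raises ValueError so a typo is rejected at registration time instead of being
    silently treated as 'no restriction'."""
    networks = []
    for item in value.split(","):
        item = item.strip()
        if item:
            # A bare address becomes a /32 (or /128) network; strict=False tolerates
            # host bits in a range such as 10.16.124.5/24.
            networks.append(ipaddress.ip_network(item, strict=False))
    return networks


def client_source_allowed(constraints, source_ip: str) -> bool:
    """True when source_ip matches the whitelist, or when no whitelist is defined
    (the page states that no IP restriction applies in that case)."""
    if constraints is None or not constraints.strip():
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in parse_constraints(constraints))
```

Note that "10.16.124.0/32", the range from the page's own example, matches only the single address 10.16.124.0; a range intended to cover a subnet needs a shorter prefix. Checking the parsed list at registration time, as parse_constraints does, surfaces that kind of mistake before a client is locked out or, worse, left unrestricted.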
Optional HID Custom Parameters for End-User Consent Signing
Parameter | Description
---|---
hid_client_scopes | Considered as the “openid profile”; the default value is empty.
hid_client_consentprompt | Defines whether to prompt the end user to sign their consent in the authorization flow; the default value is true.
Optional HID Custom Parameters for Domain Federation
These parameters are taken into account only when domain federation is required.
Parameter | Description
---|---
hid_federation_audiences | Defines the valid audiences, using a regular expression based on the syntax described in https://docs.oracle.com/javase/8/docs/api/java/util/regex/Pattern.html. If the audiences are OpenID clients and SSO is enabled for these clients (as defined in hid_sso_session_validity), they are allowed to access the SSO session of the current client. Add the OpenID client ID of the application(s) allowed to use the user's authenticated session; the value must be a regular expression. As examples for the following use cases:
hid_federation_roles | Defines the filter of roles (a regular expression) applied to the roles sent to the Managed Domains as part of the JWT access token.
hid_federation_atttype | Attribute type created previously to publish dedicated identities per OAuth2 client application.
hid_federation_channel | Post-authentication channel(s) for domain federation. The value can be a single channel or a list of channels separated by | (for example, "CH_IIS|CH_VPN").
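Since both hid_federation_audiences and hid_federation_roles are regular expressions, the practical questions are which client IDs a given pattern lets reuse the SSO session and which roles survive the filter into the access token. The following is an added example, not HID's code, that applies the page's own sample values ("ENTERPRISE" and ".*") with Python's re module. The page says the patterns follow Java's java.util.regex syntax; Python behaves the same for patterns this simple, and using re.fullmatch to mirror Java's whole-string matches() semantics is an assumption about how the appliance applies them. The function names and sample client IDs/roles are constructed for this example.

```python
"""Apply the domain-federation regular expressions from the table above.

Added example, not HID's code. The page states the patterns use the Java
java.util.regex syntax; Python's re module behaves the same for the simple
patterns shown here, and re.fullmatch mirrors Java's Pattern.matcher().matches()
whole-string semantics (an assumption about how the appliance applies them)."""
import re


def compile_federation_pattern(pattern: str):
    """Compile a pattern, turning a syntax error into a ValueError naming the
    pattern so a bad registration is refused instead of silently matching nothing."""
    try:
        return re.compile(pattern)
    except re.error as exc:
        raise ValueError(f"invalid federation pattern {pattern!r}: {exc}") from None


def sso_audiences_allowed(audiences_pattern: str, candidate_client_ids) -> list:
    """Client IDs (selected by hid_federation_audiences) allowed to reuse the
    current client's SSO session."""
    pattern = compile_federation_pattern(audiences_pattern)
    return [cid for cid in candidate_client_ids if pattern.fullmatch(cid)]


def roles_for_access_token(roles_pattern: str, user_roles) -> list:
    """Roles (filtered by hid_federation_roles) that go into the JWT access token."""
    pattern = compile_federation_pattern(roles_pattern)
    return [role for role in user_roles if pattern.fullmatch(role)]


def federation_channels(value: str) -> list:
    """Split hid_federation_channel ('CH_IIS|CH_VPN') into its channel list."""
    return [ch for ch in value.split("|") if ch]


# Constructed inputs. The sample request on this page registers
# hid_federation_audiences "ENTERPRISE" and hid_federation_roles ".*".
SAMPLE_CLIENT_IDS = ["ENTERPRISE", "ENTERPRISE_LEGACY", "openid_client31"]
SAMPLE_ROLES = ["admin", "reader", "svc_batch"]

if __name__ == "__main__":
    print(sso_audiences_allowed("ENTERPRISE", SAMPLE_CLIENT_IDS))
    print(roles_for_access_token(".*", SAMPLE_ROLES))
```

The difference between "ENTERPRISE" and "ENTERPRISE.*" in the output is the point to take away: with whole-string matching, the first admits exactly one client to the shared session, the second admits every client whose ID starts with that prefix, and ".*" for roles forwards every role the user holds into the token sent to the Managed Domains.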
Optional HID Custom Parameters for Refresh Token
Parameter | Description
---|---
 | Lifetime of a refresh token (in seconds). If it is not present in the request, the value of hid_sessiontransfer_type is used as the refresh token validity (that is, if hid_sessiontransfer_type is “NUM001”, the validity is 600 seconds).
Optional HID Custom Parameters for ID Token Signature/Encryption and Format
Parameter | Description
---|---
 | Defines whether the ID Token in the CIBA response should be signed (or signed and encrypted) and use the updated format that complies with the CIBA specifications. By default (or if not present), this parameter is set to false, so the ID Token is signed or signed/encrypted and uses the updated format. To disable the signature (or signature/encryption) of the ID Token and use the plain format, set the parameter to true. Note: If you register the client using the ActivID Management Console, the corresponding parameter is Use legacy plain format in CIBA messages. For further information, see Manually Register an OpenID Client. Optionally, you can also configure the OpenID client for ID Token encryption using the id_token_encrypted_response_alg and jwks parameters (where the currently supported algorithm is RSA-OAEP-256).