Support dynamic client registration

*This issue was originally created by [**@sandhose**](https://github.com/sandhose) at <https://github.com/matrix-org/matrix-authentication-service/issues/17>.*


Support for [RFC7591](https://datatracker.ietf.org/doc/html/rfc7591).
See [MSC2966](https://github.com/matrix-org/matrix-doc/pull/2966).

This is the step where client register themselves and provide metadata about them.

What needs to be supported according to the OIDC conformance profile:
https://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf

- ID Token
   - [x] Asymmetric ID Token signature with RS256
- UserInfo Endpoint
   - [x] Can provide signed UserInfo response with RS256
- redirect_uri
   - [x] Reject request without redirect_uri when multiple registered
   - [x] Preserves query parameter in redirect_uri
   - [x] Preserves query parameter in registered redirect_uris
   - [x] Reject redirect_uri when query parameter does not match
   - [x] Reject redirect_uri when query parameter added
   - [x] Reject registration of redirect_uris with fragment
 - Discovery
     - [x] Publishes openid-configuration discovery information
     - [x] Config has issuer
     - [x] Discovered issuer matches openid-configuration path prefix
     - [x] Discovered issuer matches ID Token iss value
     - [x] Config has authorization_endpoint
     - [x] Config has token_endpoint
     - [x] Config has userinfo_endpoint
     - [x] Config has jwks_uri
     - [x] Keys in OP JWKs well formed
     - [x] Config has scopes_supported
     - [x] Config has response_types_supported
     - [x] Config has subject_types_supported
     - [x] Config has id_token_signing_alg_values_sup ported
     - [x] Config has claims_supported
     - [x] All OP endpoints use https
     - [ ] Can Discover Identifiers using E- Mail Syntax
     - [x] Support WebFinger discovery
- Dynamic Client Registration
     - [x] Config has registration_endpoint
     - [x] Enables dynamic registration
     - [ ] Support using Sector Identifier for pairwise sub values
     - [x] Displays logo_uri in login page
     - [x] Displays policy_uri in login page
     - [x] Displays tos_uri in login page
     - [x] Uses keys registered with jwks value
     - [x] Uses keys registered with jwks_uri value
     - [ ] Reject Sector Identifier not containing registered redirect_uri values
- Key Rotation
     - [x] Can rotate OP signing key
     - [x] Support RP signing key rotation
- request_uri Request Parameter
     - [ ] Support request_uri request parameter
     - [ ] Support request_uri request parameter with unsecured request
     - [ ] Support request_uri request parameter with signed request

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Support dynamic client registration #17

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Support dynamic client registration #17

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions