|
1 | | -# OpenID Connect Dynamic Client Registration |
| 1 | +# OpenID Connect Dynamic Client Registration (DCR) |
2 | 2 |
|
3 | | -This extension provides a mechanism to register clients with the authorization server dynamically or programmatically. |
4 | | - |
5 | | -## How does it work? |
| 3 | +[Dynamic Client Registration (DCR)](https://tools.ietf.org/html/rfc7591) allows clients to register with {{product_name}} dynamically without manual intervention. DCR suits scenarios where you have many clients or clients that require frequent creation and deletion. |
6 | 4 |
|
7 | | -To register a new client at the authorization server: |
| 5 | +You can register clients dynamically in two ways: |
8 | 6 |
|
9 | | -1. Client discovers the client registration endpoint. The registration endpoint URL is discoverable via WebFinger. |
10 | | - For more information on discovering the client registration endpoint, see [OpenID Connect Discovery](discovery.md). |
11 | | - |
12 | | -2. Client sends an HTTP POST message to the client registration endpoint with client metadata parameters that the client |
13 | | - chooses to specify for itself during the registration. |
14 | | - |
15 | | -3. The authorization server assigns an unique client identifier (client ID) and optionally, a client secret. |
| 7 | +- A client registers itself dynamically by sending a request to the client registration endpoint of {{product_name}}. |
16 | 8 |
|
17 | | -4. The authorization server associates the metadata given in the request with the issued client ID. |
| 9 | +- An admin or system registers a client using the {{product_name}} DCR REST API and manages the client via the Dynamic Client Registration Management (DCRM) REST APIs. |
18 | 10 |
|
19 | | ---- |
| 11 | +This guide explains how both methods work. |
20 | 12 |
|
21 | | -## DCR vs DCRM |
| 13 | +## How does DCR work? |
22 | 14 |
|
23 | | -### What is DCR (Dynamic Client Registration)? |
| 15 | +In the self-registration flow, the client initiates its own registration. The process consists of the following steps: |
24 | 16 |
|
25 | | -Dynamic Client Registration is a protocol that allows OAuth clients to register applications in an authorization server. |
26 | | -Before this mechanism was introduced to the [specification](https://tools.ietf.org/html/rfc7591) the client registration |
27 | | -happened manually. With this implementation, client registration can be done in two ways. |
| 17 | +### Self-registration of clients |
28 | 18 |
|
29 | | -- A client can be registered dynamically with the authorization server itself |
30 | | -- A programmer can register a client programmatically |
| 19 | +The DCR self-registration process consists of the following steps: |
31 | 20 |
|
| 21 | +1. Using WebFinger, the client discovers the client registration endpoint of the authorization server. Refer to [OpenID Connect Discovery]({{base_path}}/guides/authentication/oidc/discover-oidc-configs/) for more information on WebFinger. |
32 | 22 |
|
33 | | -### What is DCRM (Dynamic Client Registration Management)? |
| 23 | +2. The client sends an HTTP POST request to the client registration endpoint, including any client metadata parameters it chooses to specify during registration. |
34 | 24 |
|
35 | | -DCRM is an extension to the DCR, introduced from [this specification](https://tools.ietf.org/html/rfc7592). |
36 | | -The main functionalities specified are: |
| 25 | +3. {{product_name}} issues a unique client identifier (client ID) to the client and, optionally, a client secret. |
37 | 26 |
|
38 | | -- Current registration state of a client (Client Read Request) |
39 | | -- Update request to an already registered client (Client Update Request) |
40 | | -- Delete request to an already registered client (Client Delete Request) |
| 27 | +4. {{product_name}} links the metadata provided in the request to the issued client ID. |
41 | 28 |
|
42 | | -!!! info "Related topics" |
43 | | - - [API: OpenID Connect Dynamic Client Registration]({{base_path}}/apis/use-the-openid-connect-dynamic-client-registration-rest-apis) |
| 29 | +5. The client can now use the issued client ID and secret to request access tokens from the authorization server. |
| 30 | + |
| 31 | +### Register clients programmatically |
| 32 | + |
| 33 | +Administrators or automated systems can register clients programmatically using the {{product_name}} DCR REST API. Once a client is registered, it can be managed using DCRM REST APIs. |
| 34 | + |
| 35 | +[Dynamic Client Registration Management (DCRM)](https://tools.ietf.org/html/rfc7592){: target="_blank"} was introduced as an extension to DCR that defines RESTful APIs to manage already registered clients. Using DCRM APIs, you can: |
| 36 | + |
| 37 | +- Read: Retrieve information about an already registered client. |
| 38 | + |
| 39 | +- Update: Modify the metadata of an existing client. |
| 40 | + |
| 41 | +- Delete: Remove a registered client from the system. |
| 42 | + |
| 43 | +!!! note "{{product_name}} DCR REST APIs" |
| 44 | + |
| 45 | + For a comprehensive guide on using DCR REST APIs in {{product_name}}, see [Dynamic Client Registration (DCR) REST APIs]({{base_path}}/apis/dynamic-client-registration-rest-api/). |
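Review bot: Step 5 (new line 29) tells the client to use "the issued client ID and secret", but step 3 (new line 25) says the secret is issued only optionally; reword step 5 to something like "the issued client ID and, if one was issued, the client secret" so it also covers clients registered without a secret. Under "## How does DCR work?", new line 15 ends with "The process consists of the following steps:" yet is followed by a heading and a near-identical lead-in at new line 19 rather than by steps; replace line 15 with a sentence that introduces both subsections, since new line 11 promises both methods. The self-registration steps also never say whether the registration endpoint accepts unauthenticated requests or requires a credential; step 2 is where a client submits metadata of its own choosing, so state the requirement there. Lastly, the RFC 7591 link at new line 3 lacks the `{: target="_blank"}` attribute that the RFC 7592 link at new line 35 carries.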