Details
- Story
- Resolution: Done
- Minor
- Sprint 12, Sprint 13, Sprint 14, Sprint 15, Sprint 16
Description
There are two general ways to register and manage OIDC "clients" (RPs): using out-of-band metadata, and dynamic registration. Metadata is handled through the OIDC type in Metadata Sources ( SHIBUI-2380 ). This ticket addresses dynamic registration.
If the SHIBUI has been configured to communicate with the Shibboleth OIDC plugin's API, then the user should be presented a screen where they can enter the following pieces of information:
- redirect_uris (required)
- response_types
- grant_types - One of "authorization_code", "implicit", and "refresh_token"
- application_type
- contacts
- subject_type
- jwks / jwks_uri
- token_endpoint_auth_method
- logo_uri
- policy_uri
- tos_uri
- scope
The details will be saved to the database (this is not a metadata source subtype and no XML is generated by SHIBUI for this).
Dynamic registrations will need to be approved following the same process as entity descriptors/metadata sources.
Users with ENABLE permissions (including admins) will be able to [enable | activate | send to Shib] approved registrations.
DB Object should also include:
- name
- modifiedDate
- createdDate
- createdBy
- activated
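As an added example (not SHIBUI code and not part of the ticket), the following Python sketches the server-side validation such a registration screen needs before anything is written to the database, and the DB record the ticket describes. The allowed grant_types are the three the ticket names; the value sets for response_types, application_type, subject_type and token_endpoint_auth_method are assumptions taken from OIDC Dynamic Client Registration 1.0 / RFC 7591, as are the checks that redirect_uris are absolute https URIs without a fragment (loopback http only for native apps) and that jwks and jwks_uri are not both supplied. The field names `name`, `createdBy` and the sample request are constructed for the example.

```python
"""Validate an OIDC dynamic client registration request and build the DB record.

Added example; not SHIBUI's own code. Value sets other than grant_types are
assumptions from OIDC Dynamic Client Registration 1.0 / RFC 7591.
"""
from datetime import datetime, timezone
from urllib.parse import urlparse

# grant_types exactly as the ticket lists them.
ALLOWED_GRANT_TYPES = {"authorization_code", "implicit", "refresh_token"}
# Assumed value sets (not stated in the ticket).
ALLOWED_RESPONSE_TYPES = {"code", "id_token", "token", "code id_token", "code token",
                          "id_token token", "code id_token token"}
ALLOWED_APPLICATION_TYPES = {"web", "native"}
ALLOWED_SUBJECT_TYPES = {"public", "pairwise"}
ALLOWED_AUTH_METHODS = {"client_secret_basic", "client_secret_post", "client_secret_jwt",
                        "private_key_jwt", "none"}
OPTIONAL_FIELDS = ("response_types", "grant_types", "application_type", "contacts", "subject_type",
                   "jwks", "jwks_uri", "token_endpoint_auth_method", "logo_uri", "policy_uri",
                   "tos_uri", "scope")


def _absolute_https(url, allow_loopback_http=False):
    """True for an absolute https URI with no fragment; http only on loopback when allowed."""
    if not isinstance(url, str):
        return False
    p = urlparse(url)
    if p.fragment or not p.netloc:
        return False
    if p.scheme == "https":
        return True
    return allow_loopback_http and p.scheme == "http" and p.hostname in ("localhost", "127.0.0.1", "::1")


def _check_enum(req, key, allowed, errors):
    """Reject any value of `key` (scalar or list) outside the allowed set."""
    values = req.get(key)
    if values is None:
        return
    for v in values if isinstance(values, list) else [values]:
        if v not in allowed:
            errors.append(f"{key}: unsupported value {v!r}")


def validate_registration(req):
    """Return a list of validation errors; an empty list means the request is acceptable."""
    errors = []
    native = req.get("application_type", "web") == "native"

    uris = req.get("redirect_uris")
    if not isinstance(uris, list) or not uris:
        errors.append("redirect_uris: required, must be a non-empty list")
    else:
        for u in uris:
            if not _absolute_https(u, allow_loopback_http=native):
                errors.append(f"redirect_uris: {u!r} must be an absolute https URI without a fragment")

    _check_enum(req, "grant_types", ALLOWED_GRANT_TYPES, errors)
    _check_enum(req, "response_types", ALLOWED_RESPONSE_TYPES, errors)
    _check_enum(req, "application_type", ALLOWED_APPLICATION_TYPES, errors)
    _check_enum(req, "subject_type", ALLOWED_SUBJECT_TYPES, errors)
    _check_enum(req, "token_endpoint_auth_method", ALLOWED_AUTH_METHODS, errors)

    # RFC 7591: a client supplies jwks or jwks_uri, never both; private_key_jwt needs one of them.
    if "jwks" in req and "jwks_uri" in req:
        errors.append("jwks and jwks_uri are mutually exclusive")
    if req.get("token_endpoint_auth_method") == "private_key_jwt" and not ("jwks" in req or "jwks_uri" in req):
        errors.append("token_endpoint_auth_method private_key_jwt requires jwks or jwks_uri")

    # Informational URIs are rendered to end users, so require https for them too.
    for key in ("jwks_uri", "logo_uri", "policy_uri", "tos_uri"):
        if key in req and not _absolute_https(req[key]):
            errors.append(f"{key}: must be an absolute https URI")

    contacts = req.get("contacts", [])
    if not isinstance(contacts, list) or any(not isinstance(c, str) or "@" not in c for c in contacts):
        errors.append("contacts: must be a list of e-mail addresses")
    if "scope" in req and (not isinstance(req["scope"], str) or not req["scope"].strip()):
        errors.append("scope: must be a non-empty space-separated string")
    return errors


def build_record(req, name, created_by, now=None):
    """Build the DB row the ticket describes: request fields plus name, dates, creator, activated."""
    errors = validate_registration(req)
    if errors:
        raise ValueError("; ".join(errors))
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    record = {k: req[k] for k in ("redirect_uris", *OPTIONAL_FIELDS) if k in req}
    # New registrations start inactive: activation is a separate, permission-gated step.
    record.update({"name": name, "createdDate": stamp, "modifiedDate": stamp,
                   "createdBy": created_by, "activated": False})
    return record


SAMPLE_REQUEST = {  # constructed sample input, not from any real RP
    "redirect_uris": ["https://app.example.edu/oidc/callback"],
    "response_types": ["code"],
    "grant_types": ["authorization_code", "refresh_token"],
    "application_type": "web",
    "contacts": ["oidc-admin@example.edu"],
    "subject_type": "pairwise",
    "jwks_uri": "https://app.example.edu/.well-known/jwks.json",
    "token_endpoint_auth_method": "private_key_jwt",
    "logo_uri": "https://app.example.edu/logo.png",
    "policy_uri": "https://app.example.edu/privacy",
    "tos_uri": "https://app.example.edu/tos",
    "scope": "openid profile email",
}

if __name__ == "__main__":
    print(validate_registration(SAMPLE_REQUEST))
    print(build_record(SAMPLE_REQUEST, "Example App", "admin"))
```

The record is deliberately created with `activated` false: validation decides whether a request may be stored at all, while activation (and sending it to the IdP) stays a separate step reserved for users with ENABLE permission, matching the approval flow for metadata sources.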
Additional information:
- Info at: OPDynamicClientRegistration
- Scott can't imagine using Dynamic Registration himself (OSU), but feels that if deployers were to do so, they really would need a feature to be able to do this. How many deployers would choose to want to use dynamic registration in the first place?
- This is a bit different from what the ShibUI does today; it is more of a "current state of the IdP" admin-type task that would probably want to use the standard API tools (go through the IdP's storage API rather than directly to the "DB").
- There are some profile settings (like relying party overrides) that can apply