Closed leastprivilege closed 1 year ago
Would really love to see this built out to support 3rd-Party Initiated Login https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin
What exactly are you looking for?
dynamic client registration or 3rd init login
Because both are completely independent and one is possible without the other.
And actually 3rd party init is really a feature of the client - and would work today already.
Looking for dynamic client registration. I think the only relation that seems to be missing in IdSrv is the built-in support for initiate_login_uri
on Client
. I've been prototyping migrating away from Auth0 to IdSrv Enterprise for my company and the org that recently acquired us.
To have a seamless integration for our mutual customers, 3rd-party-init seems like the best approach for us to achieve SSO to switch between platforms; as it somewhat resembles SAML's IdP-Initiated flow, but without the CSRF vulnerability issues - it basically just introduces an initiate-login endpoint to start the authorize request.
OK. I see. Well - as of today there is no dynamic client registration. We currently have this on the roadmap for v6.
Is this blocking you right now?
Hi, @leastprivilege ! Hope you are well.
Any news and documentation about DCR?
No - not right now.
What exactly are you looking for?
Thank you for replying. Looking for dynamic client registration or a guide/documentation to extend it in current Identity Server (6.0) to have it. If you can share any guidance would great :)
We might be adding it as part of the config API https://blog.duendesoftware.com/posts/20220204_admin_ui/
In the meantime, you could simply create an API endpoint that accepts a DCR document and talk to the config database yourself.
https://openid.net/specs/openid-connect-registration-1_0.html#RegistrationRequest
Hi. Is this definately planned for 6.2.0?
Best regards, Novak
no - this is our current thinking but might change.
Having a closer look - it would make sense to start with implementing an applicable subset of the DCR protocol https://datatracker.ietf.org/doc/html/rfc7591
From an implementation point of view
Probably out of scope for the initial release
https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata
other areas: device codes, CIBA, consent, refresh token details
Hi Dominick,
is this DCR definately planned for 6.2.0?
Best regards, Novak
DCR yes - DCM not.
Hi @leastprivilege, does adding the required records manually into the IS database tables (Clients, ClientRedirectUris, ClientScopes & ClientSecrets) with the IS running not allow for dynamic clients?
it does. But DCR is a protocol. See 1st entry.
DCR would be great feature - especially, that some API Managment Developer Portals are starting to implement this protocol, for example Tyk: https://tyk.io/docs/tyk-developer-portal/tyk-portal-classic/dynamic-client-registration/
@leastprivilege Any update on this feature?
Is there any progress? How certain is it that this change will be in the next release (6.3)?
We have a proof of concept implementation in this branch: https://github.com/DuendeSoftware/IdentityServer/tree/dom/dcr-poc, and releasing it in 6.3 is a top priority for me.
Skip past the indented text if you don’t want to read my intro and just get to my question.
Along the way I have had a lot to learn. I was more comfortable in the X509 space and very new to Oauth2 and OIDC.
I have many questions but will only ask one here.
Assumption: DCR included the registered scopes ahead of time and they will not be required at AuthToken request time
So, after DCR my goal was through DI, to register a ISecretParser for extracting the secret from HttpContext and second to register a ISecretValidator for validating the certificate chain. If all goes well, I could be injected into Identity Server’s “ClientSecretValidator” via the ISecretsListParser and ISecretsListValidator. At least that is what I would like.
Because the base UDAP spec does not require scopes during Access Token requests I would of course always fail in “ClientSecretValidator” because it requires them. For the time being I replaced “ClientSecretValidator” with my own copy that injects a IScopeService that would resolve default scopes in the meantime.
So, what do you think. Is this a descent pattern? If so, would you adapt something like this so I can go back to using ClientSecretValidtor in a feature request? Or should I be implementing some middleware up stream to push the scopes into the Http request parameters ahead of time. I hate to bolt on this type of thing. It doesn’t get the kind of scrutiny of being in this incredible code base knowledge from folks like you who have a better chance of doing it the best way.
Anyway thanks for taking time to consider my comments.
Reminder: license check for DCR
All done for now, I think. Yay!
https://tools.ietf.org/html/rfc7591 https://openid.net/specs/openid-connect-registration-1_0.html