indigo-dc / oidc-agent

oidc-agent for managing OpenID Connect tokens on the command line
MIT License

Provide the registration access token for dynamically registered clients #263

Closed paulmillar closed 4 years ago

paulmillar commented 4 years ago

oidc-agent supports dynamic client registration, which is a very convenient feature.

Some OPs require a registration access token when reviewing changes to a client. The INDIGO IAM is an example of an OP that has this requirement.

The registration access token is returned as an (optional) element in the dynamic client registration's Client Registration Response:

https://openid.net/specs/openid-connect-registration-1_0.html#RegistrationResponse

It would be helpful if oidc-agent were to store the registration access token (if the OP returned one) and provide a way for a user to obtain this value later on.

zachmann commented 4 years ago

The registration access token is stored in the oidc-agent account configuration file. You can print the content of the configuration file with oidc-gen -p <shortname>. So this functionality is already given.

paulmillar commented 4 years ago

No. I don't see the registration access token in the oidc-gen -p output.

I also checked the code: the registration_access_token element from the dynamic registration JSON response seems to be ignored. Also, a simple git grep registration_access_token shows no hits.

zachmann commented 4 years ago

If the provider returns a registration access token when registering the client dynamically, it is included in the config file and can be printed with oidc-gen -p. I just tried it with IAM (iam-test.indigo).

In the code this is not done explicitly, but all claims returned from the provider on dynamic client registration are saved.
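
The behaviour described in the two comments above (every claim in the Client Registration Response is kept, so registration_access_token is present in the account configuration exactly when the OP returned it) is illustrated below in an added Python example. It is not oidc-agent's code, and the two registration responses are constructed sample data modelled on the fields of OpenID Connect Dynamic Client Registration 1.0 section 3.2. The client_read_request helper, which builds the RFC 7592 client-configuration read request that the stored token authorizes, goes beyond what the thread discusses and is an assumption about how the token is used, not something oidc-agent does.

```python
import json
from typing import Optional

# Constructed Client Registration Response (sample data, not a real OP's reply).
# The OP returns registration_access_token and registration_client_uri.
SAMPLE_RESPONSE_WITH_RAT = json.dumps({
    "client_id": "e2a6ed3b-example",
    "client_secret": "s3cr3t-example",
    "client_id_issued_at": 1577836800,
    "client_secret_expires_at": 0,
    "registration_access_token": "rat-example-token",
    "registration_client_uri": "https://op.example.org/register/e2a6ed3b-example",
    "redirect_uris": ["http://localhost:4242/redirect"],
    "token_endpoint_auth_method": "client_secret_basic",
})

# Constructed response from an OP that omits the optional registration fields,
# the situation described for the XDC registration in this thread.
SAMPLE_RESPONSE_WITHOUT_RAT = json.dumps({
    "client_id": "0c1d2e3f-example",
    "client_secret": "other-s3cr3t",
    "redirect_uris": ["http://localhost:4242/redirect"],
})


def merge_registration_response(account_config: dict, response_body: str) -> dict:
    """Store every claim of the registration response in the account config.

    Nothing is picked out explicitly: all returned claims are kept, so
    registration_access_token is stored whenever the OP sends it.
    """
    claims = json.loads(response_body)
    if not isinstance(claims, dict) or "client_id" not in claims:
        raise ValueError("registration response must be a JSON object with client_id")
    # Section 3.2 of the registration spec: an OP returns registration_access_token
    # and registration_client_uri together or not at all. Reject half a pair.
    has_token = "registration_access_token" in claims
    has_uri = "registration_client_uri" in claims
    if has_token != has_uri:
        raise ValueError("registration_access_token and registration_client_uri must appear together")
    merged = dict(account_config)
    merged.update(claims)
    return merged


def registration_access_token(account_config: dict) -> Optional[str]:
    """Return the stored token, or None when the OP never returned one."""
    return account_config.get("registration_access_token")


def client_read_request(account_config: dict) -> Optional[dict]:
    """Assumed usage: build the RFC 7592 read request for the client configuration.

    Returns None when the config has no registration_access_token, because the
    client configuration endpoint cannot be called without it.
    """
    token = registration_access_token(account_config)
    uri = account_config.get("registration_client_uri")
    if token is None or uri is None:
        return None
    return {
        "method": "GET",
        "url": uri,
        "headers": {"Authorization": f"Bearer {token}", "Accept": "application/json"},
    }


if __name__ == "__main__":
    cfg = merge_registration_response({"issuer_url": "https://op.example.org/"},
                                      SAMPLE_RESPONSE_WITH_RAT)
    print(json.dumps(cfg, indent=2))  # the kind of content a config dump shows
    print(client_read_request(cfg))
    cfg2 = merge_registration_response({"issuer_url": "https://op2.example.org/"},
                                       SAMPLE_RESPONSE_WITHOUT_RAT)
    print(registration_access_token(cfg2))  # None: this OP returned no token
```

The point of the second sample is the caveat from this thread: a missing registration_access_token is a property of the OP's response, not of the client that stored it, so any tooling that reads it back has to treat the field as optional.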

paulmillar commented 4 years ago

Ah, I've just registered with https://iam-test.indigo-datacloud.eu/, too. I can see the registration_access_token value in the oidc-gen -p output.

For some reason, my earlier dynamic registration with XDC (https://iam.extreme-datacloud.eu/) failed to return a registration_access_token.

However, it's fairly clear that this isn't a problem with oidc-agent.

My only suggestion is that perhaps the docs could be updated to mention where the registration access token may be obtained.