We decided to restrict client registration and management to a specific client manager, which should authenticate to the authorization server when performing client registration and management requests.
The client manager cannot authenticate via the Authorization header, because that header is reserved for the client's registration access token used to perform client management requests, as specified in the RFC.
To perform such client manager authentication, we need to introduce a new authorization header named Authorization-Registrer, which holds the clientId and the clientSecret of the client manager.
Those values can be checked to authenticate the client, but how do we know it is a client manager we trust? The client manager should carry a special scope in its scopes property which indicates that it is the client manager, and that scope will be checked when authenticating the client manager.
Todo:
Implement a passport strategy for what is described above.