OAuth 2 Dynamic Client Registration

Captions
When you start registering your OAuth 2 or OpenID Connect application with any major provider, you will probably go through some sort of API management dashboard. For example, here I took a screenshot from the Google platform. So you have to say, okay, how does my auth screen look? What logo do I want to display? What text do I want to display? Maybe also some localized version. So all of this is typically manual work. However, there is actually a way to make this registration dynamic, or programmatic, and this is exactly what we're going to talk about today. So today we're going to talk about Dynamic Client Registration, which is RFC 7591.

Doing that can have quite some advantages in some cases. For example, typically an application, if you load it from the app store, is a public client. Why? Because you cannot package any secret or client credentials in the package itself, because otherwise people could just look at it and extract it. However, there is a way to make a mobile app a confidential client, and that is by dynamically registering itself when you start it. So instead of shipping some client credentials in the package you download from the app store, when you open the app, the application just reaches out to the authorization server, programmatically fills out this entire form here, registers itself, and then it could actually receive a client secret or any credentials that are required. And mobile operating systems like iOS and Android have native support for securely storing client credentials. So that is a way to make a mobile app actually a confidential client.

Another thing which you might do, which is also recently gaining some traction, is this whole idea of open banking and of dynamically registering with authorization servers. So for example, suppose you are some startup, and your startup is aggregating or facilitating the finances for your customers. So you have some server, and the server connects to a hell of a lot of different banks, and it aggregates all the transactions and so on and shows you some unified view. That would be a great example where you could use this dynamic client registration, simply because you have so many banks to manage that it would be really painful to fill everything out manually. And you could, for example, do this in the build step. So you might have some file where it says, okay, here are the banks that I support, and if you see, oh, I haven't registered this one, then you just do this dynamic client registration, and in the end it aggregates all your transactions from all banks and says, okay, you spent five dollars in total this month. So you can do this in the build step. You could theoretically also register lazily, right? So if someone says, yeah, I want to use this bank, and you realize, oh, actually I haven't registered the application with this particular bank, well, you could just do it in the background. That would also work. Maybe it makes more sense to do it during the build step, because then you might see problems up front; if there's any issue with the client registration, then your customer is not going to see anything.

And overall, how does this work? Well, it's actually pretty simple. Either the client, so that means the mobile app for example, or the developer hits some specific endpoint, the client registration endpoint, in the authorization server. So obviously the authorization server has to support the spec. And there you send all the things programmatically that you would normally enter in this API management dashboard: what is the redirect URL, what are the redirect URLs, what grant types do I support, what is the name of the application, what scopes do I have, and so on and so on. It's a huge list; I didn't show everything here because it would be very long, but if you want to know the details you can check out this RFC and read through everything, so you can see all the things that you can register.

There are a few things that are worth mentioning. For one, this specification says the authorization server might support some sort of initial access token, because obviously what you don't want is anyone just registering an application with you or spamming you. That is why you might make use of some sort of initial access token. This is something that you have to obtain by other means; the spec does not say how to obtain it, which kind of makes it again a manual step. That's why they recommend that you should at least offer to the client or to the developer that you don't need this initial access token. However, what you might need is a software statement. A software statement is a JSON Web Signature token, so something that is signed, and it contains all these key-value pairs here as claims. If the authorization server trusts the entity that has issued the software statement (obviously the requirement is that the issuer is specified in the statement and the signature validates), then it's going to only take, or it's going to prefer, the values that are written in there, because these are confirmed by a third-party entity.

So overall, this whole client registration helps you to build these API dashboards, right? Because in the end this is exactly what this thing is doing: you enter some data, you click some button, and then it makes some call to the authorization server and registers it. So it helps you to build these things. In principle you could also make an application a confidential client by dynamically registering it; that would also work. And of course, if you're dealing with a lot of different authorization servers, then dynamic client registration is essential for you to not go crazy, because otherwise you're just going to have too much bureaucracy to support all of this.

Cool, so that's it pretty much. I hope this explanation makes sense. If you have any questions, please let me know. If you liked the video, please give it a thumbs up and subscribe to the channel, and I'll see you in the next one. Bye bye.
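The registration exchange described in the video, as an added example that is not from the video or its author: a toy RFC 7591 registration endpoint in Python that verifies a software statement from a trusted issuer, lets its signed claims take precedence over the request body, validates redirect URIs and grant types, and issues a client_id and client_secret. The trusted issuer, the HS256 shared secret and the HTTPS-only redirect policy are constructed assumptions for this example.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo data: an issuer whose software statements this authorization server trusts.
# HS256 keeps the example offline; real servers verify an asymmetric JWS against the issuer's keys.
TRUSTED_ISSUERS = {"https://issuer.example": b"constructed-shared-secret"}
ALLOWED_GRANTS = {"authorization_code", "refresh_token", "client_credentials"}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_software_statement(claims: dict, issuer: str) -> str:
    """Third-party side: sign client metadata claims as a compact JWS (HS256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({**claims, "iss": issuer}).encode())
    sig = hmac.new(TRUSTED_ISSUERS[issuer], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_software_statement(jws: str) -> dict:
    """Authorization-server side: return the claims only if the issuer is trusted and the signature checks."""
    header_b64, payload_b64, sig_b64 = jws.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None or header.get("alg") != "HS256":  # pin the algorithm; never trust the header's alg alone
        raise ValueError("unapproved_software_statement")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("invalid_software_statement")
    return {k: v for k, v in claims.items() if k != "iss"}

def register_client(request: dict) -> dict:
    """Registration endpoint: validate metadata, let signed claims win, issue credentials."""
    metadata = dict(request)
    statement = metadata.get("software_statement")
    if statement is None:  # demo policy: a trusted statement replaces the manual initial access token
        raise ValueError("invalid_client_metadata")
    metadata.update(verify_software_statement(statement))  # RFC 7591: statement values take precedence
    uris = metadata.get("redirect_uris") or []
    if not uris or any(not u.startswith("https://") or "#" in u for u in uris):
        raise ValueError("invalid_redirect_uri")  # demo policy: HTTPS only, no fragment components
    grants = metadata.setdefault("grant_types", ["authorization_code"])
    if not set(grants) <= ALLOWED_GRANTS:
        raise ValueError("invalid_client_metadata")
    return {**metadata, "client_id": secrets.token_urlsafe(16), "client_secret": secrets.token_urlsafe(32),
            "client_id_issued_at": int(time.time()), "client_secret_expires_at": 0}
```

The error strings mirror the RFC 7591 error codes a real endpoint would return in its JSON error response; the statement is echoed back unmodified with the issued credentials.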
Info
Channel: Jan Goebel
Views: 4,531
Keywords: oauth dynamic client registration, oauth 2 dynamic client registration, oauth 2.0 dynamic client registration, open id connect dynamic client registration, oidc dynamic client registration, oauth client registration, dynamic client registration with oauth, dynamic client registration, dynamic client registration oidc, oauth 2 explained, oauth 2 oidc dynamic client registration, open id connect oauth dynamic client registration
Id: duCN3a8fMv0
Length: 7min 0sec (420 seconds)
Published: Mon Mar 07 2022