DCR vs DCRM with WSO2 Identity Server

Dynamic Client Registration (DCR) is a protocol that allows OAuth clients to register applications with an authorization server. Before this mechanism, introduced by the specification [1], client registration was a manual step. With DCR, client registration can be done in two ways:

- A client can register itself dynamically with the authorization server.

- A developer can register a client programmatically.

Following is the protocol flow of DCR:

1. The client sends a registration request to the registration endpoint. This is an HTTP POST whose body carries the client metadata as JSON (see the sample below).

2. The server responds with 201 Created and the registered client information, including the issued client_id and client_secret.


Request (the Basic credential decodes to admin:admin, the default WSO2 administrator account; the registration endpoint is an administrative interface and must not be left on default credentials or exposed unauthenticated). Only the client_name field of the request body survives on this page:

    Authorization: Basic YWRtaW46YWRtaW4=
    Content-Type: application/json

    {
      "client_name": "client_test",
      ...
    }

Response:

    HTTP/1.1 201 Created
    Content-Type: application/json

    {
      "client_id": "3701c489-3e03-4f2b-a125-ee3f8d25a501",
      "client_secret": "4bff3ec0-a5ab-4252-8768-126633278333",
      "redirect_uris": ["http://localhost"],
      "client_name": "client_test"
    }

The response carries the client_secret in clear, so the registration response must be handled as a credential from the moment it is received.

Dynamic Client Registration Management (DCRM) is the extension specified in [2]. The main functionalities it introduces are:

  1. Current registration state of a client (Client Read Request)
  2. Update request to an already registered client (Client Update Request)
  3. Delete request to unregister a client (Client Delete Request)

DCRM is an extension of the DCR specification: the registration response additionally carries a registration_client_uri and a registration_access_token, and the client sends its later read, update and delete requests to that URI, authenticating with that token. Following is the protocol flow of DCRM.


Following is a sample client read request and response using WSO2 Identity Server. The read request is an HTTP GET made by appending the client identifier (the client key of the application) to the DCR register endpoint; only the Host header of the request survives on this page.

Request:

    Host: localhost:9443

Response:

    Content-Type: application/json

    {
      "client_id": "3701c489-3e03-4f2b-a125-ee3f8d25a501",
      "client_secret": "4bff3ec0-a5ab-4252-8768-126633278333",
      "redirect_uris": ["http://localhost"],
      ...
    }

Note that the read response returns the client_secret, so the read endpoint must be protected exactly like registration itself.

This is used to update an already registered client application. The update request is an HTTP PUT.
A few considerations apply when doing the DCRM update request:

  1. The request MUST include all client metadata fields obtained from the previous read or registration response.
  2. Fields omitted from the request are treated by the server as null or empty, that is, they are deleted from the registration (supplied values replace the stored ones, they do not augment them).
  3. The 'client_id' MUST be included in the request and MUST be the same as the currently issued client identifier.
  4. The 'client_secret' value can be included in the request, but it must match the currently issued 'client_secret'.
  5. The 'client_secret' in the request cannot override (rotate) the existing one of the application.

The practical consequence of 1 and 2 is that a partial PUT carrying only the field being changed silently strips the rest of the registration (for example the redirect_uris), so always build the update body from a fresh read response.

Following is a sample request and response using WSO2 Identity Server. Only the Content-Type header of the request survives on this page; its body is the full client metadata JSON object described above.

Request:

    Content-Type: application/json

    { ... }

Response:

    Content-Type: application/json

    {
      "client_id": "3701c489-3e03-4f2b-a125-ee3f8d25a501",
      "client_secret": "4bff3ec0-a5ab-4252-8768-126633278333",
      "redirect_uris": ["http://localhost"],
      ...
    }

By sending an HTTP DELETE request the client can deregister itself from the authorization server.
A successful delete invalidates the client's 'client_id', 'client_secret' and 'registration_access_token'; the authorization server should also invalidate any existing grants and tokens issued to that client.
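The full DCR/DCRM lifecycle described above (register, read, update under the rules listed for the update request, delete), as an added Python example that is not part of the original post and not WSO2 Identity Server code. It models the authorization server in memory; the /register path, the admin:admin Basic credential (the one in the post's sample request) and all metadata values are assumptions. The update handler implements the RFC 7592 rules so that the two failure modes a practitioner runs into are visible: a partial PUT wipes the omitted fields, and an update cannot rotate the client_secret.

```python
"""In-memory model of a DCR (RFC 7591) register endpoint with DCRM (RFC 7592)
read/update/delete and a client that builds update bodies correctly. Added
illustration, not WSO2 code; path, admin:admin credential and metadata are assumed."""
import base64
import json
import secrets
import uuid

REGISTER_PATH = "/register"  # assumed; WSO2 IS has its own DCR endpoint path
ADMIN_BASIC = "Basic " + base64.b64encode(b"admin:admin").decode()
# Server-issued fields; a client MUST NOT send them back in an update.
SERVER_ISSUED = {"registration_access_token", "registration_client_uri",
                 "client_id_issued_at", "client_secret_expires_at"}
CLIENT_FIELDS = ("client_name", "redirect_uris", "grant_types")


class AuthorizationServer:
    def __init__(self):
        self.clients = {}  # client_id -> stored metadata

    def handle(self, method, path, headers, body=None):
        """Serve one HTTP-like request; returns (status, json_body_or_None)."""
        if headers.get("Authorization") != ADMIN_BASIC:
            return 401, {"error": "unauthorized"}
        if method == "POST" and path == REGISTER_PATH:
            return self._register(json.loads(body))
        # Management requests address the client key appended to the register EP.
        record = self.clients.get(path.rpartition("/")[2])
        if record is None:
            return 401, {"error": "unknown_client"}  # RFC 7592: unknown client -> 401
        if method == "GET":
            return 200, dict(record)
        if method == "PUT":
            return self._update(record, json.loads(body))
        if method == "DELETE":
            del self.clients[record["client_id"]]  # id and secret are now invalid
            return 204, None
        return 405, {"error": "method_not_allowed"}

    def _register(self, meta):
        if not meta.get("redirect_uris"):
            return 400, {"error": "invalid_redirect_uri"}
        record = {"client_id": str(uuid.uuid4()),
                  "client_secret": secrets.token_urlsafe(32),
                  "client_name": meta.get("client_name"),
                  "redirect_uris": list(meta["redirect_uris"]),
                  "grant_types": list(meta.get("grant_types", ["authorization_code"]))}
        self.clients[record["client_id"]] = record
        return 201, dict(record)

    def _update(self, record, meta):
        # client_id is mandatory and must equal the issued one; client_secret, if
        # sent, must equal the current one (an update cannot rotate it).
        if meta.get("client_id") != record["client_id"]:
            return 400, {"error": "invalid_client_metadata", "field": "client_id"}
        if "client_secret" in meta and meta["client_secret"] != record["client_secret"]:
            return 400, {"error": "invalid_client_metadata", "field": "client_secret"}
        if SERVER_ISSUED.intersection(meta):
            return 400, {"error": "invalid_client_metadata", "field": "server_issued"}
        if not meta.get("redirect_uris"):
            return 400, {"error": "invalid_redirect_uri"}
        # Supplied values replace stored ones; omitted fields become null (deleted),
        # so a partial PUT silently strips metadata.
        for key in CLIENT_FIELDS:
            record[key] = meta.get(key)
        return 200, dict(record)


def build_update(current, **changes):
    """Client side: copy the full metadata of the last read/registration response,
    drop the server-issued fields, then apply the intended changes."""
    body = {k: v for k, v in current.items() if k not in SERVER_ISSUED}
    body.update(changes)
    return body


def run_lifecycle():
    """Register, read, update (full and partial), try a secret rotation, delete,
    read again; returns the observed statuses and values (constructed sample data)."""
    server = AuthorizationServer()
    hdrs = {"Authorization": ADMIN_BASIC, "Content-Type": "application/json"}
    status, reg = server.handle("POST", REGISTER_PATH, hdrs, json.dumps(
        {"client_name": "client_test", "redirect_uris": ["http://localhost"]}))
    uri = f"{REGISTER_PATH}/{reg['client_id']}"
    _, read = server.handle("GET", uri, hdrs)
    noauth, _ = server.handle("GET", uri, {})
    upd_status, upd = server.handle("PUT", uri, hdrs, json.dumps(
        build_update(read, redirect_uris=["https://app.example/cb"])))
    _, partial = server.handle("PUT", uri, hdrs, json.dumps(  # partial body
        {"client_id": reg["client_id"], "client_name": "renamed",
         "redirect_uris": ["https://app.example/cb"]}))
    rot_status, _ = server.handle("PUT", uri, hdrs, json.dumps(
        build_update(read, client_secret="attacker-chosen")))
    del_status, _ = server.handle("DELETE", uri, hdrs)
    after, _ = server.handle("GET", uri, hdrs)
    return {"register": status, "read_matches": read == reg, "no_auth": noauth,
            "update": upd_status, "new_redirects": upd["redirect_uris"],
            "partial_grant_types": partial["grant_types"], "rotate": rot_status,
            "delete": del_status, "after_delete": after}


if __name__ == "__main__":
    print(json.dumps(run_lifecycle(), indent=2))
```

Running the script prints the lifecycle result: registration answers 201, the read echoes the registered record, the well-formed update answers 200, the partial update leaves grant_types as null, the secret-rotation attempt is refused with 400, the delete answers 204 and a read after it answers 401. When writing a real client against WSO2 Identity Server, keep the build_update pattern: read first, then PUT the complete record.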

Following is a sample request and response using WSO2 identity server.

Originally published at hasanthipurnima.blogspot.com.

Written by an Associate Technical Lead @ WSO2
