Dynamic Client Registration (DCR) with WSO2 IS
🧬 Introduction
Dynamic Client Registration is a protocol that lets OAuth 2.0 client applications register themselves with an authorization server over an API instead of through an administrator's console. It is standardized twice: by the OpenID Foundation as OpenID Connect Dynamic Client Registration 1.0, and by the IETF as RFC 7591.
🧪 How to register a client application with WSO2 IS
WSO2 Identity Server allows you to register your OAuth 2.0 application as a service provider (SP). You can do that either through the Management Console or through WSO2 IS's DCR endpoint. We will first look at creating an SP with the Management Console and then at doing the same with the DCR endpoint.
🖥️ Register a Client Application with the WSO2 Management Console
First, download the WSO2 IS binary package from https://wso2.com/identity-server/ and extract the .zip file to a convenient location. Then open a terminal and start the server,
- For Linux and Unix Systems
↳sh <IS_HOME>/bin/wso2server.sh
- For Windows Systems
↳<IS_HOME>/bin/wso2server.bat --run
Then open your browser and type https://localhost:9443/carbon
to access the WSO2 Management Console. The default credentials are,
- username
↳admin
- password
↳admin
These are well-known defaults; change them before the server is reachable from anywhere other than your own machine.
Then find the Service Providers section from the sidebar and click on Add.
Clicking Add takes you to the Add New Service Provider page, where you give your client application a unique name.
After registering the application, go to Inbound Authentication Configuration → OAuth/OpenID Connect Configuration and click on the Configure button.
That opens a page for configuring the service provider according to the OAuth 2.0 and OIDC specifications. Provide http://localhost:8080/playground2/oauth2client as the Callback URL and click the Add button.
After that, Client ID and Client Secret values appear under the OAuth/OpenID Connect Configuration. Note that these auto-generated values cannot be edited from the console.
This is how you add a client application/service provider using the WSO2 Management Console. Sometimes, however, you need to supply your own Client ID and Client Secret (for example, to mirror an existing client's credentials during a migration) rather than accept auto-generated ones. That is where the DCR endpoint helps.
🏃🏻♂️ Dynamic Client Registration
The DCR endpoint in WSO2 IS allows you to dynamically create, update, delete, and get information on clients. Every call is authenticated with HTTP Basic credentials of an IS user (admin in the examples below), so this is not anonymous registration: whoever holds those credentials can create clients with credentials of their choosing.
📌 Register an OAuth Application
To register an OAuth application, run the following cURL command. The -k flag disables TLS certificate verification; that is tolerable against the self-signed certificate of a local IS install, but anywhere else replace it with --cacert pointing at the server's certificate.
curl -k -X POST -H "Authorization: Basic <Base64_encoded_username:password>" \
  -H "Content-Type: application/json" \
  -d '{
    "client_name": "<APPLICATION_NAME>",
    "grant_types": ["<GRANT_TYPES>"],
    "ext_param_client_id": "<CLIENT_ID>",
    "ext_param_client_secret": "<CLIENT_SECRET>" }' \
  "https://<IS_HOST>:<IS_PORT>/api/identity/oauth2/dcr/v1.1/register"
An example cURL command using the above format will be,
curl -k -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" \
  -H "Content-Type: application/json" \
  -d '{
    "client_name": "application1",
    "grant_types": ["password"],
    "ext_param_client_id": "provided_client_id0001",
    "ext_param_client_secret": "provided_client_secret0001" }' \
  "https://localhost:9443/api/identity/oauth2/dcr/v1.1/register"
This returns a response like the following. Notice that the client ID and client secret are the ones we supplied rather than randomly generated values. ext_param_client_id and ext_param_client_secret are WSO2-specific extension parameters, not part of RFC 7591, and because the secret is chosen by the caller it is only as strong as whatever the caller sends; generate it with a CSPRNG rather than typing one in.
"HTTP/1.1 201 Created"
{
"client_name":"application1",
"client_id":"provided_client_id0001",
"client_secret":"provided_client_secret0001",
"redirect_uris":[""]
}
If you want to include a redirect_uri with the registration, use the following cURL command instead.
curl -k -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" \
  -H "Content-Type: application/json" \
  -d '{
    "client_name": "application1",
    "grant_types": ["password"],
    "redirect_uris": ["http://localhost:8080/playground2/oauth2client"],
    "ext_param_client_id": "provided_client_id0001",
    "ext_param_client_secret": "provided_client_secret0001" }' \
  "https://localhost:9443/api/identity/oauth2/dcr/v1.1/register"
📌 Update an OAuth Application
To update an already created OAuth application, you can use the following cURL command.
curl -k -X PUT -H "Authorization: Basic <Base64_encoded_username:password>" \
  -H "Content-Type: application/json" \
  -d '{
    "redirect_uris": ["<CALLBACK_URL>"],
    "client_name": "<APPLICATION_NAME>",
    "grant_types": ["<GRANT_TYPES>"] }' \
  "https://<IS_HOST>:<IS_PORT>/api/identity/oauth2/dcr/v1.1/register/<CLIENT_ID>"
An example cURL command using the above format will be,
curl -k -X PUT -H "Authorization: Basic YWRtaW46YWRtaW4=" \
  -H "Content-Type: application/json" \
  -d '{
    "client_name": "application1",
    "grant_types": ["authorization_code", "password", "implicit"],
    "redirect_uris": ["https://client.example.org/callback"] }' \
  "https://localhost:9443/api/identity/oauth2/dcr/v1.1/register/provided_client_id0001"
This returns a response like the following. The password and implicit grant types appear here only to show that grant_types can be changed on update; both are deprecated by the OAuth 2.0 Security Best Current Practice, so do not enable them on new clients.
"HTTP/1.1 200 OK"
{
"client_id": "provided_client_id0001",
"client_secret": "provided_client_secret0001",
"client_secret_expires_at": 0,
"redirect_uris": ["https://client.example.org/callback"],
"grant_types": ["authorization_code", "password","implicit"],
"client_name": "application1"
}
📌 Get application information
To get the application information, we can either use the Client ID or the Client Name. If we want to get application information using the Client ID, we can use the following cURL command.
curl -k -X GET -H "Authorization: Basic <Base64_encoded_username:password>" -H "Content-Type: application/json" -d '{}' "https://<IS_HOST>:<IS_PORT>/api/identity/oauth2/dcr/v1.1/register/<CLIENT_ID>"
An example cURL command using the above format will be,
curl -k -X GET -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d '{}' "https://localhost:9443/api/identity/oauth2/dcr/v1.1/register/provided_client_id0001"
If you want to get the application information using the Client Name, you can use the following cURL command.
curl -k -X GET -H "Authorization: Basic <Base64_encoded_username:password>" -H "Content-Type: application/json" -d '{}' "https://<IS_HOST>:<IS_PORT>/api/identity/oauth2/dcr/v1.1/register?client_name=<CLIENT_NAME>"
An example cURL command using the above format will be,
curl -k -X GET -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d '{}' "https://localhost:9443/api/identity/oauth2/dcr/v1.1/register?client_name=application1"
Both the cURL commands will give you the following response.
"HTTP/1.1 200 OK"
{
"client_id": "provided_client_id0001",
"client_secret":"provided_client_secret0001",
"client_secret_expires_at": 1577858400,
"redirect_uris":["https://client.example.org/callback"],
"client_name":"application1"
}
📌 Delete an OAuth Application
To delete an OAuth application using the DCR endpoint, you can use the following cURL command.
curl -k -X DELETE -H "Authorization: Basic <Base64_encoded_username:password>" -H "Content-Type: application/json" -d '{}' "https://<IS_HOST>:<IS_PORT>/api/identity/oauth2/dcr/v1.1/register/<CLIENT_ID>"
An example cURL command using the above format will be,
curl -k -X DELETE -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d '{}' "https://localhost:9443/api/identity/oauth2/dcr/v1.1/register/provided_client_id0001"
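The four cURL calls above cover the whole client lifecycle, so here they are wrapped in one small Python client as an added example (this is not WSO2's code, nor a library the project ships). It targets the same /api/identity/oauth2/dcr/v1.1/register endpoint and Basic-auth scheme shown above, and adds the pre-flight checks a practitioner wants before a client gets created: redirect URIs must be https (plain http is accepted only for a loopback development callback such as the playground one), a caller-chosen ext_param_client_secret must meet a length floor, the deprecated implicit and password grants are refused unless explicitly allowed, and the response is checked to confirm IS honoured the requested client_id. The transport is injectable so the logic can be exercised without a running server; the cafile argument and the accepted DELETE status codes are assumptions, since the page shows neither.

```python
import base64
import json
import re
import ssl
import urllib.parse
import urllib.request
from typing import Callable, Optional

DCR_PATH = "/api/identity/oauth2/dcr/v1.1/register"
# Grant types deprecated by the OAuth 2.0 Security Best Current Practice.
DEPRECATED_GRANTS = {"implicit", "password"}
# Plain http is tolerated only for a loopback development callback.
_LOOPBACK = re.compile(r"^http://(localhost|127\.0\.0\.1|\[::1\])(:\d+)?(/|$)")
# transport(method, url, headers, body) -> (http_status, parsed_json_body)
Transport = Callable[[str, str, dict, Optional[bytes]], tuple]


def basic_auth_header(username: str, password: str) -> str:
    """Authorization header value; admin:admin gives 'Basic YWRtaW46YWRtaW4='."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def build_register_payload(client_name, grant_types, redirect_uris=(),
                           client_id=None, client_secret=None,
                           allow_deprecated_grants=False, min_secret_len=32):
    """JSON body for POST/PUT .../register, refusing unsafe settings up front."""
    grants, uris = list(grant_types), list(redirect_uris)
    bad = DEPRECATED_GRANTS & set(grants)
    if bad and not allow_deprecated_grants:
        raise ValueError(f"deprecated grant types requested: {sorted(bad)}")
    if "authorization_code" in grants and not uris:
        raise ValueError("authorization_code needs at least one redirect_uri")
    for uri in uris:
        if not (uri.startswith("https://") or _LOOPBACK.match(uri)):
            raise ValueError(f"insecure or relative redirect_uri: {uri!r}")
    payload = {"client_name": client_name, "grant_types": grants}
    if uris:
        payload["redirect_uris"] = uris
    # ext_param_client_id / ext_param_client_secret are WSO2 extensions, not RFC 7591.
    if client_id is not None:
        payload["ext_param_client_id"] = client_id
    if client_secret is not None:
        if len(client_secret) < min_secret_len:  # caller-chosen, so enforce a floor
            raise ValueError(f"client secret shorter than {min_secret_len} chars")
        payload["ext_param_client_secret"] = client_secret
    return payload


class DcrClient:
    """register / update / get / delete against the WSO2 IS DCR v1.1 endpoint."""

    def __init__(self, base_url, username, password, cafile=None, transport=None):
        self.endpoint = base_url.rstrip("/") + DCR_PATH
        self.headers = {"Authorization": basic_auth_header(username, password),
                        "Content-Type": "application/json"}
        # Verify the server certificate rather than disabling checks (curl -k);
        # cafile is assumed to be the exported IS certificate of a self-signed install.
        self._ctx = ssl.create_default_context(cafile=cafile)
        self._send: Transport = transport or self._urllib_transport

    def _urllib_transport(self, method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with urllib.request.urlopen(req, context=self._ctx) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})

    def _call(self, method, url, payload=None, expect=(200,)):
        body = json.dumps(payload).encode() if payload is not None else None
        status, doc = self._send(method, url, self.headers, body)
        if status not in expect:
            raise RuntimeError(f"{method} {url} returned {status}: {doc}")
        return doc

    def register(self, **kwargs):
        payload = build_register_payload(**kwargs)
        doc = self._call("POST", self.endpoint, payload, expect=(201,))
        want = payload.get("ext_param_client_id")  # confirm IS honoured our id
        if want is not None and doc.get("client_id") != want:
            raise RuntimeError(f"IS issued {doc.get('client_id')!r}, not {want!r}")
        return doc

    def update(self, client_id, client_name, grant_types, redirect_uris=(), **opts):
        payload = build_register_payload(client_name, grant_types, redirect_uris, **opts)
        return self._call("PUT", f"{self.endpoint}/{client_id}", payload)

    def get(self, client_id):
        return self._call("GET", f"{self.endpoint}/{client_id}")

    def get_by_name(self, client_name):
        query = urllib.parse.urlencode({"client_name": client_name})
        return self._call("GET", f"{self.endpoint}?{query}")

    def delete(self, client_id):
        # The page does not show the DELETE response; 200 or 204 is accepted here (assumed).
        return self._call("DELETE", f"{self.endpoint}/{client_id}", expect=(200, 204))
```

Against a local install you would construct it as DcrClient("https://localhost:9443", "admin", "admin", cafile="wso2carbon.pem") and call register(client_name="application1", grant_types=["authorization_code"], redirect_uris=["https://client.example.org/callback"], client_id="provided_client_id0001", client_secret=secrets.token_urlsafe(32)), then update, get, get_by_name and delete with the same client_id. The checks live in build_register_payload so that the same policy applies to both registration and update; pass allow_deprecated_grants=True only when reproducing the article's password-grant example.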
You can access the Postman Collection outlining the above APIs from here.
That covers Dynamic Client Registration. Building on what we learned here, the next articles look at how to use the OAuth 2.0 grant types.