Support dynamic client registration #17

Closed
33 of 39 tasks
matrixbot opened this issue Sep 9, 2024 · 1 comment
Labels
A-Client-Registration Related to OIDC Dynamic Client Registration

Comments

@matrixbot
Collaborator

This issue was originally created by @sandhose at matrix-org/matrix-authentication-service#17.

Support for RFC7591.
See MSC2966.

This is the step where clients register themselves and provide metadata about themselves.

What needs to be supported according to the OIDC conformance profile:
https://openid.net/wordpress-content/uploads/2018/06/OpenID-Connect-Conformance-Profiles.pdf

  • ID Token
    • Asymmetric ID Token signature with RS256
  • UserInfo Endpoint
    • Can provide signed UserInfo response with RS256
  • redirect_uri
    • Reject request without redirect_uri when multiple registered
    • Preserves query parameter in redirect_uri
    • Preserves query parameter in registered redirect_uris
    • Reject redirect_uri when query parameter does not match
    • Reject redirect_uri when query parameter added
    • Reject registration of redirect_uris with fragment
  • Discovery
    • Publishes openid-configuration discovery information
    • Config has issuer
    • Discovered issuer matches openid-configuration path prefix
    • Discovered issuer matches ID Token iss value
    • Config has authorization_endpoint
    • Config has token_endpoint
    • Config has userinfo_endpoint
    • Config has jwks_uri
    • Keys in OP JWKs well formed
    • Config has scopes_supported
    • Config has response_types_supported
    • Config has subject_types_supported
    • Config has id_token_signing_alg_values_supported
    • Config has claims_supported
    • All OP endpoints use https
    • Can Discover Identifiers using E-Mail Syntax
    • Support WebFinger discovery
  • Dynamic Client Registration
    • Config has registration_endpoint
    • Enables dynamic registration
    • Support using Sector Identifier for pairwise sub values
    • Displays logo_uri in login page
    • Displays policy_uri in login page
    • Displays tos_uri in login page
    • Uses keys registered with jwks value
    • Uses keys registered with jwks_uri value
    • Reject Sector Identifier not containing registered redirect_uri values
  • Key Rotation
    • Can rotate OP signing key
    • Support RP signing key rotation
  • request_uri Request Parameter
    • Support request_uri request parameter
    • Support request_uri request parameter with unsecured request
    • Support request_uri request parameter with signed request
@matrixbot matrixbot added the A-Client-Registration Related to OIDC Dynamic Client Registration label Sep 9, 2024
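
The redirect_uri items in the checklist above, sketched as an added example (not code from matrix-authentication-service or from this issue): registration refuses fragments, authorization matching is an exact string comparison so a changed or added query parameter is rejected, and the callback keeps the registered query string. All type and function names are hypothetical, and falling back to a single registered URI when `redirect_uri` is omitted is an assumption.

```rust
// Added illustration: all names are hypothetical, not matrix-authentication-service code.
#[derive(Debug, PartialEq)]
pub enum RedirectError {
    Fragment(String),   // registration: URI carries a '#fragment'
    MissingRedirectUri, // authorization: omitted while several are registered
    NotRegistered,      // authorization: no exact match among registered URIs
}

/// Registration-time check: refuse any redirect URI that contains a fragment.
pub fn register(uris: &[&str]) -> Result<Vec<String>, RedirectError> {
    if let Some(bad) = uris.iter().find(|u| u.contains('#')) {
        return Err(RedirectError::Fragment(bad.to_string()));
    }
    Ok(uris.iter().map(|u| u.to_string()).collect())
}

/// Authorization-time check: simple string comparison, query string included,
/// so a changed or added query parameter fails to match.
pub fn resolve<'a>(registered: &'a [String], requested: Option<&str>) -> Result<&'a str, RedirectError> {
    match requested {
        Some(r) => registered.iter().map(String::as_str).find(|u| *u == r)
            .ok_or(RedirectError::NotRegistered),
        // Assumption: a lone registered URI is used when the parameter is omitted.
        None if registered.len() == 1 => Ok(registered[0].as_str()),
        None => Err(RedirectError::MissingRedirectUri),
    }
}

/// Percent-encode everything outside the RFC 3986 unreserved set.
fn enc(s: &str) -> String {
    s.bytes().map(|b| match b {
        b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => (b as char).to_string(),
        _ => format!("%{:02X}", b),
    }).collect()
}

/// Build the callback URL, keeping the registered query and appending to it.
pub fn callback_url(redirect_uri: &str, code: &str, state: &str) -> String {
    let sep = if redirect_uri.contains('?') { '&' } else { '?' };
    format!("{}{}code={}&state={}", redirect_uri, sep, enc(code), enc(state))
}

fn main() {
    // Constructed sample client and requests.
    let client = register(&["https://rp.example/cb?tenant=a", "https://rp.example/cb2"]).unwrap();
    for req in [Some("https://rp.example/cb?tenant=a"), Some("https://rp.example/cb?tenant=b"), None] {
        println!("{:?} -> {:?}", req, resolve(&client, req));
    }
    println!("{}", callback_url(&client[0], "c0de", "s t"));
}
```
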
@matrixbot
Collaborator Author

This comment was originally posted by @sandhose at matrix-org/matrix-authentication-service#17 (comment).

We've been supporting dynamic client registration for a while now. Opened other issues with the A-Client-Registration label to fill in the gap.
