OpenID Connect Simple Client Registration 1.0

In order for an OpenID client to utilize OpenID services for a user, the client needs to register with the OpenID provider to aquire a client ID and shared secret. This document describes how a new client can register with the provider, and how a client allready in posetion of a client_id can retreve updated registration information. The Client Registration endpoint may be co-resident with the token endpoint as an optimization in some deplyments.

An application obtaining authorization and making protected resource requests. A human resource owner. A human resource owner that is the target of a request in Simple Web Discovery. Authorization Servers that are able to support OpenID Connect Messages. Client and Resource Servers. The Authorization Server's endpoint capable of authenticating the End-User and obtaining authorization. An unique identifier that the client uses to identify itself to the OP. The Authorization Server's HTTP endpoint capable of issuing tokens. End-User Authentication, Authorization, and Token Endpoint. The endpoint to which the OP responses are returned through redirect. A protected resource that when presented with a token by the client returns authorized information about the current user. An Identifier is either a "http" or "https" URI, (commonly referred to as a "URL" within this document), or an account URI. This document defines various kinds of Identifiers, designed for use in different contexts.

OpenID Connect uses the registration_endpoint from the Provider Configuration Response Sec 4.2.

The Client Registration Endpoint returns registration information for the client to configure itself for the openID provider.

Clients MAY send POST requests with the following parameters form encoded in the POST body to the Client Registration Endpoint. REQUIRED values "client_associate", "client_update" OPTIONAL. used with "client_update" OPTIONAL used with "client_update" OPTIONAL comma separated list email addresses for people allowed to administer the application. OPTIONAL "native" or "web" OPTIONAL Name of the application to be presented to the user. OPTIONAL url that a logo for the application can be retreved from. OPTIONAL comma separated list of redirect URL OPTIONAL comma separated list of Java Script Origins (used for Post Message flow) OPTIONAL URL for the RP's JSON Web Key

The response is returned as a JSON object with all the paramaters as top level elements. REQUIRED The unique client identifier REQUIRED The client secret. This should change with each response. REQUIRED The number of seconds that this id and secret are good for or "0" if it does not expire. The following is an example resp[onse.

This document makes no request of IANA. Note to RFC Editor: this section may be removed on publication as an RFC.

Since requests to the client registration endpoint result in the transmission of clear-text credentials (in the HTTP request and response), the server MUST require the use of a transport-layer security mechanism when sending requests to the token endpoint. The server MUST support TLS 1.2 as defined in [RFC5246], and MAY support additional transport-layer mechanisms meeting its security requirements.