Dynamic Client Profile
9. Dynamic Client Profile
IBM Security Verify Access OIDC Provider supports the following configuration for dynamic client registration .
| Name | Description | Valid Value | Mandatory | Default |
|---|---|---|---|---|
| recipe | Security profile to be used, option Default, FAPI_DEFAULT, FAPI_UK-OB, FAPI_AU-CDR | No | ||
| mappingrule_id | Dynamic registration-mapping rule ID. | string | No | |
| software_statement_validation | Software statement validation settings. | Software Statement Validation | ||
| registration_endpoint_authentication | Authentication settings for POST operation. | Registration Endpoint Authentication | ||
| management_endpoint_authentication | Authentication settings for PUT/GET/DELETE operations. | Management Endpoint Authentication | ||
| registration_access_token | Registration access token settings. | Registration Access Token |
9.1. Software Statement Validation
The following table contains settings that validate the software statement signature.
Further validation of the software statement can be done in the mapping rule.
| Name | Description | Valid Value |
|---|---|---|
| jwks_uri | Jwks URI containing the public key that is needed to validate the software statement signature. | string |
| signing_algs | Accepted signing algorithms. | string[] |
9.2. Registration Endpoint Authentication
These settings are only applicable for POST operation.
| Name | Description | Valid Value |
|---|---|---|
| require_mtls | Specifies whether the endpoint requires MTLS. | boolean |
| require_bearer_token | Specifies whether the endpoint requires bearer token. | boolean |
| require_software_statement | Specifies whether the endpoint requires software statement. | boolean |
| allow_custom_client_creds | Only for POST. Specifies whether to accept client_id/client_secret in the POST payload. | boolean |
9.3. Management Endpoint Authentication
The following settings apply to PUT, GET, and DELETE operation, unless stated otherwise.
| Name | Description | Valid Value |
|---|---|---|
| require_mtls | Specifies whether the endpoint requires MTLS. | boolean |
| require_bearer_token | Specifies whether the endpoint requires bearer token. | boolean |
| require_software_statement | Specifies whether the endpoint requires software statement. This setting applies to the PUT operation only. | boolean |
9.4. Registration Access Token
| Name | Description | Valid Value |
|---|---|---|
| generate | Specifies whether to produce registration access token as part of POST/PUT/GET operations. | boolean |
| lifetime | Specifies the lifetime of the registration access token. | integer |
| scopes | Specify the access token scopes. All scopes specified here are mandatory. Unauthorized if any scope is not present in the access token. | string[] |
dynamic_registration:
recipe: FAPI_UK-OB # Security profile to use, option Default, FAPI_DEFAULT, FAPI_UK-OB, FAPI_AU-CDR
mappingrule_id: dcr # Dynamic registration mapping rule ID.
software_statement_validation: # Software statement validation settings.
jwks_uri: http://172.16.123.1:3000/jwks/obdirectory # Jwks URI containing the public key required to validate the software statement signature.
signing_algs: # Accepted signing algorithms.
- ES256
registration_endpoint_authentication: # Authentication settings for POST operation.
require_mtls: true # Specifies whether the endpoint requires MTLS.
require_bearer_token: true # Specifies whether the endpoint requires bearer token.
require_software_statement: false # Specifies whether the endpoint requires software statement.
allow_custom_client_creds: true # Only for POST. Specifies whether to accept client_id/client_secret in the POST payload.
management_endpoint_authentication: # Authentication settings for PUT/GET/DELETE operations.
require_mtls: false # Specifies whether the endpoint requires MTLS.
require_bearer_token: true # Specifies whether the endpoint requires bearer token.
require_software_statement: false # Specifies whether the endpoint requires software statement. This is only applicable for PUT operation.
registration_access_token: # Registration access token settings.
generate: true # Specifies whether to produce registration access token as part of POST/PUT/GET operations.
lifetime: 86400 # Specifies the lifetime of the registration access token.
scopes: # Specify the scopes required by the access token. All scopes specified here are mandatory. Unauthorized if any scope is not present in the access token.
- cdr:registration
Updated about 2 years ago