Dynamic Client Profile

9. Dynamic Client Profile

IBM Verify Identity Access OIDC Provider supports the following configuration for dynamic client registration .

Name	Description	Valid Value	Mandatory
recipe	Security profile to be used, option Default, FAPI_DEFAULT, FAPI_UK-OB, FAPI_AU-CDR	No
mappingrule_id	Dynamic registration-mapping rule ID.	string	No
software_statement_validation	Software statement validation settings.	Software Statement Validation
registration_endpoint_authentication	Authentication settings for POST operation.	Registration Endpoint Authentication
management_endpoint_authentication	Authentication settings for PUT/GET/DELETE operations.	Management Endpoint Authentication
registration_access_token	Registration access token settings.	Registration Access Token

9.1. Software Statement Validation

The following table contains settings that validate the software statement signature.
Further validation of the software statement can be done in the mapping rule.

Name	Description	Valid Value
jwks_uri	Jwks URI containing the public key that is needed to validate the software statement signature.	string
signing_algs	Accepted signing algorithms.	string[]

9.2. Registration Endpoint Authentication

These settings are only applicable for POST operation.

Name	Description	Valid Value
require_mtls	Specifies whether the endpoint requires MTLS.	boolean
require_bearer_token	Specifies whether the endpoint requires bearer token.	boolean
require_software_statement	Specifies whether the endpoint requires software statement.	boolean
allow_custom_client_creds	Only for POST. Specifies whether to accept `client_id/client_secret` in the POST payload.	boolean

9.3. Management Endpoint Authentication

The following settings apply to PUT, GET, and DELETE operation, unless stated otherwise.

Name	Description	Valid Value
require_mtls	Specifies whether the endpoint requires MTLS.	boolean
require_bearer_token	Specifies whether the endpoint requires bearer token.	boolean
allow_client_secret_update	Specifies whether to accept `client_secret` in the PUT payload and update the existing client_secret. Only for PUT.	boolean
require_software_statement	Specifies whether the endpoint requires software statement. This setting applies to the PUT operation only.	boolean

9.4. Registration Access Token

Name	Description	Valid Value
generate	Specifies whether to produce registration access token as part of POST/PUT/GET operations.	boolean
lifetime	Specifies the lifetime of the registration access token.	integer
scopes	Specify the access token scopes. All scopes specified here are mandatory. Unauthorized if any scope is not present in the access token.	string[]

dynamic_registration:
  recipe: FAPI_UK-OB                                        # Security profile to use, option Default, FAPI_DEFAULT, FAPI_UK-OB, FAPI_AU-CDR
  mappingrule_id: dcr                                       # Dynamic registration mapping rule ID.
  software_statement_validation:                            # Software statement validation settings.
    jwks_uri: http://172.16.123.1:3000/jwks/obdirectory     # Jwks URI containing the public key required to validate the software statement signature.
    signing_algs:                                           # Accepted signing algorithms.
      - ES256
  registration_endpoint_authentication:                     # Authentication settings for POST operation.
    require_mtls: true                                      # Specifies whether the endpoint requires MTLS.
    require_bearer_token: true                              # Specifies whether the endpoint requires bearer token.
    require_software_statement: false                       # Specifies whether the endpoint requires software statement.
    allow_custom_client_creds: true                         # Only for POST. Specifies whether to accept client_id/client_secret in the POST payload.
  management_endpoint_authentication:                       # Authentication settings for PUT/GET/DELETE operations.
    require_mtls: false                                     # Specifies whether the endpoint requires MTLS.
    require_bearer_token: true                              # Specifies whether the endpoint requires bearer token.
    require_software_statement: false                       # Specifies whether the endpoint requires software statement. This is only applicable for PUT operation.
    allow_client_secret_update: false                       # Specifies whether client_secret can be updated. This is only applicable for PUT operation.
  registration_access_token:                                # Registration access token settings.
    generate: true                                          # Specifies whether to produce registration access token as part of POST/PUT/GET operations.
    lifetime: 86400                                         # Specifies the lifetime of the registration access token.
    scopes:                                                 # Specify the scopes required by the access token. All scopes specified here are mandatory. Unauthorized if any scope is not present in the access token.
      - cdr:registration