Hi Tharika, Have you decided on the security of this endpoint?
Thanks, NuwanD. On Thu, Feb 4, 2016 at 9:52 PM, Tharika Madurapperuma <[email protected]> wrote: > Hi All, > > We are planning of $subject. > > In some use cases, it is desirable or necessary to allow OAuth clients to > obtain authorization from an authorization server without the two parties > having previously interacted. Therefore in order for the authorization > server to accurately represent to end users which client is seeking > authorization to access the end user’s resources, a method for automatic > and unique registration of clients is needed. This is where the Dynamic > Client Registration protocol comes into play. > > The RFC related to this feature can be found in [1] > > *Problem* > > Currently, we have implementations for DCR in products like WSO2 API > Manager and WSO2 Enterprise Mobility Manager. This leads to a duplication > of the functionality. Since this feature should ideally reside in the WSO2 > Identity Server, we are trying to move it to their code base so that it > will be available to the entire WSO2 platform. > > *Solution* > > We are trying to implement it so that the endpoint for registering and > unregistering an OAuth client will be available through the oauth2 web app > being deployed through the Identity Server. > > > This feature is implemented as an OSGi service. The endpoint details will > be as follows. > > > Registering an OAuth 2.0 client application will take place through a POST > request to the registration endpoint. For example see the following sample > request, > > > POST *oauth2/oauthdcr* HTTP/1.1 > Content-Type: application/json > > { > "callbackUrl": "www.google.lk", > "clientName": "MyApp", //OAuth application name > "tokenScope": "Production", > "owner": "admin", //User name of application owner > "grantType": "password refresh_token", //space separated grant-type > list > "saasApp" :true //indicates whether this is a SaaS app or not > } > > > Upon successful registration you'll receive a json payload including the > client-name, client-id, client-secret and the callback-url. > > > Similarly unregistering an OAuth 2.0 client application will take place > through a DELETE request to the registration endpoint with the > applicationName, userId(username of the application owner) and the > consumerKey taken in as query parameters in the request. > > [1] https://tools.ietf.org/html/rfc7591 > > > Tharika Madurapperuma > Intern - Software Engineering > WSO2, Inc. > Mobile : +94777-875-624 > -- Nuwan Dias Technical Lead - WSO2, Inc. http://wso2.com email : [email protected] Phone : +94 777 775 729
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
