[mitreid-connect] Disabling Dynamic Client Registration

Luiz Omori luiz.omori at duke.edu
Mon Apr 25 12:15:20 EDT 2016


In our case we just want to disable the endpoint. We are not really concerned about it being listed in the discovery document and don’t care much if the UI fails. Our users (internal only) would be instructed to not use that feature.

From: Justin Richer <jricher at mit.edu>
Date: Monday, April 25, 2016 at 12:09 PM
To: Luiz Omori <luiz.omori at duke.edu>
Cc: "Stan A. Drozdetski" <drozdetski at mitre.org>, "mitreid-connect at mit.edu" <mitreid-connect at mit.edu>
Subject: Re: [mitreid-connect] Disabling Dynamic Client Registration

There are a handful of other small hooks, like publication of the registration endpoint in the discovery document. You’d want all of those, including the UI, to be tied together with the same configuration.

 — Justin

On Apr 25, 2016, at 9:04 AM, Luiz Omori <luiz.omori at duke.edu> wrote:

Assuming you are not talking about the UI piece, can you elaborate on the “incomplete” part?

Regards,
Luiz

From: Justin Richer <jricher at mit.edu>
Date: Monday, April 25, 2016 at 11:57 AM
To: Luiz Omori <luiz.omori at duke.edu>
Cc: "Stan A. Drozdetski" <drozdetski at mitre.org>, "mitreid-connect at mit.edu" <mitreid-connect at mit.edu>
Subject: Re: [mitreid-connect] Disabling Dynamic Client Registration

Not only is this an incomplete solution, we also don’t recommend playing with application-context.xml as it’s not designed to be overridden in local configurations.

 — Justin


On Apr 25, 2016, at 8:50 AM, Luiz Omori <luiz.omori at duke.edu> wrote:

I kind of found a workaround: if the configuration below is commented out in application-context.xml then all calls to the dynamic registration endpoint fail as unauthorized. The only thing is that the dynamic registration UI is still displayed and will fail silently.

<security:http pattern="/#{T(org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
  <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
  <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
  <security:expression-handler ref="oauthWebExpressionHandler" />
  <security:intercept-url pattern="/register/**" access="permitAll"/>
</security:http>


Regards,
Luiz

From: Luiz Omori <luiz.omori at duke.edu>
Date: Monday, April 25, 2016 at 10:49 AM
To: "Drozdetski, Stan A." <drozdetski at mitre.org>, Justin Richer <jricher at mit.edu>, "mitreid-connect at mit.edu" <mitreid-connect at mit.edu>
Subject: Re: [mitreid-connect] Disabling Dynamic Client Registration

Thanks. I believe my version (1.2.2) is different than yours. In my case the second option that you are referring to as “allow dynamic registration” is actually “restricted” and it looks like in this case it should be checked.

In any case, playing with scopes this way won’t work well for us.

Regards,
Luiz

From: "Drozdetski, Stan A." <drozdetski at mitre.org>
Date: Monday, April 25, 2016 at 10:35 AM
To: Justin Richer <jricher at mit.edu>, Luiz Omori <luiz.omori at duke.edu>, "mitreid-connect at mit.edu" <mitreid-connect at mit.edu>
Subject: RE: [mitreid-connect] Disabling Dynamic Client Registration

FWIW, you can curtail (not disable) dynamic client registration by unchecking BOTH “default scope” and “allow dynamic registration” on the System Scopes screen. That way, dynamically-registered clients will not be given access to useful scopes.

Stan Drozdetski
Extranet Integration Lead
Center for Information and Technology
781-271-3324

From: mitreid-connect-bounces at mit.edu [mailto:mitreid-connect-bounces at mit.edu] On Behalf Of Justin Richer
Sent: Saturday, April 23, 2016 8:44 AM
To: Luiz Omori <luiz.omori at duke.edu>; mitreid-connect at mit.edu
Subject: Re: [mitreid-connect] Disabling Dynamic Client Registration

No it has not.

 -- Justin
On 4/22/2016 4:38 PM, Luiz Omori wrote:
Hi,

We would like to disable dynamic client registration. There is this somewhat old thread about it: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/15. Has the configuration switch mentioned there been created?

Regards,
Luiz
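
Added example (not part of the thread and not MITREid Connect code): a Python check for the state discussed above, where the registration endpoint rejects calls while the discovery document may still publish it. The names audit_registration and http_probe, the status codes treated as blocked, and the idp.example.org discovery document are assumptions constructed for illustration.

```python
import json
import urllib.error
import urllib.request

# Assumption: these statuses mean "registration is not reachable anonymously".
BLOCKED = {401, 403, 404}

# Constructed sample discovery document (hypothetical issuer).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.org/openid/",
  "registration_endpoint": "https://idp.example.org/openid/register"
}""")

def http_probe(url):
    """Send an unauthenticated POST with an empty JSON body; return the status."""
    req = urllib.request.Request(url, data=b"{}", method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit_registration(discovery, probe=http_probe):
    """Compare what discovery publishes with how the endpoint answers."""
    issuer = discovery["issuer"].rstrip("/")
    advertised = discovery.get("registration_endpoint")
    # Fall back to the /register path shown in the thread's intercept-url rule.
    url = advertised or issuer + "/register"
    status = probe(url)
    blocked = status in BLOCKED
    findings = []
    if not blocked:
        findings.append(f"registration reachable at {url} (HTTP {status})")
    if advertised and blocked:
        findings.append("discovery still advertises an endpoint that rejects calls")
    if not advertised and not blocked:
        findings.append("endpoint answers although discovery does not list it")
    return {"url": url, "status": status, "blocked": blocked, "findings": findings}

if __name__ == "__main__":
    # Stub probe reproducing the "fail as unauthorized" behaviour from the thread.
    print(audit_registration(SAMPLE_DISCOVERY, probe=lambda url: 401))
```

To check a real deployment, pass the parsed /.well-known/openid-configuration document of your own server and leave probe at its default.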



