[mitreid-connect] Disabling Dynamic Client Registration

Justin Richer jricher at mit.edu
Mon Apr 25 12:17:31 EDT 2016


In that case, your easiest move will be to add a restricted security:http block to your configuration that blocks all access to the registration endpoint, above the catch-all http block in user-context.xml. I haven’t tested this but I believe that a later security:http block will override an earlier one with the same specificity. 

 — Justin
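The restricted block Justin describes above, written out as an added example (not configuration from the project or from anyone in this thread): it reuses the endpoint pattern and bean names quoted later in the thread and assumes a Spring Security XML setup of the same shape. It must sit before the catch-all security:http element in user-context.xml, because Spring Security matches http elements in declaration order and the first matching pattern wins.

```xml
<!-- Added example, not from the MITREid Connect project. Place this element in
     user-context.xml ABOVE the catch-all <security:http> element: Spring Security
     evaluates <security:http> elements in declaration order, so this one claims
     the registration path before the catch-all block can. The pattern and bean
     names are the ones quoted in the thread and are assumed to exist unchanged. -->
<security:http pattern="/#{T(org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**"
               use-expressions="true"
               entry-point-ref="oauthAuthenticationEntryPoint"
               create-session="stateless">
    <!-- Keep CORS handling so browser preflight requests are answered cleanly -->
    <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
    <!-- denyAll rejects every request, authenticated or not: anonymous callers are
         sent to the OAuth entry point (401), authenticated ones get 403 -->
    <security:intercept-url pattern="/register/**" access="denyAll" />
</security:http>
```

After deploying, a POST to the /register path should come back 401 or 403 rather than creating a client; as noted elsewhere in the thread, the discovery document will still advertise the endpoint and the registration UI will still be shown.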

> On Apr 25, 2016, at 9:15 AM, Luiz Omori <luiz.omori at duke.edu> wrote:
> 
> In our case we just want to disable the endpoint. We are not really concerned about it being listed in the discovery document and don’t care much if the UI fails. Our users (internal only) would be instructed to not use that feature. 
> 
> From: Justin Richer <jricher at mit.edu>
> Date: Monday, April 25, 2016 at 12:09 PM
> To: Luiz Omori <luiz.omori at duke.edu>
> Cc: "Stan A. Drozdetski" <drozdetski at mitre.org>, "mitreid-connect at mit.edu" <mitreid-connect at mit.edu>
> Subject: Re: [mitreid-connect] Disabling Dynamic Client Registration
> 
> There are a handful of other small hooks, like publication of the registration endpoint in the discovery document. You’d want all of those, including the UI, to be tied together with the same configuration.
> 
>  — Justin
> 
>> On Apr 25, 2016, at 9:04 AM, Luiz Omori <luiz.omori at duke.edu> wrote:
>> 
>> Assuming you are not talking about the UI piece, can you elaborate on the “incomplete” part?
>> 
>> Regards,
>> Luiz
>> 
>> From: Justin Richer <jricher at mit.edu>
>> Date: Monday, April 25, 2016 at 11:57 AM
>> To: Luiz Omori <luiz.omori at duke.edu>
>> Cc: "Stan A. Drozdetski" <drozdetski at mitre.org>, "mitreid-connect at mit.edu" <mitreid-connect at mit.edu>
>> Subject: Re: [mitreid-connect] Disabling Dynamic Client Registration
>> 
>> Not only is this an incomplete solution, we also don’t recommend playing with application-context.xml as it’s not designed to be overridden in local configurations.
>> 
>>  — Justin
>> 
>> 
>>> On Apr 25, 2016, at 8:50 AM, Luiz Omori <luiz.omori at duke.edu> wrote:
>>> 
>>> I kind of found a workaround: if the configuration below is commented out in application-context.xml then all calls to the dynamic registration endpoint fail as unauthorized. The only thing is that the dynamic registration UI is still displayed and will fail silently.
>>> 
>>> <security:http pattern="/#{T(org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
>>>     <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
>>>     <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
>>>     <security:expression-handler ref="oauthWebExpressionHandler" />
>>>     <security:intercept-url pattern="/register/**" access="permitAll"/>
>>> </security:http>
>>> 
>>> 
>>> Regards,
>>> Luiz
>>> 
>>> From: Luiz Omori <luiz.omori at duke.edu>
>>> Date: Monday, April 25, 2016 at 10:49 AM
>>> To: "Drozdetski, Stan A." <drozdetski at mitre.org>, Justin Richer <jricher at mit.edu>, "mitreid-connect at mit.edu" <mitreid-connect at mit.edu>
>>> Subject: Re: [mitreid-connect] Disabling Dynamic Client Registration
>>> 
>>> Thanks. I believe my version (1.2.2) is different than yours. In my case the second option that you are referring to as “allow dynamic registration” is actually “restricted” and it looks like in this case it should be checked.
>>> 
>>> In any case, playing with scopes this way won’t work well for us.
>>> 
>>> Regards,
>>> Luiz
>>> 
>>> From: "Drozdetski, Stan A." <drozdetski at mitre.org>
>>> Date: Monday, April 25, 2016 at 10:35 AM
>>> To: Justin Richer <jricher at mit.edu>, Luiz Omori <luiz.omori at duke.edu>, "mitreid-connect at mit.edu" <mitreid-connect at mit.edu>
>>> Subject: RE: [mitreid-connect] Disabling Dynamic Client Registration
>>> 
>>> FWIW, you can curtail (not disable) dynamic client registration by unchecking BOTH “default scope” and “allow dynamic registration” on the System Scopes screen. That way, dynamically-registered clients will not be given access to useful scopes.
>>>  
>>> Stan Drozdetski
>>> Extranet Integration Lead
>>> Center for Information and Technology
>>> 781-271-3324
>>>  
>>>  
>>> From: mitreid-connect-bounces at mit.edu [mailto:mitreid-connect-bounces at mit.edu] On Behalf Of Justin Richer
>>> Sent: Saturday, April 23, 2016 8:44 AM
>>> To: Luiz Omori <luiz.omori at duke.edu>; mitreid-connect at mit.edu
>>> Subject: Re: [mitreid-connect] Disabling Dynamic Client Registration
>>>  
>>> No it has not.
>>> 
>>>  -- Justin
>>> 
>>> On 4/22/2016 4:38 PM, Luiz Omori wrote:
>>> Hi,
>>>  
>>> We would like to disable dynamic client registration. There is this somewhat old thread about it: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/15. Has the configuration switch mentioned there been created?
>>>  
>>> Regards,
>>> Luiz
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> mitreid-connect mailing list
>>> mitreid-connect at mit.edu
>>> http://mailman.mit.edu/mailman/listinfo/mitreid-connect
>> 
> 
