<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>
<div>
<div>I kind of found a workaround: if the configuration below is commented out in application-context.xml then all calls to the dynamic registration endpoint fail as unauthorized. The only thing is that the dynamic registration UI is still displayed and will
fail silently.</div>
<div><br>
</div>
<div>
<pre><security:http pattern="/#{T(org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
    <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
    <security:expression-handler ref="oauthWebExpressionHandler" />
    <security:intercept-url pattern="/register/**" access="permitAll"/>
</security:http></pre>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Regards,</div>
<div>Luiz</div>
</div>
</div>
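<div>Added example, not part of the original thread or of the MITREid Connect code base: a small audit that reports whether the <code>security:http</code> block quoted in the message above is still active with a <code>permitAll</code> rule, so a deployment can confirm the workaround after an upgrade or merge. The sample context, the function name, and treating a literal <code>/register</code> chain pattern as the registration endpoint are assumptions.</div>

```python
import xml.etree.ElementTree as ET

SEC = "{http://www.springframework.org/schema/security}"

# Constructed sample: the block quoted in the message, inside a minimal <beans> root.
BLOCK = '''
<security:http pattern="/#{T(org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**"
    use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
  <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
  <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
  <security:expression-handler ref="oauthWebExpressionHandler" />
  <security:intercept-url pattern="/register/**" access="permitAll"/>
</security:http>
'''
HEAD = ('<beans xmlns="http://www.springframework.org/schema/beans" '
        'xmlns:security="http://www.springframework.org/schema/security">')
ACTIVE = HEAD + BLOCK + "</beans>"
COMMENTED_OUT = HEAD + "<!--" + BLOCK + "-->" + "</beans>"


def open_registration_chains(context_xml):
    """Return the active <security:http> chains that cover the dynamic
    registration endpoint and still contain a permitAll intercept-url."""
    findings = []
    # ElementTree discards XML comments, so a commented-out block is not
    # reported, just as the XML parser never hands it to Spring.
    for http in ET.fromstring(context_xml).iter(SEC + "http"):
        pattern = http.get("pattern", "")
        # Assumption: a chain is "the registration chain" if it references the
        # endpoint class (as in the thread) or uses a literal /register pattern.
        if ("DynamicClientRegistrationEndpoint" not in pattern
                and not pattern.startswith("/register")):
            continue
        open_rules = [rule.get("pattern")
                      for rule in http.findall(SEC + "intercept-url")
                      if (rule.get("access") or "").strip() == "permitAll"]
        if open_rules:
            findings.append({"chain": pattern, "permit_all": open_rules})
    return findings


if __name__ == "__main__":
    for name, xml in (("active", ACTIVE), ("commented out", COMMENTED_OUT)):
        result = open_registration_chains(xml)
        print(name, "->", result or "no open registration chain")
```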
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Luiz Omori <<a href="mailto:luiz.omori@duke.edu">luiz.omori@duke.edu</a>><br>
<span style="font-weight:bold">Date: </span>Monday, April 25, 2016 at 10:49 AM<br>
<span style="font-weight:bold">To: </span>"Drozdetski, Stan A." <<a href="mailto:drozdetski@mitre.org">drozdetski@mitre.org</a>>, Justin Richer <<a href="mailto:jricher@mit.edu">jricher@mit.edu</a>>, "<a href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a>"
<<a href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [mitreid-connect] Disabling Dynamic Client Registration<br>
</div>
<div><br>
</div>
<div>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div>
<div>Thanks. I believe my version (1.2.2) is different than yours. In my case the second option that you are referring to as “allow dynamic registration” is actually “restricted” and it looks like in this case it should be checked.</div>
<div><br>
</div>
<div>In any case, playing with scopes this way won’t work well for us.</div>
<div><br>
</div>
<div>[picture removed]</div>
<div><br>
</div>
<div>Regards,</div>
<div>Luiz</div>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>"Drozdetski, Stan A." <<a href="mailto:drozdetski@mitre.org">drozdetski@mitre.org</a>><br>
<span style="font-weight:bold">Date: </span>Monday, April 25, 2016 at 10:35 AM<br>
<span style="font-weight:bold">To: </span>Justin Richer <<a href="mailto:jricher@mit.edu">jricher@mit.edu</a>>, Luiz Omori <<a href="mailto:luiz.omori@duke.edu">luiz.omori@duke.edu</a>>, "<a href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a>"
<<a href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a>><br>
<span style="font-weight:bold">Subject: </span>RE: [mitreid-connect] Disabling Dynamic Client Registration<br>
</div>
<div><br>
</div>
<div xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<div bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">FWIW, you can curtail (not disable) dynamic client registration by unchecking BOTH “default scope” and “allow dynamic registration” on
the System Scopes screen. That way, dynamically-registered clients will not be given access to useful scopes.</p>
<div>
<p class="MsoNormal"><b>Stan Drozdetski</b></p>
<p class="MsoNormal">Extranet Integration Lead</p>
<p class="MsoNormal">Center for Information and Technology</p>
<p class="MsoNormal">781-271-3324</p>
</div>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> <a href="mailto:mitreid-connect-bounces@mit.edu">mitreid-connect-bounces@mit.edu</a>
[<a href="mailto:mitreid-connect-bounces@mit.edu">mailto:mitreid-connect-bounces@mit.edu</a>]
<b>On Behalf Of </b>Justin Richer<br>
<b>Sent:</b> Saturday, April 23, 2016 8:44 AM<br>
<b>To:</b> Luiz Omori <<a href="mailto:luiz.omori@duke.edu">luiz.omori@duke.edu</a>>;
<a href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a><br>
<b>Subject:</b> Re: [mitreid-connect] Disabling Dynamic Client Registration</p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">No it has not.<br>
<br>
-- Justin</p>
<div>
<p class="MsoNormal">On 4/22/2016 4:38 PM, Luiz Omori wrote:</p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">Hi,</p>
</div>
<div>
<p class="MsoNormal">We would like to disable dynamic client registration. There is this somewhat old thread about it: <a href="https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/15">https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/15</a>. Has
the configuration switch mentioned there been created?</p>
</div>
<div>
<p class="MsoNormal">Regards,</p>
</div>
<div>
<p class="MsoNormal">Luiz</p>
</div>
<pre>_______________________________________________</pre>
<pre>mitreid-connect mailing list</pre>
<pre><a href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a></pre>
<pre><a href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a></pre>
</blockquote>
</div>
</div>
</div>
</span></div>
</div>
</span>
</body>
</html>