[mitreid-connect] Disabling Dynamic Client Registration
Luiz Omori
luiz.omori at duke.edu
Mon Apr 25 11:50:57 EDT 2016
I kind of found a workaround: if the configuration below is commented out in application-context.xml then all calls to the dynamic registration endpoint fail as unauthorized. The only thing is that the dynamic registration UI is still displayed and will fail silently.
<security:http pattern="/#{T(org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
    <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
    <security:expression-handler ref="oauthWebExpressionHandler" />
    <security:intercept-url pattern="/register/**" access="permitAll"/>
</security:http>
Regards,
Luiz
From: Luiz Omori <luiz.omori at duke.edu>
Date: Monday, April 25, 2016 at 10:49 AM
To: "Drozdetski, Stan A." <drozdetski at mitre.org>, Justin Richer <jricher at mit.edu>, "mitreid-connect at mit.edu" <mitreid-connect at mit.edu>
Subject: Re: [mitreid-connect] Disabling Dynamic Client Registration
Thanks. I believe my version (1.2.2) is different than yours. In my case the second option that you are referring to as “allow dynamic registration” is actually “restricted” and it looks like in this case it should be checked.
In any case, playing with scopes this way won’t work well for us.
Regards,
Luiz
From: "Drozdetski, Stan A." <drozdetski at mitre.org>
Date: Monday, April 25, 2016 at 10:35 AM
To: Justin Richer <jricher at mit.edu>, Luiz Omori <luiz.omori at duke.edu>, "mitreid-connect at mit.edu" <mitreid-connect at mit.edu>
Subject: RE: [mitreid-connect] Disabling Dynamic Client Registration
FWIW, you can curtail (not disable) dynamic client registration by unchecking BOTH “default scope” and “allow dynamic registration” on the System Scopes screen. That way, dynamically-registered clients will not be given access to useful scopes.
Stan Drozdetski
Extranet Integration Lead
Center for Information and Technology
781-271-3324
From: mitreid-connect-bounces at mit.edu [mailto:mitreid-connect-bounces at mit.edu] On Behalf Of Justin Richer
Sent: Saturday, April 23, 2016 8:44 AM
To: Luiz Omori <luiz.omori at duke.edu>; mitreid-connect at mit.edu
Subject: Re: [mitreid-connect] Disabling Dynamic Client Registration
No it has not.
-- Justin
On 4/22/2016 4:38 PM, Luiz Omori wrote:
Hi,
We would like to disable dynamic client registration. There is this somewhat old thread about it: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/15. Has the configuration switch mentioned there been created?
Regards,
Luiz
_______________________________________________
mitreid-connect mailing list
mitreid-connect at mit.edu
http://mailman.mit.edu/mailman/listinfo/mitreid-connect
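
An added example, not part of the thread or of the MITREid Connect project: a static check that the security:http block quoted in the first message is no longer active in an application-context.xml. The sample context, the function name and the marker constant are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SEC = "{http://www.springframework.org/schema/security}"
# Marker taken from the pattern attribute quoted in the thread.
ENDPOINT_MARKER = "DynamicClientRegistrationEndpoint"


def open_registration_blocks(context_xml):
    """Return (http pattern, intercept-url pattern) pairs for active
    <security:http> blocks that expose dynamic registration via permitAll."""
    root = ET.fromstring(context_xml)  # XML comments are dropped by the parser
    findings = []
    for http in root.iter(SEC + "http"):
        pattern = http.get("pattern", "")
        if ENDPOINT_MARKER not in pattern:
            continue
        for rule in http.iter(SEC + "intercept-url"):
            if rule.get("access", "").strip() == "permitAll":
                findings.append((pattern, rule.get("pattern")))
    return findings


# Constructed sample: a minimal context wrapping the block from the thread.
BLOCK = '''<security:http pattern="/#{T(org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
    <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    <security:intercept-url pattern="/register/**" access="permitAll"/>
  </security:http>'''
TEMPLATE = '''<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
  %s
</beans>'''

ENABLED = TEMPLATE % BLOCK                      # block active
DISABLED = TEMPLATE % ("<!-- " + BLOCK + " -->")  # block commented out

if __name__ == "__main__":
    for name, xml in (("enabled", ENABLED), ("disabled", DISABLED)):
        hits = open_registration_blocks(xml)
        print(name, "->", hits or "registration block not active")
```

A clean result here only describes the configuration file; the behaviour reported in the first message (calls failing as unauthorized) still has to be confirmed against the deployed endpoint.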