[mitreid-connect] Disabling Dynamic Client Registration

Luiz Omori luiz.omori at duke.edu
Mon Apr 25 11:50:57 EDT 2016


I kind of found a workaround: if the configuration below is commented out in application-context.xml then all calls to the dynamic registration endpoint fail as unauthorized. The only thing is that the dynamic registration UI is still displayed and will fail silently.

<security:http pattern="/#{T(org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
    <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
    <security:expression-handler ref="oauthWebExpressionHandler" />
    <security:intercept-url pattern="/register/**" access="permitAll"/>
</security:http>


Regards,
Luiz

From: Luiz Omori <luiz.omori at duke.edu>
Date: Monday, April 25, 2016 at 10:49 AM
To: "Drozdetski, Stan A." <drozdetski at mitre.org>, Justin Richer <jricher at mit.edu>, "mitreid-connect at mit.edu" <mitreid-connect at mit.edu>
Subject: Re: [mitreid-connect] Disabling Dynamic Client Registration

Thanks. I believe my version (1.2.2) is different than yours. In my case the second option that you are referring to as “allow dynamic registration” is actually “restricted” and it looks like in this case it should be checked.

In any case, playing with scopes this way won’t work well for us.


Regards,
Luiz

From: "Drozdetski, Stan A." <drozdetski at mitre.org>
Date: Monday, April 25, 2016 at 10:35 AM
To: Justin Richer <jricher at mit.edu>, Luiz Omori <luiz.omori at duke.edu>, "mitreid-connect at mit.edu" <mitreid-connect at mit.edu>
Subject: RE: [mitreid-connect] Disabling Dynamic Client Registration

FWIW, you can curtail (not disable) dynamic client registration by unchecking BOTH “default scope” and “allow dynamic registration” on the System Scopes screen. That way, dynamically-registered clients will not be given access to useful scopes.

Stan Drozdetski
Extranet Integration Lead
Center for Information and Technology
781-271-3324


From: mitreid-connect-bounces at mit.edu [mailto:mitreid-connect-bounces at mit.edu] On Behalf Of Justin Richer
Sent: Saturday, April 23, 2016 8:44 AM
To: Luiz Omori <luiz.omori at duke.edu>; mitreid-connect at mit.edu
Subject: Re: [mitreid-connect] Disabling Dynamic Client Registration

No it has not.

 -- Justin
On 4/22/2016 4:38 PM, Luiz Omori wrote:
Hi,

We would like to disable dynamic client registration. There is this somewhat old thread about it: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/15. Has the configuration switch mentioned there been created?

Regards,
Luiz
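
Added example (not part of the original thread and not MITREid Connect code): a Python check that a Spring context file no longer carries an active permitAll block for the dynamic registration endpoint, so the commented-out workaround above can be verified after a rebuild or upgrade. The sample XML is constructed from the block quoted in the message; the function name and the wrapping <beans> element are assumptions.

```python
import xml.etree.ElementTree as ET

SEC_NS = "http://www.springframework.org/schema/security"
# Marker taken from the pattern attribute quoted in the message above.
ENDPOINT_MARKER = "DynamicClientRegistrationEndpoint"


def open_registration_blocks(context_xml: str) -> list[str]:
    """Return the pattern of each active <security:http> block that targets the
    dynamic registration endpoint and holds a permitAll intercept-url.
    The parser drops XML comments, so a commented-out block is not reported."""
    root = ET.fromstring(context_xml)
    found = []
    for http in root.iter(f"{{{SEC_NS}}}http"):
        pattern = http.get("pattern", "")
        if ENDPOINT_MARKER not in pattern:
            continue
        for rule in http.iter(f"{{{SEC_NS}}}intercept-url"):
            if rule.get("access", "").strip() == "permitAll":
                found.append(pattern)
                break
    return found


# Constructed sample input: the block from the message inside a minimal
# <beans> wrapper (assumed), once active and once commented out.
PATTERN = "/#{T(org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**"
BLOCK = (
    '<security:http pattern="' + PATTERN + '" use-expressions="true" '
    'entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">\n'
    '  <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />\n'
    '  <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />\n'
    '  <security:expression-handler ref="oauthWebExpressionHandler" />\n'
    '  <security:intercept-url pattern="/register/**" access="permitAll"/>\n'
    '</security:http>'
)
HEAD = ('<beans xmlns="http://www.springframework.org/schema/beans" '
        'xmlns:security="' + SEC_NS + '">\n')
TAIL = "\n</beans>"
ACTIVE = HEAD + BLOCK + TAIL
COMMENTED = HEAD + "<!--\n" + BLOCK + "\n-->" + TAIL

if __name__ == "__main__":
    for name, doc in (("active", ACTIVE), ("commented out", COMMENTED)):
        hits = open_registration_blocks(doc)
        print(f"{name}: {'EXPOSED ' + str(hits) if hits else 'no open registration block'}")
```

To use it on a deployment, pass the contents of the deployed application-context.xml to open_registration_blocks() and fail the build when the list is non-empty.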



