OAuth Clients must register with the Authorization Server before any transactions may occur.

Before an OAuth Client can request access to Protected Resource on a Resource Server, the OAuth Client must first register with the Authorization Server associated with the Resource Server.

OAuth 2.0 Client Registration is typically a one-time task. Once registered, the registration remains valid, unless the OAuth Client registration is revoked.

At OAuth 2.0 Client Registration the OAuth Client is assigned a Client_id and a Client Secret (password) by the Authorization Server.

The Client_id and Client Secret are unique to the OAuth Client on that Authorization Server.

If an OAuth Client registers with multiple Authorization Servers (e.g. Facebook, Twitter and Google), each Authorization Server will issue its own, different Client ID to the OAuth Client application.

Whenever the OAuth Client requests access to resources stored on that Resource Server, the OAuth Client needs to authenticate itself by sending the Client ID and the Client Secret to the Authorization Server.

During the registration the OAuth Client also registers a redirect_uri. This redirect_uri is used when a Resource Owner grants Authorization to the OAuth Client. When a Resource Owner has successfully Authorized the OAuth Client via the Authorization Server, the Resource Owner is redirected back to the OAuth Client's redirect_uri.

OAuth 2.0 Client Registration must be done outside of The OAuth 2.0 Authorization Framework.

Open or managed registration#

Access to the client registration endpoint can be open or managed:
  • Open registration — Registration is open to all OAuth Clients. This is intended for social Login providers as well as for Identity Providers (IDPs) and services that are set up for automatic discovery. Requests should be rate limited to prevent DoS attacks.
  • Managed registration — An initial OAuth 2.0 Access Token is required for registration. The Access Token is issued after the client application has passed an approval or screening process.
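As an added example that is not from the original page or from any OAuth implementation: a minimal in-memory model, in Python, of the Authorization Server's side of what is described above, namely the client_id and client_secret issued at registration, the registered redirect_uri, open registration with rate limiting versus managed registration gated by a one-time initial Access Token, and the two checks the server later makes against the stored record (client authentication, and exact matching of the redirect_uri presented in an authorization request). The field names client_id, client_secret, redirect_uris and client_id_issued_at follow the RFC 7591 dynamic registration response; the class and method names, the rate-limit numbers and the sample token are assumptions made for this example.

```python
# Added example (not the page's or any project's code): a toy Authorization
# Server client registry.  Field names follow RFC 7591; everything else here
# (class/method names, limits, sample values) is an assumption for illustration.
import hmac
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import urlsplit


class RegistrationError(Exception):
    """Raised when a registration request is rejected."""


@dataclass
class ClientRecord:
    client_id: str
    client_secret: str
    redirect_uris: list
    client_id_issued_at: int
    revoked: bool = False          # a revoked registration must fail every later check


@dataclass
class ClientRegistry:
    """Client registry for one Authorization Server.

    mode: "open" (anyone may register, rate limited) or "managed" (the caller
    must present a valid initial access token, consumed on use).
    """
    mode: str = "managed"
    initial_access_tokens: set = field(default_factory=set)
    max_open_registrations_per_minute: int = 10   # assumed limit for the example
    _clients: dict = field(default_factory=dict)
    _open_window: list = field(default_factory=list)

    @staticmethod
    def _valid_redirect_uri(uri: str) -> bool:
        # Registration is where the redirect_uri gets pinned: accept only absolute
        # https URIs (http only to loopback for local development), never a fragment.
        parts = urlsplit(uri)
        if parts.fragment or not parts.netloc:
            return False
        if parts.scheme == "https":
            return True
        return parts.scheme == "http" and parts.hostname in ("localhost", "127.0.0.1")

    def register(self, redirect_uris, initial_access_token=None, now=None) -> ClientRecord:
        now = time.time() if now is None else now
        # Validate the request before consuming a token or a rate-limit slot.
        if not redirect_uris or not all(self._valid_redirect_uri(u) for u in redirect_uris):
            raise RegistrationError("invalid redirect_uris")
        if self.mode == "managed":
            if initial_access_token not in self.initial_access_tokens:
                raise RegistrationError("managed registration requires an initial access token")
            self.initial_access_tokens.discard(initial_access_token)   # one-time use
        else:
            # Open registration: sliding one-minute window against registration floods.
            self._open_window = [t for t in self._open_window if now - t < 60]
            if len(self._open_window) >= self.max_open_registrations_per_minute:
                raise RegistrationError("rate limit exceeded")
            self._open_window.append(now)
        record = ClientRecord(
            client_id=secrets.token_urlsafe(16),       # issued by the server, unique here
            client_secret=secrets.token_urlsafe(32),   # the client's "password"
            redirect_uris=list(redirect_uris),
            client_id_issued_at=int(now),
        )
        self._clients[record.client_id] = record
        return record

    def revoke(self, client_id: str) -> None:
        self._clients[client_id].revoked = True

    def authenticate_client(self, client_id: str, client_secret: str) -> bool:
        """Check a client_id/client_secret pair presented on a later token request."""
        record = self._clients.get(client_id)
        if record is None or record.revoked:
            hmac.compare_digest(client_secret.encode(), b"")   # keep timing similar
            return False
        return hmac.compare_digest(record.client_secret.encode(), client_secret.encode())

    def redirect_uri_allowed(self, client_id: str, redirect_uri: str) -> bool:
        """Exact-string match against the registered list; no prefix or wildcard matching."""
        record = self._clients.get(client_id)
        if record is None or record.revoked:
            return False
        return redirect_uri in record.redirect_uris


if __name__ == "__main__":
    # Constructed sample values for a local run.
    registry = ClientRegistry(mode="managed", initial_access_tokens={"iat-demo"})
    rec = registry.register(["https://app.example/callback"], initial_access_token="iat-demo")
    print(rec.client_id, registry.authenticate_client(rec.client_id, rec.client_secret))
```

Two design points worth noticing when reading the code: the initial Access Token is consumed on first use, so a leaked token cannot be replayed to register further clients, and the redirect_uri check is an exact match, so a URI that differs only by query string, path suffix or fragment is refused rather than treated as "close enough".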

Manual or Dynamic#

In addition to Open or Managed, OAuth 2.0 Client Registration can also be Manual or Dynamic:

OAuth 2.0 Client Registration specs[1]#

The importance of having a standard server endpoint for client registration was recognised early on by the WGs behind OAuth 2.0 and OpenID Connect. They have published the following documents to address this:

« This page (revision-10) was last changed on 11-Sep-2016 11:00 by jim