Using the Dynamic Client Registration and management Servlet

There are two parts to client management: RFC 7591, which covers creating a new client dynamically, and RFC 7592, which extends that to managing existing clients (get, update or delete).

There is also a native oa4mp facility that can be used. It is kept mostly for legacy purposes and can be ignored; it came into existence well before the RFCs were finalized. Unless you have clients that are using it, ignore it.

All of the api elements below live in the clientManagement element of the server configuration. Note that if you omit that element, the defaults are used and the endpoint is active.

Attributes of the api element (Required? / Default / Description):

anonymousOK
    Required: N    Default: false
    (RFC 7591 protocol only.) Allow anonymous POSTs to create a new client. Clients created this way are not approved automatically.

anonymousAllowedDomains
    Required: N    Default: *
    (RFC 7591 protocol only.) If anonymous registrations are allowed, you may restrict which hosts are permitted to make requests. This is a comma-separated list of hosts. The default "*" means that if it is not set, all hosts are allowed to make anonymous requests.

    E.g. anonymousAllowedDomains="localhost, ligo.bgsu.edu"

autoApprove
    Required: N    Default: false
    (RFC 7591 protocol only.) Whether or not to automatically approve anonymous requests. This may be required in highly automated systems with severely restricted access. Generally, though, setting it to true is a terrible idea and a security risk.

autoApproveAllowedDomains
    Required: N    Default: *
    (RFC 7591 protocol only.) If auto approval is enabled, you may restrict which hosts are permitted to make auto-approved requests. This is a comma-separated list of hosts. The default "*" means that if it is not set, all requests are auto approved.

autoApproverName
    Required: N    Default: auto-approved
    (RFC 7591 protocol only.) If autoApprove is true, this is the name recorded as the approver in the client approval store.

defaultRefreshTokenLifetime
    Required: N    Default: -1 (use the server default lifetime)
    RFC 7591: This value is used when no rt_lifetime is asserted. Some installs want all clients to have refresh tokens available, and the value -1 (use the server default) means that the behavior is the same as not asserting the access or identity token lifetimes.
    RFC 7592: If rt_lifetime is not asserted on update, this value is used. Some installs want this case to disable refresh tokens (set this to 0); some want it to behave like the other token lifetimes (set it to -1).

enabled
    Required: N    Default: true
    Whether or not to enable this api.

endpoint
    Required: N    Default: oidc-cm
    The endpoint path within this service. If your server has address https://www.foo.bar/oauth2, then not specifying this means the endpoint is constructed as https://www.foo.bar/oauth2/oidc-cm.

protocol
    Required: Y    Default: -
    The protocol for this endpoint, one of rfc7951, rfc7952 or oa4mp.

template
    Required: N    Default: -
    (RFC 7591 protocol only.) The id of a configured client which is to be used as a template. Create requests then create a copy of this client and apply any request arguments as overrides. This allows you to have a uniform registration for all clients (e.g. all of your clients use the device flow, are auto-approved, and need identical configurations). This only applies to the RFC 7591 api. You would need to create this client (tip: never approve it) in the CLI before setting this.

url
    Required: N    Default: -
    If you want to specify the endpoint completely, e.g. one that is not on this server, you must give the complete url; for instance, if you wanted the endpoint to be https://clients.foo.bar instead.

An Example

    <clientManagement>
        <api protocol="rfc7951"
         enabled="true"
         url="https://clients.foo.bar"
         anonymousOK="true"
         template="template:/client/generic" />
        <api protocol="rfc7952" enabled="true" endpoint="oidc-cm" />
        <api protocol="oa4mp" enabled="false"  />
    </clientManagement>

Note that omitting a protocol means that the component will be enabled with the defaults. Therefore you must explicitly disable things you do not want.
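The following is an added example, written for this page and not part of oa4mp: a small Python audit that reads a clientManagement element, applies the documented defaults (including the rule that an omitted element or protocol means "enabled with defaults", and that `<clientManagement enabled="false">` switches everything off), and flags the risky combinations the attribute table warns about. The function names, severity labels and the two sample configurations are this example's own; the attribute names and defaults come from the table above.

```python
"""Audit an oa4mp clientManagement element (added example, not oa4mp's own code).

Attribute names and defaults follow the documented table; the findings,
severities and helper names are this example's own invention.
"""
import xml.etree.ElementTree as ET

# Documented defaults for the attributes of an api element.
API_DEFAULTS = {
    "enabled": "true",
    "endpoint": "oidc-cm",
    "url": None,
    "anonymousOK": "false",
    "anonymousAllowedDomains": "*",
    "autoApprove": "false",
    "autoApproveAllowedDomains": "*",
    "autoApproverName": "auto-approved",
    "defaultRefreshTokenLifetime": "-1",
    "template": None,
}
# Values the protocol attribute accepts, as listed in the table.
PROTOCOLS = ("rfc7951", "rfc7952", "oa4mp")

# Constructed sample inputs: the page's own example, and a deliberately risky one.
SAMPLE_PAGE_CONFIG = """<clientManagement>
    <api protocol="rfc7951" enabled="true" url="https://clients.foo.bar"
         anonymousOK="true" template="template:/client/generic" />
    <api protocol="rfc7952" enabled="true" endpoint="oidc-cm" />
    <api protocol="oa4mp" enabled="false" />
</clientManagement>"""
SAMPLE_RISKY_CONFIG = """<clientManagement>
    <api protocol="rfc7951" anonymousOK="true" autoApprove="true"
         autoApproveAllowedDomains="localhost, ligo.bgsu.edu" />
</clientManagement>"""


def parse_domains(value):
    """Split a comma-separated host list, trimming whitespace; '*' means any host."""
    hosts = [h.strip() for h in value.split(",") if h.strip()]
    return hosts or ["*"]


def is_true(value):
    return str(value).strip().lower() == "true"


def effective_apis(config_xml):
    """Return {protocol: effective attributes} for the three client-management apis.

    A missing clientManagement element, or a protocol with no api element, is
    "enabled with defaults" as the docs state; clientManagement enabled="false"
    disables every protocol and ignores any api children.
    """
    root = ET.fromstring(config_xml)
    cm = root if root.tag == "clientManagement" else root.find(".//clientManagement")
    apis = {proto: dict(API_DEFAULTS) for proto in PROTOCOLS}
    if cm is None:
        return apis
    if not is_true(cm.get("enabled", "true")):
        for settings in apis.values():
            settings["enabled"] = "false"
        return apis
    for api in cm.findall("api"):
        proto = api.get("protocol")
        if proto in apis:
            apis[proto].update(api.attrib)  # explicit attributes override defaults
    return apis


def audit(config_xml):
    """Return (severity, message) findings for the effective configuration."""
    findings = []
    for proto, s in effective_apis(config_xml).items():
        if not is_true(s["enabled"]):
            continue
        where = s["url"] or s["endpoint"]
        findings.append(("info", f"{proto}: registration api enabled at {where}"))
        if proto != "rfc7951":  # the remaining attributes only apply to RFC 7591
            continue
        if is_true(s["autoApprove"]):
            hosts = parse_domains(s["autoApproveAllowedDomains"])
            sev = "high" if "*" in hosts else "medium"
            findings.append((sev, f"{proto}: autoApprove=true for hosts {hosts} "
                                  f"(approver '{s['autoApproverName']}')"))
        if is_true(s["anonymousOK"]):
            hosts = parse_domains(s["anonymousAllowedDomains"])
            sev = "medium" if "*" in hosts else "low"
            findings.append((sev, f"{proto}: anonymous registration allowed from {hosts}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("page example", SAMPLE_PAGE_CONFIG), ("risky", SAMPLE_RISKY_CONFIG)):
        print(f"== {label} ==")
        for sev, msg in audit(cfg):
            print(f"[{sev}] {msg}")
```

Run against the page's own example the audit reports the rfc7951 api at https://clients.foo.bar with anonymous registration open to all hosts, the rfc7952 api at oidc-cm, and nothing for oa4mp; run against an empty server configuration it reports all three apis enabled, which is the "omitting means enabled" behaviour worth checking before deployment.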

Disabling all client management

If you don't want any sort of dynamic client registration, simply disable everything as follows:

    <clientManagement enabled="false" />

Any other attributes will be ignored, so you can just turn it on or off.