oauth2.dev

registration_endpoint

IESG

Registry Context

registration_endpoint is optional authorization server metadata identifying the URL of the server's OAuth 2.0 Dynamic Client Registration endpoint.

Technical Summary

When present in RFC 8414 authorization server metadata, registration_endpoint identifies an RFC 7591 client registration endpoint. That endpoint must accept JSON-encoded HTTP POST requests and use transport-layer security.

When Used

Used by clients to discover where they can dynamically register with an OAuth 2.0 authorization server.

Normative Requirements

Authorization servers

OPTIONAL
1
  1. RFC 8414 - Section 2

    Include registration_endpoint metadata containing the URL of its OAuth 2.0 Dynamic Client Registration endpoint..

    OPTIONAL. URL of the authorization server's OAuth 2.0 Dynamic Client Registration endpoint [RFC7591].

client registration endpoint

MUST
2
  1. RFC 7591 - Section 3

    Accept HTTP POST messages with request parameters encoded in the entity body using application/json..

    Condition: When implementing the advertised RFC 7591 client registration endpoint.

    The client registration endpoint MUST accept HTTP POST messages with request parameters encoded in the entity body using the "application/json" format.

  2. RFC 7591 - Section 3

    Be protected by a transport-layer security mechanism..

    Condition: When implementing the advertised RFC 7591 client registration endpoint.

    The client registration endpoint MUST be protected by a transport-layer security mechanism.

SHOULD
1
  1. RFC 7591 - Section 3

    Allow registration requests with no authorization and no initial access token..

    Condition: To support open registration and facilitate wider interoperability.

    The client registration endpoint SHOULD allow registration requests with no authorization.

MAY
3
  1. RFC 7591 - Section 3

    Be an OAuth 2.0 protected resource..

    Condition: When implementing the advertised RFC 7591 client registration endpoint.

    The client registration endpoint MAY be an OAuth 2.0 [RFC6749] protected resource.

  2. RFC 7591 - Section 3

    Accept an initial access token in the form of an OAuth 2.0 access token to restrict registration to previously authorized parties..

    Condition: When implementing the advertised RFC 7591 client registration endpoint.

    It MAY accept an initial access token in the form of an OAuth 2.0 access token to limit registration to only previously authorized parties.

  3. RFC 7591 - Section 3

    Rate-limit or otherwise limit unauthorized registration requests to prevent denial-of-service attacks..

    Condition: When accepting registration requests with no authorization.

    These requests MAY be rate-limited or otherwise limited to prevent a denial-of-service attack.

Validation Guidance

error

If registration_endpoint is present, verify that its value is a URL identifying the authorization server's OAuth 2.0 Dynamic Client Registration endpoint.

error

When actively testing the advertised endpoint, verify that it accepts HTTP POST requests whose entity bodies use application/json.

error

When actively testing the advertised endpoint, verify that it uses transport-layer security.

info

Do not require the endpoint to be unprotected or to reject initial access tokens; RFC 7591 permits both endpoint protection and initial access tokens.

warning

Warn when the endpoint does not permit registration without authorization, unless there is a documented reason for departing from the RFC 7591 recommendation.

info

Permit rate limiting or other restrictions on unauthorized registration requests intended to prevent denial-of-service attacks.

Security Notes

RFC 7591 - Section 3

Unauthorized registration requests may be rate-limited or otherwise limited to prevent denial-of-service attacks.

Reference

Details

Entry Id
registration_endpoint
Metadata Name
registration_endpoint
Metadata Description
URL of the authorization server's OAuth 2.0 Dynamic Client Registration Endpoint
Change Controller
IESG
Reference
RFC8414 - Section 2