registration_ endpoint
Registry Context
registration_endpoint is optional authorization server metadata identifying the URL of the server's OAuth 2.0 Dynamic Client Registration endpoint.
Technical Summary
When present in RFC 8414 authorization server metadata, registration_endpoint identifies an RFC 7591 client registration endpoint. That endpoint must accept JSON-encoded HTTP POST requests and use transport-layer security.
When Used
Used by clients to discover where they can dynamically register with an OAuth 2.0 authorization server.
Normative Requirements
Authorization servers
RFC 8414 - Section 2
Include registration_endpoint metadata containing the URL of its OAuth 2.0 Dynamic Client Registration endpoint..
OPTIONAL. URL of the authorization server's OAuth 2.0 Dynamic Client Registration endpoint [RFC7591].
client registration endpoint
RFC 7591 - Section 3
Accept HTTP POST messages with request parameters encoded in the entity body using application/json..
Condition: When implementing the advertised RFC 7591 client registration endpoint.
The client registration endpoint MUST accept HTTP POST messages with request parameters encoded in the entity body using the "application/json" format.
RFC 7591 - Section 3
Be protected by a transport-layer security mechanism..
Condition: When implementing the advertised RFC 7591 client registration endpoint.
The client registration endpoint MUST be protected by a transport-layer security mechanism.
RFC 7591 - Section 3
Allow registration requests with no authorization and no initial access token..
Condition: To support open registration and facilitate wider interoperability.
The client registration endpoint SHOULD allow registration requests with no authorization.
RFC 7591 - Section 3
Be an OAuth 2.0 protected resource..
Condition: When implementing the advertised RFC 7591 client registration endpoint.
The client registration endpoint MAY be an OAuth 2.0 [RFC6749] protected resource.
RFC 7591 - Section 3
Accept an initial access token in the form of an OAuth 2.0 access token to restrict registration to previously authorized parties..
Condition: When implementing the advertised RFC 7591 client registration endpoint.
It MAY accept an initial access token in the form of an OAuth 2.0 access token to limit registration to only previously authorized parties.
RFC 7591 - Section 3
Rate-limit or otherwise limit unauthorized registration requests to prevent denial-of-service attacks..
Condition: When accepting registration requests with no authorization.
These requests MAY be rate-limited or otherwise limited to prevent a denial-of-service attack.
Validation Guidance
If registration_endpoint is present, verify that its value is a URL identifying the authorization server's OAuth 2.0 Dynamic Client Registration endpoint.
When actively testing the advertised endpoint, verify that it accepts HTTP POST requests whose entity bodies use application/json.
When actively testing the advertised endpoint, verify that it uses transport-layer security.
Do not require the endpoint to be unprotected or to reject initial access tokens; RFC 7591 permits both endpoint protection and initial access tokens.
Warn when the endpoint does not permit registration without authorization, unless there is a documented reason for departing from the RFC 7591 recommendation.
Permit rate limiting or other restrictions on unauthorized registration requests intended to prevent denial-of-service attacks.
Security Notes
RFC 7591 - Section 3
Unauthorized registration requests may be rate-limited or otherwise limited to prevent denial-of-service attacks.
Reference
Details
- Entry Id
registration_endpoint - Metadata Name
registration_endpoint - Metadata Description
URL of the authorization server's OAuth 2.0 Dynamic Client Registration Endpoint- Change Controller
IESG- Reference
RFC8414 - Section 2