Dynamic client registration API
If you are building a new application and want to use the OneWelcome Identity Platform for authentication in a secure manner, register an OAuth2 client with the OneWelcome Identity Platform and use that client for authentication.
How does it work?
For example, suppose you have to build a new application that lets a user manage their consents and gives view-only access to the primary email address and primary phone number. The user must not be able to see other information, such as group membership or insurance policy.
To do this, you register an OAuth2 client and pass some information, such as the location of your application, the application name, the authentication methods, and so on. To fully meet the requirements, you add the read-write consent-related scopes and the read-only scopes for the primary email address and primary phone number.
Once the OAuth2 client is created, you can use it in your application to authenticate against the OneWelcome Identity Platform.
Which API do you need?
To register a new client, use the Dynamic client registration API. A client that fulfils the requirements above is registered with a request like the following:
curl --request POST \
  --url https://www.onewelcome.com/onewelcome-dev/auth/oauth2.0/v1/connect/register \
  --header 'Authorization: Bearer some-access-token' \
  --header 'Content-Type: application/json' \
  --data '{
    "application_type": "web",
    "client_id": "consentApp",
    "code_challenge_method": "S256",
    "client_name": "consentApp",
    "client_type": "Public",
    "subject_type": "public",
    "token_endpoint_auth_method": "client_secret_post",
    "logo_uri": "https://client.example.org/logo.png",
    "jwks": "{\"keys\":[{\"kty\":\"RSA\",\"kid\":\"SylLC6Njt1KGQktD9Mt+0zceQSU=\",\"use\":\"sig\",\"alg\":\"RS256\",\"n\":\"AK0kHP1O-RgdgLSoWxkuaYoi5Jic6hLKeuKw8WzCfsQ68ntBDf6tVOTn_kZA7Gjf4oJAL1dXLlxIEy-kZWnxT3FF-0MQ4WQYbGBfaW8LTM4uAOLLvYZ8SIVEXmxhJsSlvaiTWCbNFaOfiII8bhFp4551YB07NfpquUGEwOxOmci_\",\"e\":\"AQAB\"}]}",
    "id_token_signed_response_alg": "RS256",
    "grant_types": [
      "authorization_code",
      "refresh_token",
      "implicit"
    ],
    "response_types": [
      "code",
      "token",
      "id_token",
      "code token",
      "token id_token",
      "code id_token",
      "code token id_token",
      "none"
    ],
    "scopes": [
      "openid",
      "consent:read",
      "consent:write",
      "primary-phone:read",
      "primary-email:read"
    ],
    "default_scopes": [
      "openid",
      "consent:read",
      "consent:write",
      "primary-phone:read",
      "primary-email:read"
    ],
    "contacts": [
      "ve7jtb@example.org",
      "mary@example.org"
    ],
    "redirect_uris": [
      "https://www.my-consent-app.com/profile"
    ],
    "request_uris": [
      "https://client.example.org/rf.txt#qpXaRLh_n93TTR9F252ValdatUQvQiJi5BDub2BeznA"
    ]
  }'
Example response
{
  "application_type": "web",
  "client_id": "consentApp",
  "client_name": "consentApp",
  "client_type": "Public",
  "client_secret": "4138ca8f-f6a3-46b5-926c-467be7073817",
  "code_challenge_method": "S256",
  "client_secret_expires_at": 0,
  "contacts": [
    "mary@example.org",
    "ve7jtb@example.org"
  ],
  "default_scopes": [
    "consent:read",
    "openid",
    "consent:write",
    "primary-email:read",
    "primary-phone:read"
  ],
  "default_max_age": 1,
  "id_token_signed_response_alg": "RS256",
  "jwks": "{\"keys\":[{\"kty\":\"RSA\",\"kid\":\"SylLC6Njt1KGQktD9Mt+0zceQSU=\",\"use\":\"sig\",\"alg\":\"RS256\",\"n\":\"AK0kHP1O-RgdgLSoWxkuaYoi5Jic6hLKeuKw8WzCfsQ68ntBDf6tVOTn_kZA7Gjf4oJAL1dXLlxIEy-kZWnxT3FF-0MQ4WQYbGBfaW8LTM4uAOLLvYZ8SIVEXmxhJsSlvaiTWCbNFaOfiII8bhFp4551YB07NfpquUGEwOxOmci_\",\"e\":\"AQAB\"}]}",
  "registration_access_token": "5d10ade8-e90a-45a5-9f0a-e4d2a81d78b9",
  "registration_client_uri": "https://www.ongo.com/bikes/login/oauth2.0/v1/connect/register?client_id=consentApp",
  "redirect_uris": [
    "https://www.my-consent-app.com/profile"
  ],
  "default_post_logout_redirect_uri": "https://www.ongo.com/bikes/login/",
  "logo_uri": "https://client.example.org/logo.png",
  "response_types": [
    "token id_token",
    "id_token",
    "code id_token",
    "code token id_token",
    "code",
    "token",
    "code token",
    "none"
  ],
  "scopes": [
    "consent:read",
    "openid",
    "consent:write",
    "primary-email:read",
    "primary-phone:read"
  ],
  "subject_type": "public",
  "token_endpoint_auth_method": "client_secret_post"
}
To call this API, you need an OAuth2 access token with the dynamic-client-registration scope. For information about how to issue an access token, consult the OAuth and OpenID Connect API documentation.
The default code challenge method is "S256". See Proof Key for Code Exchange (PKCE).
For a detailed explanation of each of the request and response attributes, see the Dynamic Client Registration API specification.
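The following Python example is added here and is not OneWelcome code. It shows the two pieces an application built around the registration above needs: the PKCE S256 challenge computation that "code_challenge_method": "S256" refers to, and a check that the registration response grants no more than the consent-app requirements (only the needed scopes, the expected https redirect URI, S256). The sample response is a constructed, trimmed copy of the one shown above; the scope set and the check thresholds are this example's assumptions.

```python
import base64
import hashlib
import secrets

# Constructed sample: a trimmed copy of the registration response shown on this page.
SAMPLE_RESPONSE = {
    "client_id": "consentApp",
    "client_secret_expires_at": 0,
    "code_challenge_method": "S256",
    "redirect_uris": ["https://www.my-consent-app.com/profile"],
    "response_types": ["token id_token", "id_token", "code id_token", "code token id_token",
                       "code", "token", "code token", "none"],
    "scopes": ["consent:read", "openid", "consent:write", "primary-email:read", "primary-phone:read"],
}
# Exactly the scopes the consent app needs (least privilege, as described on the page).
NEEDED_SCOPES = {"openid", "consent:read", "consent:write", "primary-email:read", "primary-phone:read"}

def s256_challenge(verifier: str) -> str:
    """PKCE S256: BASE64URL(SHA256(code_verifier)) without '=' padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_pkce_pair() -> tuple:
    """Fresh (code_verifier, code_challenge); generate one pair per authorization request."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, s256_challenge(verifier)

def check_registration(resp: dict, needed_scopes: set, expected_redirects: set) -> list:
    """Return findings wherever the registered client is broader than the requirements."""
    findings = []
    extra = set(resp.get("scopes", [])) - needed_scopes
    if extra:
        findings.append(f"unneeded scopes granted: {sorted(extra)}")
    for uri in resp.get("redirect_uris", []):
        if not uri.startswith("https://") or uri not in expected_redirects:
            findings.append(f"unexpected redirect_uri: {uri}")
    if resp.get("code_challenge_method") != "S256":
        findings.append("code_challenge_method is not S256")
    # Response types that return a token straight from the authorization endpoint
    # bypass PKCE; the app should rely on "code" only.
    implicit = [rt for rt in resp.get("response_types", []) if "token" in rt.split()]
    if implicit:
        findings.append(f"implicit response types enabled: {implicit}")
    if resp.get("client_secret_expires_at") == 0:
        findings.append("client_secret never expires; plan a rotation")
    return findings
```

Run check_registration on the real response after registering; an empty list means the client matches the requirements, and each finding names a field to tighten before the client goes live.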