4.1.3. Client Registration
To communicate with MojeID via OpenID Connect, it is necessary to register a client (service) at the MojeID server. Either manual or automatic registration can be used. Automatic registration is suitable for dynamically created clients (JS, mobile devices); manual registration is suitable for server clients.
4.1.3.1. Manual registration
Manual registration can be done at https://mojeid.cz/consumer_admin/ (for the MojeID test instance, at https://mojeid.regtest.nic.cz/consumer_admin/). You can then edit and delete the managed clients at the same address. Clients created this way have an indefinite validity period. Specifications of the individual items can be found in the OpenID Connect protocol document (https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).
An example of manual registration of a client in the MojeID test instance:
1. In any account that you create in the MojeID test instance, go to https://mojeid.regtest.nic.cz/consumer_admin/ after login.
2. Go to the "New service setup" link. Fill in the required fields "Client's name" and "List of URIs" and click "Save". A record with the client's ID is created in the list of managed services.
3. To get the "Client secret / Tajemství klienta", go to the "Update" link in the newly created service. A page where you can edit the setup is displayed; the "Client secret" is in the last row of the displayed form.
4.1.3.2. Automatic Registration
More details can be found in the OpenID Connect protocol document (https://openid.net/specs/openid-connect-registration-1_0.html). All the necessary settings should be handled by the library you use. A registration created this way expires after 24 hours, but it can be renewed (see Registration Change).
Caution: automatic (dynamic) registration cannot be used for Full access.
An example of registering a client using the library (the Python oic package, pyoidc):
from oic.oic.consumer import Consumer
from oic.utils.sdb import SessionDB

# URL, OIC_CONFIG, OIC_CLIENT_CONFIG, ISSUER and MY_CLIENT_NAME are deployment-specific values.
client = Consumer(SessionDB(URL), OIC_CONFIG, client_config=OIC_CLIENT_CONFIG)
# The redirect URI must match one of the URIs sent in the registration request.
client.redirect_uris = URL + client.consumer_config['authz_page']
# Discover the provider's endpoints, including registration_endpoint.
provider_info = client.provider_config(ISSUER)
client.register(provider_info["registration_endpoint"], response_types='code', client_name=MY_CLIENT_NAME)
An example of a registration query:
POST /oidc/registration HTTP/1.1
Content-Type: application/json
Accept: application/json
Host: mojeid.cz

{
"application_type": "web",
"redirect_uris":
["https://client.example.org/callback",
"https://client.example.org/callback2"],
"client_name": "My Example",
"logo_uri": "https://client.example.org/logo.png",
"token_endpoint_auth_method": "client_secret_post"
}
An example of the server’s response to a registration query:
HTTP/1.1 201 Created
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
"client_id": "s6BhdRkqt3",
"client_secret": "ZJYCqe3GGRvdrudKyZS0XhGv_Z45DuKhCUk0gBR1vZk",
"client_secret_expires_at": 1577858400,
"registration_access_token": "MY.SECRET.REGISTRATION.ACCESS.TOKEN",
"registration_client_uri": "https://mojeid.cz/oidc/registration?client_id=s6BhdRkqt3",
"token_endpoint_auth_method": "client_secret_post",
"application_type": "web",
"redirect_uris":
["https://client.example.org/callback",
"https://client.example.org/callback2"],
"client_name": "My Example",
"logo_uri": "https://client.example.org/logo.png"
}
Note
- Registration can also be processed, and the Client ID and Client Secret retrieved, without the library; you only need to send a POST query, for example via curl.
Example:
curl -H 'Content-Type: application/json' \
     --data '{"redirect_uris": ["https://navratova-adresa.cz"], "client_name": "Název služby"}' \
     https://mojeid.cz/oidc/registration/
Registration also allows metadata to be associated with the client registration (see Client Metadata in the specification), so the provider can define, for example, the service name and icon, specifically the attributes client_name, logo_uri, or client_uri.
4.1.3.2.1. Information about Registration
Part of the MojeID server's response to a completed registration is a URL where current information about the registration can be obtained (the configuration endpoint, registration_client_uri), and an access token (registration_access_token).
When sending a GET query to this URL, it is necessary to authenticate using this access token; it must be included in the Authorization header of the HTTP request.
The server's response has the same format as the response to registration and contains current information about your client on our server.
4.1.3.2.2. Registration Change
You can edit certain information about the registered client using the above-mentioned configuration endpoint.
The change has to be done using a POST query with the registration_access_token in the Authorization header.
The request format is the same as for registration and its processing on the server is also the same, with the following exceptions:
- It is not possible to change the registered redirect_uri and client_id.
- The client_secret value is ignored. If the item is included in the request, a new client_secret is generated and sent in the response to the configuration query.
An example of a configuration query that will ensure generation of a new client_secret and a change of logo_uri and policy_uri:
POST /oidc/registration?client_id=MYCLIENTID HTTP/1.1
Accept: application/json
Host: mojeid.cz
Authorization: Bearer MY.SECRET.REGISTRATION.ACCESS.TOKEN

{
"client_secret": null,
"logo_uri": "https://client.example.org/another-logo.png",
"policy_uri": "https://client.example.org/policy-page"
}
The server’s response to the configuration query is the same as the response to the registration query and contains current information about your client on our server.
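The dynamic-registration lifecycle described in this section (the initial POST, reading the configuration endpoint with the registration_access_token, and a change request that rotates client_secret), as an added Python example that is not MojeID's own code or the pyoidc library. It only builds and validates the HTTP messages and leaves the transport to the caller; the endpoint and sample values come from this page, and the https-only redirect URI check and the expiry flag are assumptions of the example.

```python
import json
import time

REGISTRATION_ENDPOINT = "https://mojeid.cz/oidc/registration"  # from the page
IMMUTABLE = ("client_id", "redirect_uris")  # cannot be changed after registration

def build_registration_request(redirect_uris, client_name, **metadata):
    """Build the initial POST; redirect_uris is a list of https URIs (assumed policy)."""
    for uri in redirect_uris:
        if not uri.startswith("https://"):
            raise ValueError(f"redirect URI must use https: {uri}")
    body = {"application_type": "web", "redirect_uris": list(redirect_uris),
            "client_name": client_name, "token_endpoint_auth_method": "client_secret_post"}
    body.update(metadata)  # e.g. logo_uri, client_uri, policy_uri
    return {"method": "POST", "url": REGISTRATION_ENDPOINT,
            "headers": {"Content-Type": "application/json", "Accept": "application/json"},
            "body": json.dumps(body)}

def parse_registration_response(status, body, now=None):
    """Validate the '201 Created' reply and flag whether client_secret is still valid."""
    if status != 201:
        raise RuntimeError(f"registration failed with HTTP {status}")
    reg = json.loads(body)
    missing = [k for k in ("client_id", "client_secret", "registration_access_token",
                           "registration_client_uri") if k not in reg]
    if missing:
        raise RuntimeError(f"response lacks {missing}")
    now = time.time() if now is None else now
    expires = reg.get("client_secret_expires_at", 0)  # 0 means no expiry per the spec
    reg["secret_valid"] = expires == 0 or expires > now
    return reg

def build_config_read_request(reg):
    """GET the configuration endpoint; the registration access token is the bearer credential."""
    return {"method": "GET", "url": reg["registration_client_uri"], "body": None,
            "headers": {"Accept": "application/json",
                        "Authorization": "Bearer " + reg["registration_access_token"]}}

def build_config_update_request(reg, changes, rotate_secret=False):
    """POST changed metadata; a null client_secret asks the server to generate a new one."""
    clash = [k for k in changes if k in IMMUTABLE]
    if clash:
        raise ValueError(f"cannot change {clash} after registration")
    body = dict(changes)
    if rotate_secret:
        body["client_secret"] = None  # serialised as JSON null, as in the page's example
    req = build_config_read_request(reg)
    req.update(method="POST", body=json.dumps(body))
    req["headers"]["Content-Type"] = "application/json"
    return req
```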