4.1.3. Client Registration

To communicate with MojeID via OpenID Connect, it is necessary to register a client (service) at the MojeID server. Either manual or automatic registration can be used. Automatic registration is suitable for dynamically created clients (JavaScript applications, mobile devices); manual registration is suitable for server clients.

4.1.3.1. Manual Registration

Manual registration is done at https://mojeid.cz/consumer_admin/ (for the MojeID test instance, at https://mojeid.regtest.nic.cz/consumer_admin/). The managed clients can then be edited and deleted at the same address. Clients created this way have an indefinite validity period. Specifications of the individual items can be found in the OpenID Connect protocol document (https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata).

An example of manual registration of a client in the MojeID test instance:

  1. Log in to any account you have created in the MojeID test instance and go to https://mojeid.regtest.nic.cz/consumer_admin/.

  2. Open the New service setup link. Fill in the required fields Client's name and List of URIs and click Save.

    • A record with the client’s ID is created in the list of managed services.

  3. To get the Client secret (Tajemství klienta in the Czech UI), open the Update link of the newly created service.

    • A page where you can edit the setup is displayed; Client secret is in the last row of the displayed form.

4.1.3.2. Automatic Registration

More details can be found in the OpenID Connect protocol document (https://openid.net/specs/openid-connect-registration-1_0.html). All the necessary settings should be handled by the library you use. A registration created this way expires after 24 hours, but it can be renewed (see Registration Change).

Caution: automatic (dynamic) registration cannot be used for Full access.

An example of registering a client using the pyoidc library:

from oic.oic.consumer import Consumer
from oic.utils.sdb import SessionDB

# URL, OIC_CONFIG, OIC_CLIENT_CONFIG, ISSUER and MY_CLIENT_NAME are your own
# deployment settings: the base URL of your service, the pyoidc consumer and
# client configuration, the MojeID issuer URL and the name shown to users.
client = Consumer(SessionDB(URL), OIC_CONFIG, client_config=OIC_CLIENT_CONFIG)
# redirect_uris is a list; the server will only redirect to these exact URIs
client.redirect_uris = [URL + client.consumer_config['authz_page']]
# discover the registration endpoint from the issuer's well-known configuration
provider_info = client.provider_config(ISSUER)
client.register(provider_info["registration_endpoint"], response_types=['code'], client_name=MY_CLIENT_NAME)

An example of a registration query:

POST /oidc/registration HTTP/1.1
Content-Type: application/json
Accept: application/json
Host: mojeid.cz

{
 "application_type": "web",
 "redirect_uris":
     ["https://client.example.org/callback",
      "https://client.example.org/callback2"],
 "client_name": "My Example",
 "logo_uri": "https://client.example.org/logo.png",
 "token_endpoint_auth_method": "client_secret_post"
}

An example of the server’s response to a registration query:

HTTP/1.1 201 Created
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
 "client_id": "s6BhdRkqt3",
 "client_secret": "ZJYCqe3GGRvdrudKyZS0XhGv_Z45DuKhCUk0gBR1vZk",
 "client_secret_expires_at": 1577858400,
 "registration_access_token": "MY.SECRET.REGISTRATION.ACCESS.TOKEN",
 "registration_client_uri": "https://mojeid.cz/oidc/registration?client_id=s6BhdRkqt3",
 "token_endpoint_auth_method": "client_secret_post",
 "application_type": "web",
 "redirect_uris":
     ["https://client.example.org/callback",
      "https://client.example.org/callback2"],
 "client_name": "My Example",
 "logo_uri": "https://client.example.org/logo.png"
}

Note

Registration can also be performed, and the Client ID and Client Secret retrieved, without the library; all that is needed is a POST request sent, for example, with curl.

Example:

curl -H 'Content-Type: application/json' \
  --data '{"redirect_uris": ["https://navratova-adresa.cz"],
  "client_name": "Název služby"}' https://mojeid.cz/oidc/registration/

Registration also allows you to associate metadata with the client registration (see Client Metadata in the specification), so that the provider can display, for example, the service name and icon; specifically, the attributes client_name, logo_uri, or client_uri.
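The request and response shown above can be handled without any OIDC library. The following is an added example, not MojeID's or pyoidc's code: it builds the registration body (insisting that redirect_uris is a list of https URIs, since the server redirects only to these exact values and they cannot be changed later), sends it as application/json the way the curl call does, and validates the answer before anything is stored: the 201 status, the presence of the fields the client needs later, an exact echo of the requested redirect_uris, and the client_secret_expires_at timestamp, which matters because dynamic registrations last only 24 hours. The endpoint URL, the sample request and the sample response are taken from this section; everything else is the example's own assumption.

```python
import json
import ssl
import time
import urllib.request
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Taken from the request example above.
REGISTRATION_ENDPOINT = "https://mojeid.cz/oidc/registration"

# Without these the registered client cannot authenticate or manage itself.
REQUIRED_FIELDS = ("client_id", "client_secret",
                   "registration_access_token", "registration_client_uri")


def valid_redirect_uri(uri):
    """Absolute https URI without a fragment: the only kind worth registering,
    because the server redirects to these exact values and they are immutable."""
    parts = urlsplit(uri)
    return parts.scheme == "https" and bool(parts.netloc) and not parts.fragment


def build_registration_request(redirect_uris, client_name, **metadata):
    """JSON body for the dynamic registration POST (redirect_uris must be a list)."""
    if isinstance(redirect_uris, str):
        raise TypeError("redirect_uris must be a list of URIs, not one string")
    bad = [u for u in redirect_uris if not valid_redirect_uri(u)]
    if bad:
        raise ValueError(f"invalid redirect URIs: {bad}")
    body = {
        "application_type": "web",
        "redirect_uris": list(redirect_uris),
        "client_name": client_name,
        "token_endpoint_auth_method": "client_secret_post",
    }
    body.update(metadata)  # optional Client Metadata such as logo_uri, client_uri
    return body


def post_json(url, body, timeout=10):
    """curl equivalent: POST body as application/json over verified TLS.
    Returns (HTTP status, parsed JSON response)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout,
                                context=ssl.create_default_context()) as resp:
        return resp.status, json.loads(resp.read().decode())


def parse_registration_response(status, body, sent, now=None):
    """Validate the server's answer and return what the client must persist.

    Checks the 201 status, the required fields, that redirect_uris were echoed
    back exactly as requested, and whether client_secret has already expired.
    `now` is a Unix timestamp and defaults to the current time.
    """
    if status != 201:
        raise RuntimeError(f"registration rejected: HTTP {status} {body}")
    missing = [f for f in REQUIRED_FIELDS if f not in body]
    if missing:
        raise ValueError(f"response lacks required fields: {missing}")
    if body.get("redirect_uris") != sent["redirect_uris"]:
        raise ValueError("server did not echo the requested redirect_uris")
    now = int(time.time()) if now is None else now
    expires_at = body.get("client_secret_expires_at", 0)  # 0 means never expires
    return {
        "client_id": body["client_id"],
        "client_secret": body["client_secret"],  # keep in a secret store, never in logs
        "registration_access_token": body["registration_access_token"],
        "registration_client_uri": body["registration_client_uri"],
        "secret_expires_utc": (datetime.fromtimestamp(expires_at, timezone.utc).isoformat()
                               if expires_at else None),
        "secret_expired": bool(expires_at) and expires_at <= now,
    }


# Constructed sample input: the request and response bodies shown in this section.
SAMPLE_REQUEST = build_registration_request(
    ["https://client.example.org/callback", "https://client.example.org/callback2"],
    "My Example", logo_uri="https://client.example.org/logo.png")
SAMPLE_RESPONSE = {
    "client_id": "s6BhdRkqt3",
    "client_secret": "ZJYCqe3GGRvdrudKyZS0XhGv_Z45DuKhCUk0gBR1vZk",
    "client_secret_expires_at": 1577858400,
    "registration_access_token": "MY.SECRET.REGISTRATION.ACCESS.TOKEN",
    "registration_client_uri": "https://mojeid.cz/oidc/registration?client_id=s6BhdRkqt3",
    "token_endpoint_auth_method": "client_secret_post",
    "application_type": "web",
    "redirect_uris": ["https://client.example.org/callback", "https://client.example.org/callback2"],
    "client_name": "My Example",
    "logo_uri": "https://client.example.org/logo.png",
}

if __name__ == "__main__":
    # Offline run against the sample; a live call would be
    # status, body = post_json(REGISTRATION_ENDPOINT, SAMPLE_REQUEST)
    info = parse_registration_response(201, SAMPLE_RESPONSE, SAMPLE_REQUEST)
    print(info["client_id"], "secret expires", info["secret_expires_utc"],
          "(expired)" if info["secret_expired"] else "(valid)")
```

Run against the sample response, the secret is reported as expired, because its client_secret_expires_at (1577858400, i.e. 2020-01-01 06:00 UTC) is in the past; in a real deployment that flag is the signal to renew the registration via the configuration endpoint before the 24-hour window closes.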

4.1.3.2.1. Information about Registration

Part of the MojeID server's response to a completed registration is a URL where current information about the registration can be obtained (the configuration endpoint, registration_client_uri) and an access token (registration_access_token). A GET request to this URL must be authenticated with that access token, sent as a Bearer token in the Authorization HTTP header.

The server’s response has the same format as the response to registration and contains current information about your client on our server.

4.1.3.2.2. Registration Change

You can edit certain information about the registered client using the above-mentioned configuration endpoint. The change is made with a POST request carrying the registration_access_token in the Authorization header. The request format is the same as for registration and its processing on the server is also the same, with the following exceptions:

  • It is not possible to change the registered redirect_uris and client_id.

  • The client_secret value is ignored. If the item is included in the request at all, a new client_secret is generated and returned in the response to the configuration request.

An example of a configuration request that triggers generation of a new client_secret and changes logo_uri and policy_uri:

POST /oidc/registration?client_id=MYCLIENTID HTTP/1.1
Content-Type: application/json
Accept: application/json
Host: mojeid.cz
Authorization: Bearer MY.SECRET.REGISTRATION.ACCESS.TOKEN

{
 "client_secret": null,
 "logo_uri": "https://client.example.org/another-logo.png",
 "policy_uri": "https://client.example.org/policy-page"
}

The server's response to the configuration request is the same as the response to the registration request and contains the current information about your client on our server.
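The following added example (not MojeID's code) puts the two subsections above, reading the registration and changing it, into one small client-side module. It builds the GET and POST requests with the Bearer token, refuses locally to send client_id or redirect_uris in a change request (the server will not alter them, so the attempt is at best a silent no-op), requests a new secret with "client_secret": null, and when merging the response checks that the immutable fields came back unchanged and reports whether the secret was rotated so the old one can be discarded. The sample registration is the response shown in the registration section; the simulate_configuration_endpoint function is an assumption, an offline stand-in that models only the behaviour documented here (access-token check, value of client_secret ignored but regenerated whenever the key is present, client_id and redirect_uris kept as registered, expiry renewed on a successful change).

```python
import secrets
import time

# Fields the MojeID configuration endpoint will not let a client change.
IMMUTABLE_FIELDS = ("client_id", "redirect_uris")


def build_read_request(registration):
    """GET request for the current client metadata at registration_client_uri."""
    return {
        "method": "GET",
        "url": registration["registration_client_uri"],
        "headers": {
            "Accept": "application/json",
            "Authorization": "Bearer " + registration["registration_access_token"],
        },
        "body": None,
    }


def build_update_request(registration, changes, rotate_secret=False):
    """POST request that changes metadata and/or rotates client_secret.

    Immutable fields are rejected locally so a mistake does not turn into a
    silent no-op on the server. rotate_secret adds "client_secret": null; the
    server ignores the value and generates a new secret whenever the key exists.
    """
    bad = [k for k in changes if k in IMMUTABLE_FIELDS]
    if bad:
        raise ValueError(f"cannot change {bad} via the configuration endpoint")
    body = dict(changes)
    if rotate_secret:
        body["client_secret"] = None
    return {
        "method": "POST",
        "url": registration["registration_client_uri"],
        "headers": {
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": "Bearer " + registration["registration_access_token"],
        },
        "body": body,
    }


def apply_configuration_response(registration, status, body):
    """Merge the server's response into the stored registration.

    Returns (updated_registration, secret_rotated). Discard the old
    client_secret as soon as secret_rotated is True; token requests made with
    it will start failing.
    """
    if status not in (200, 201):
        raise RuntimeError(f"configuration request failed: HTTP {status} {body}")
    for field in IMMUTABLE_FIELDS:
        if body.get(field) != registration[field]:
            raise ValueError(f"server returned a different {field}; refusing to store it")
    updated = dict(registration)
    updated.update(body)
    rotated = body.get("client_secret") != registration["client_secret"]
    return updated, rotated


def simulate_configuration_endpoint(stored, request):
    """ASSUMPTION: offline stand-in for the MojeID configuration endpoint that
    models only the documented behaviour. Mutates and returns `stored`."""
    expected = "Bearer " + stored["registration_access_token"]
    if request["headers"].get("Authorization") != expected:
        return 401, {"error": "invalid_token"}
    if request["method"] == "GET":
        return 200, dict(stored)
    for key, value in request["body"].items():
        if key in IMMUTABLE_FIELDS:
            continue  # kept exactly as registered
        if key == "client_secret":
            stored["client_secret"] = secrets.token_urlsafe(32)  # sent value ignored
        else:
            stored[key] = value
    stored["client_secret_expires_at"] = int(time.time()) + 24 * 3600  # renewed
    return 200, dict(stored)


# Constructed sample: the registration response shown earlier in this section.
SAMPLE_REGISTRATION = {
    "client_id": "s6BhdRkqt3",
    "client_secret": "ZJYCqe3GGRvdrudKyZS0XhGv_Z45DuKhCUk0gBR1vZk",
    "client_secret_expires_at": 1577858400,
    "registration_access_token": "MY.SECRET.REGISTRATION.ACCESS.TOKEN",
    "registration_client_uri": "https://mojeid.cz/oidc/registration?client_id=s6BhdRkqt3",
    "token_endpoint_auth_method": "client_secret_post",
    "application_type": "web",
    "redirect_uris": ["https://client.example.org/callback", "https://client.example.org/callback2"],
    "client_name": "My Example",
    "logo_uri": "https://client.example.org/logo.png",
}

if __name__ == "__main__":
    server_state = dict(SAMPLE_REGISTRATION)
    req = build_update_request(SAMPLE_REGISTRATION,
                               {"logo_uri": "https://client.example.org/another-logo.png",
                                "policy_uri": "https://client.example.org/policy-page"},
                               rotate_secret=True)
    status, body = simulate_configuration_endpoint(server_state, req)
    updated, rotated = apply_configuration_response(SAMPLE_REGISTRATION, status, body)
    print("secret rotated:", rotated, "| new logo:", updated["logo_uri"])
```

To talk to the real endpoint, hand the dictionaries returned by build_read_request and build_update_request to any HTTP client and pass the resulting status and JSON body to apply_configuration_response; the simulator is only there so the flow, including the 401 on a wrong access token, can be exercised offline.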