Supports automated OAuth key distribution
Key Bridge uses the OpenID Connect Dynamic Client Registration protocol for client registration. Before taking part in an OpenID Connect transaction, a Relying Party (RP, Client) must register with the Key Bridge OpenID service; it can do so dynamically through this API.
New registrations are placed in a disabled state until reviewed and approved by an administrator.
Client registration is idempotent and can be repeated as many times as needed. A client may re-register at any time to refresh its OAuth credentials and receive a new shared secret.
Architecture
The authorization server acts as a trusted third party that provides session keys to clients and to resource servers. To obtain the session key, the client interacts with the authorization server as part of a normal grant exchange. This is shown abstractly below.
                                  +---------------+
                                  | Authorization |
                                  |    Server     |
                                  |    (this)     |
                                  +---------------+
                                     ^    |    *
           (I) Access Token Request  |    |    *  Key Distribution
                                     |    |    *  (Register Client API)
                (II) Access Token    |    v    *
                                     |         v
+-----------+                      +------------+
|           |---------------------->|            |
|           |   Authenticate (a)   |  Relying   |
|           |    [Access Token]    |   Party    |
| End User  |                      |  (Client)  |
|  (Human)  |   Authenticated (b)  |            |
|           |<---------------------|            |
+-----------+                      +------------+

****: Out-of-Band Long-Term Key Establishment
----: Dynamic Session Key Distribution
Interaction between the Client and the Authorization Server
Together with the access token the authorization server returns a session key and several other parameters.
API resources
RFC 7592 OAuth 2.0 Dynamic Registration Management Client Delete Request
To deprovision itself on the authorization server, the client makes an HTTP DELETE request to the client configuration endpoint. This request is authenticated by the registration access token issued to the client.
Headers and URI pattern
| clientId | string | TEMPLATE | The server-assigned client id value |
RFC 7592 OAuth 2.0 Dynamic Registration Management Client Read Request
To read the current configuration of the client on the authorization server, the client makes an HTTP GET request to the client configuration endpoint, authenticating with its registration access token.
Headers and URI pattern
| clientId | string | TEMPLATE | The server-assigned client id value |
OpenID Connect Dynamic Client Registration
An OpenID Connect Relying Party can dynamically register with the End-User's OpenID Provider, providing information about itself to the OpenID Provider, and obtaining information needed to use it, including the OAuth 2.0 Client ID for this Relying Party.
Request
| OpenIdClientRegistrationRequest | application/json | The posted object is a fully populated, valid OpenIdClientRegistrationRequest instance. |
| Response | application/json | A fully populated OpenIdClientRegistrationResponse instance, which includes extended OpenID provider details such as the login, logout, error and access_denied URIs. |
RFC 7592 OAuth 2.0 Dynamic Registration Management Client Update Request
To update a previously registered client's registration with an authorization server, the client makes an HTTP PUT request to the client configuration endpoint. This request is authenticated by the registration access token issued to the client.
Headers and URI pattern
| clientId | string | TEMPLATE | The server-assigned client id value |
| ClientUpdateRequest | application/json | The posted object is a fully populated, valid ClientUpdateRequest instance. |
| Response | application/json | The updated OpenID client registration information |