Layer7 API Management

Expand all | Collapse all

Restrict Dynamic Client Registration to known clients

Jump to Best Answer
  • 1.  Restrict Dynamic Client Registration to known clients

    Posted 12-21-2017 04:07 PM

    Trying to get my head around the OTK OIDC/OAuth for native mobile applications use case. Maybe the communities can help.


    Disclaimer: I am new to both OIDC and OAuth, so I may be missing something obvious, or completely incorrect in my understanding.


    I am researching the correct way to integrate a mobile application which uses our centralized authentication service based on CASSO, which is integrated with the OTK to support OIDC and the authorization code grant type.


    From what I have read, it appears that a mobile native client cannot be trusted to store a client secret that is shared across all instances of the application, so dynamic client registration should be used to register each instance of the mobile application as its own client. (This seems like it could result in a ton of clients, but I guess it is what it is) What I don't understand is how I would enable dynamic client registration for a first-party publicly available mobile app, while still preventing third-party developers from configuring their own application to use dynamic client registration against my OIDC service.


    Is there a standard way to white-list, or grant tokens to restrict which client applications support dynamic client registration? The OIDC spec seems to allow for this (although they do not define the method), I am wondering what mechanism is typically used for this? If there is a token that is presented, how is it that that token can be kept secret, when the client secret cannot?


    I am sure I am missing something here, if anyone can point me in the right direction, I would greatly appreciate it.


     Client Registration Endpoint

    The Client Registration Endpoint is an OAuth 2.0 Protected Resource through which a new Client registration can be requested. The OpenID Provider MAY require an Initial Access Token that is provisioned out-of-band (in a manner that is out of scope for this specification) to restrict registration requests to only authorized Clients or developers.


    Thank you-



  • 2.  Re: Restrict Dynamic Client Registration to known clients
    Best Answer

    Posted 12-21-2017 06:25 PM

    Dear JMCColorado ,

    It seems you are not aware about MAG/MAS, we provide SDK on mobile side, and solution kit on gateway side to help to implement SSO, and call gateway APIs, and so on, easier.


    The SDK encapsulate all the oauth flows, etc. required by the communication between device and gateway.


    As per my understanding, we only need one oauth client for one app, the device registration is managed by MAG(mapping the device to oauth client).


    You may start from the website:

    CA Developers, Mobile SDK for CA Mobile API Gateway - CA Technologies 




  • 3.  Re: Restrict Dynamic Client Registration to known clients

    Posted 12-21-2017 06:27 PM

    I meant, with MAG/MAS, you don't have to implement those things all by yourself.