14.4. Registering OpenID Connect Clients

OpenID Connect clients can register with OpenAM either statically, for example through the OpenAM console, or dynamically using OpenID Connect 1.0 Dynamic Registration.

Procedure 14.1. To Register a Client With OpenAM Console

Registering a client by using the OpenAM console consists of first creating an OAuth 2.0 Client agent profile, and then editing the profile to indicate the client settings pertinent to OpenID Connect 1.0.

  1. In the OpenAM console under Access Control > Realm Name > Agents > OAuth 2.0 Client > Agent, click New..., then provide the client identifier and client password, and finally click Create to create the profile.

  2. Follow the hints in the section, Configuring OAuth 2.0 & OpenID Connect 1.0 Clients to edit the profile to match the client configuration.

    In order to read and edit the client configuration dynamically later without using OpenAM console, be sure to set an access token in the field titled, "The access token used to update the client."

Procedure 14.2. To Register a Client Dynamically

For dynamic registration you need the client configuration metadata, and an access token to write the configuration to OpenAM by HTTP POST. To obtain the access token, register an initial client statically after creating the provider, as described in Procedure 14.1, “To Register a Client With OpenAM Console”. Other clients can then use that client to obtain the access token needed to perform dynamic registration.

On successful registration, OpenAM responds with information that includes an access token, which the client can later use to read and edit its own profile.

  1. Register an initial OAuth 2.0 client statically with a client ID such as masterClient and client secret such as password.

  2. Obtain an access token using the client you registered.

    For example, if you created the client as described in the previous step, and OpenAM administrator amadmin has password password, you can use the OAuth 2.0 resource owner password grant as in the following example.

    $ curl \
     --request POST \
     --user "masterClient:password" \
     --data "grant_type=password&username=amadmin&password=password" \
     https://openam.example.com:8443/openam/oauth2/access_token
    {
        "expires_in": 59,
        "token_type": "Bearer",
        "refresh_token": "26938cd0-6870-4e31-ade9-df31afc37ee1",
        "access_token": "515d6551-4512-4279-98b6-c0ef3f03a722"
    }

  3. HTTP POST the client registration profile to the /oauth2/connect/register endpoint, using bearer token authorization with the access token you obtained from OpenAM.

    For an example written in JavaScript, see the registration page in the examples available online. Successful registration shows a response that includes the client ID and client secret.

    {
      "issued_at": 1376916775,
      "expires_at": 0,
      "client_secret": "5a1f50db-ed93-4a9b-bf37-c1cb3c74ca16",
      "com.forgerock.openam.oauth2provider.redirectionURIs": [
        "https://openam.example.com:8443/openid/cb-basic.html",
        "https://openam.example.com:8443/openid/cb-implicit.html"
      ],
      "client_id": "c1e5c60a-9fd4-4780-a283-ec89580b6cc1",
      "registration_client_uri": "https://openam.example.com:8443/openam/oauth2/connect/register?client_id=c1e5c60a-9fd4-4780-a283-ec89580b6cc1"
    }
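As an added example (not code from the OpenAM documentation), the following Python builds the step 2 token request and the step 3 registration POST exactly as the procedure describes, and checks a registration response before the client stores the returned client_id and client_secret. The OpenAM base URL and the standard OpenID Connect `redirect_uris` metadata field name are assumptions; the sample response is constructed from the page's example values.

```python
import base64
import json
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

OPENAM = "https://openam.example.com:8443/openam"  # assumption: URL from the page's examples

SAMPLE_RESPONSE = json.dumps({  # constructed from the page's sample registration response
    "client_id": "c1e5c60a-9fd4-4780-a283-ec89580b6cc1",
    "client_secret": "5a1f50db-ed93-4a9b-bf37-c1cb3c74ca16",
    "com.forgerock.openam.oauth2provider.redirectionURIs": [
        "https://openam.example.com:8443/openid/cb-basic.html"],
    "registration_client_uri": OPENAM + "/oauth2/connect/register"
                               "?client_id=c1e5c60a-9fd4-4780-a283-ec89580b6cc1"})

def token_request(client_id, client_secret, username, password):
    """Step 2: the resource owner password grant the curl example sends."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urlencode({"grant_type": "password", "username": username,
                      "password": password}).encode()
    return urllib.request.Request(
        f"{OPENAM}/oauth2/access_token", data=body, method="POST",
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded"})

def registration_request(access_token, redirect_uris):
    """Step 3: POST client metadata to /oauth2/connect/register as a bearer.
    Assumption: the standard OpenID Connect 'redirect_uris' field name."""
    body = json.dumps({"redirect_uris": list(redirect_uris)}).encode()
    return urllib.request.Request(
        f"{OPENAM}/oauth2/connect/register", data=body, method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})

def check_registration(response_text):
    """Validate before storing: the secret is shown only here, and the
    registration_client_uri must point at this OpenAM for the issued client_id."""
    doc = json.loads(response_text)
    for key in ("client_id", "client_secret", "registration_client_uri"):
        if not doc.get(key):
            raise ValueError(f"registration response lacks {key}")
    uri, base = urlparse(doc["registration_client_uri"]), urlparse(OPENAM)
    if (uri.scheme, uri.netloc) != (base.scheme, base.netloc):
        raise ValueError("registration_client_uri is not on this OpenAM")
    if parse_qs(uri.query).get("client_id") != [doc["client_id"]]:
        raise ValueError("registration_client_uri names a different client")
    for cb in doc.get("com.forgerock.openam.oauth2provider.redirectionURIs", []):
        if urlparse(cb).scheme != "https":
            raise ValueError(f"non-https redirect URI registered: {cb}")
    return doc
```

Passing each Request to `urllib.request.urlopen()` performs the call; note that the token from step 2 expires in under a minute in the page's example, so step 3 must follow promptly.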