This chapter covers
- Reasons for registering OAuth clients dynamically
- Registering OAuth clients dynamically
- Managing a client registration over time
- Security considerations concerning dynamic OAuth clients
- Protecting dynamic registration with software statements
In OAuth, the client is identified to the authorization server by a client identifier that is, generally speaking, unique to the software application functioning as the OAuth client. This client ID is passed in the front end to the authorization endpoint during the authorization request stage of interactive OAuth flows, such as the authorization code grant type that we implemented in chapters 3 through 5. From this client ID, the authorization server can make decisions about which redirect URIs to allow, which scopes to allow, and what information to display to the end user. The client ID is also presented at the token endpoint, and, when combined with a client secret, it can authenticate the client throughout the authorization delegation process of OAuth.