OpenID Connect Dynamic Client Registration Guide

This guide provides detailed information about OpenID Connect Dynamic Client Registration and the key attributes used in registration requests and responses.

Overview

The OpenID Connect Dynamic Registration standard (based on OAuth 2.0 Dynamic Client Registration Protocol - RFC 7591) specifies how applications can dynamically register themselves with an authorization server without manual configuration.

Registration Flow

sequenceDiagram
    participant Client
    participant AuthServer as Authorization Server

    Client->>AuthServer: Registration Request
    Note right of AuthServer: Validates request<br/>Generates credentials
    AuthServer->>Client: Registration Response
    Note left of Client: client_id, client_secret,<br/>registration_access_token
  1. Client sends registration request to the provider’s registration endpoint
  2. Provider validates the request and generates client credentials
  3. Provider returns registration response with client_id, client_secret, and registration management token

Example Registration Request

{
  "client_name": "My Example Application",
  "redirect_uris": [
    "https://example.com/callback"
  ],
  "token_endpoint_auth_method": "client_secret_basic",
  "grant_types": ["authorization_code", "refresh_token"],
  "response_types": ["code"],
  "scope": "openid profile email"
}

Example Registration Response

{
  "client_id": "s6BhdRkqt3",
  "client_secret": "ZJYCqe3GGRvdrudKyZS0XhGv_Z45DuKhCUk0gBR1vZk",
  "client_id_issued_at": 2893256800,
  "client_secret_expires_at": 2893276800,
  "registration_access_token": "this.is.an.access.token.value.ffx83",
  "registration_client_uri": "https://platform.example.org/connect/register?client_id=s6BhdRkqt3",
  "client_name": "My Example Application",
  "redirect_uris": ["https://example.com/callback"],
  "token_endpoint_auth_method": "client_secret_basic",
  "grant_types": ["authorization_code", "refresh_token"],
  "response_types": ["code"],
  "scope": "openid profile email"
}
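The exchange above from the client's side, as an added example that is not code from this page, from RFC 7591 or from any provider's SDK. It builds the request body shown above and then checks the response before persisting it: the server is allowed to change or drop requested metadata, so the client must store what came back rather than what it sent, and it must refuse responses that are unusable (a secret-based auth method with no secret, an already-expired secret, redirect URIs it never registered, or a management URI on a foreign origin). The HTTP POST itself is left out so the example runs offline; the function names and the `now` parameter are this example's own assumptions.

```python
"""Client-side validation of a dynamic client registration response.

Added example, not the page's or any provider's code. Runs offline against the
sample request/response from the page (constructed below).
"""
import time
from urllib.parse import urlsplit

SECRET_METHODS = {"client_secret_basic", "client_secret_post"}


def build_registration_request(client_name, redirect_uris, auth_method="client_secret_basic"):
    """The request body from this page, parameterised on the per-application values."""
    return {
        "client_name": client_name,
        "redirect_uris": list(redirect_uris),
        "token_endpoint_auth_method": auth_method,
        "grant_types": ["authorization_code", "refresh_token"],
        "response_types": ["code"],
        "scope": "openid profile email",
    }


def check_registration_response(request, response, registration_endpoint, now=None):
    """Validate the JSON body returned by the registration endpoint.

    Raises ValueError on anything a client should refuse to persist; otherwise
    returns the configuration to store (the server's values win over the request).
    """
    now = int(time.time()) if now is None else now
    client_id = response.get("client_id")
    if not client_id:
        raise ValueError("response has no client_id")

    # The server may pick a different auth method than requested; honour its choice,
    # but a secret-based method without a secret is unusable.
    auth = response.get("token_endpoint_auth_method", request["token_endpoint_auth_method"])
    secret = response.get("client_secret")
    if auth in SECRET_METHODS and not secret:
        raise ValueError(f"{auth} selected but no client_secret issued")

    # client_secret_expires_at is required whenever a secret is issued; 0 means no expiry.
    expires_at = response.get("client_secret_expires_at")
    if secret:
        if expires_at is None:
            raise ValueError("client_secret issued without client_secret_expires_at")
        if expires_at != 0 and expires_at <= now:
            raise ValueError("client_secret is already expired")

    # The server may drop redirect URIs but must never add ones we did not register.
    granted = response.get("redirect_uris", request["redirect_uris"])
    extra = set(granted) - set(request["redirect_uris"])
    if extra:
        raise ValueError(f"server added redirect_uris we did not request: {sorted(extra)}")
    if not granted:
        raise ValueError("no redirect_uris left after registration")

    # Management credentials come as a pair, and the management URI must sit on the
    # same https origin as the registration endpoint we actually talked to.
    mgmt_uri = response.get("registration_client_uri")
    mgmt_token = response.get("registration_access_token")
    if (mgmt_uri is None) != (mgmt_token is None):
        raise ValueError("registration_client_uri and registration_access_token must both be present")
    if mgmt_uri:
        ep, mu = urlsplit(registration_endpoint), urlsplit(mgmt_uri)
        if mu.scheme != "https" or mu.netloc != ep.netloc:
            raise ValueError(f"registration_client_uri {mgmt_uri!r} is not on the registration endpoint's origin")

    # Record every requested field the server changed so an operator can review it.
    changed = {k: {"requested": request[k], "granted": response[k]}
               for k in request if k in response and response[k] != request[k]}

    return {
        "client_id": client_id,
        "client_secret": secret,
        "client_secret_expires_at": expires_at,
        "token_endpoint_auth_method": auth,
        "redirect_uris": list(granted),
        "grant_types": response.get("grant_types", request["grant_types"]),
        "response_types": response.get("response_types", request["response_types"]),
        "scope": response.get("scope", request["scope"]),
        "registration_client_uri": mgmt_uri,
        "registration_access_token": mgmt_token,
        "changed_by_server": changed,
    }


# Constructed sample: the request and response bodies shown on this page.
REGISTRATION_ENDPOINT = "https://platform.example.org/connect/register"
SAMPLE_REQUEST = build_registration_request("My Example Application", ["https://example.com/callback"])
SAMPLE_RESPONSE = {
    "client_id": "s6BhdRkqt3",
    "client_secret": "ZJYCqe3GGRvdrudKyZS0XhGv_Z45DuKhCUk0gBR1vZk",
    "client_id_issued_at": 2893256800,
    "client_secret_expires_at": 2893276800,
    "registration_access_token": "this.is.an.access.token.value.ffx83",
    "registration_client_uri": "https://platform.example.org/connect/register?client_id=s6BhdRkqt3",
    "client_name": "My Example Application",
    "redirect_uris": ["https://example.com/callback"],
    "token_endpoint_auth_method": "client_secret_basic",
    "grant_types": ["authorization_code", "refresh_token"],
    "response_types": ["code"],
    "scope": "openid profile email",
}

if __name__ == "__main__":
    config = check_registration_response(SAMPLE_REQUEST, SAMPLE_RESPONSE, REGISTRATION_ENDPOINT)
    print(config["client_id"], "changed by server:", config["changed_by_server"])
```

The `changed_by_server` map is the part worth surfacing in logs: a provider that silently downgrades `private_key_jwt` to `client_secret_post`, or drops a redirect URI, has changed the client's security posture, and the client should record that rather than assume it got what it asked for.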

Key Attributes

This guide covers three critical attributes in detail:

Token Endpoint Auth Method

How the client authenticates when requesting tokens from the token endpoint.

Common values: client_secret_basic, client_secret_post, private_key_jwt, none

Grant Types

The OAuth 2.0 grant types (flows) the client is allowed to use.

Common values: authorization_code, refresh_token, client_credentials

Response Types

What the authorization endpoint returns in the authorization response.

Common values: code, token, id_token

Modern Best Practices (2025+)

For Web Applications

{
  "grant_types": ["authorization_code", "refresh_token"],
  "response_types": ["code"],
  "token_endpoint_auth_method": "private_key_jwt"
}

For Single Page Applications (SPAs)

{
  "grant_types": ["authorization_code", "refresh_token"],
  "response_types": ["code"],
  "token_endpoint_auth_method": "none"
}

Note: SPAs must use PKCE (Proof Key for Code Exchange).

For Backend Services

{
  "grant_types": ["client_credentials"],
  "response_types": [],
  "token_endpoint_auth_method": "private_key_jwt"
}
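The three key attributes only make sense in combination, and the profiles above are the shapes a provider should expect. The following is an added example, not code from this page or from any authorization server, of a server-side consistency check a registration endpoint could run before issuing credentials. It uses the grant-type/response-type correlations from RFC 7591 section 2.1, accepts the three profiles above (each with `redirect_uris` added where a redirection-based grant requires them), and rejects the implicit flow in line with the best practices on this page. The function name, the error strings and the `require_pkce` flag are this example's own assumptions.

```python
"""Server-side consistency check of token_endpoint_auth_method, grant_types,
response_types and redirect_uris in a registration request.

Added example, not the page's or any provider's code. Constructed inputs below.
"""
from urllib.parse import urlsplit

# Which response types each supported grant type implies (RFC 7591 section 2.1).
# The implicit grant is deliberately absent: this policy only accepts code + PKCE.
GRANT_TO_RESPONSE = {
    "authorization_code": {"code"},
    "refresh_token": set(),
    "client_credentials": set(),
}
ALLOWED_AUTH_METHODS = {"client_secret_basic", "client_secret_post", "private_key_jwt", "none"}


def validate_registration(meta):
    """Return {"errors": [...], "require_pkce": bool}; empty errors means accept."""
    errors = []
    # RFC 7591 defaults apply when the client omits an attribute.
    grants = set(meta.get("grant_types", ["authorization_code"]))
    responses = set(meta.get("response_types", ["code"]))
    auth = meta.get("token_endpoint_auth_method", "client_secret_basic")
    redirects = meta.get("redirect_uris", [])

    if auth not in ALLOWED_AUTH_METHODS:
        errors.append(f"unsupported token_endpoint_auth_method {auth!r}")

    unknown = grants - GRANT_TO_RESPONSE.keys()
    if unknown:
        errors.append(f"unsupported grant_types {sorted(unknown)}")

    # Every response type must be implied by a requested grant type, and
    # authorization_code is unusable without response_type 'code'.
    implied = set().union(*(GRANT_TO_RESPONSE.get(g, set()) for g in grants))
    stray = responses - implied
    if stray:
        errors.append(f"response_types {sorted(stray)} not implied by grant_types "
                      f"{sorted(grants)}; only 'code' (with PKCE) is accepted")
    if "authorization_code" in grants and "code" not in responses:
        errors.append("authorization_code grant requires response_type 'code'")
    if "refresh_token" in grants and "authorization_code" not in grants:
        errors.append("refresh_token is only issued alongside authorization_code")

    # Redirect URIs: required for redirection-based flows, meaningless otherwise,
    # always https (loopback excepted) and never carrying a fragment.
    redirection_based = "authorization_code" in grants or bool(responses)
    if redirection_based and not redirects:
        errors.append("redirect_uris required for a redirection-based grant")
    if not redirection_based and redirects:
        errors.append("redirect_uris given but no redirection-based grant requested")
    for uri in redirects:
        parts = urlsplit(uri)
        if parts.scheme != "https" and parts.hostname not in ("localhost", "127.0.0.1", "::1"):
            errors.append(f"redirect_uri {uri!r} must use https")
        if parts.fragment:
            errors.append(f"redirect_uri {uri!r} must not contain a fragment")

    # A public client (no credential) cannot use client_credentials at all, and the
    # server must force PKCE on every authorization request such a client makes.
    if auth == "none" and "client_credentials" in grants:
        errors.append("client_credentials needs a client credential; auth method 'none' not allowed")

    return {"errors": errors, "require_pkce": auth == "none"}


# Constructed inputs: the three profiles from this page (with redirect_uris added
# where needed) plus a legacy implicit-flow request that the policy should reject.
WEB_APP = {"grant_types": ["authorization_code", "refresh_token"], "response_types": ["code"],
           "token_endpoint_auth_method": "private_key_jwt",
           "redirect_uris": ["https://example.com/callback"]}
SPA = dict(WEB_APP, token_endpoint_auth_method="none")
BACKEND = {"grant_types": ["client_credentials"], "response_types": [],
           "token_endpoint_auth_method": "private_key_jwt"}
LEGACY_IMPLICIT = {"grant_types": ["implicit"], "response_types": ["token"],
                   "token_endpoint_auth_method": "none",
                   "redirect_uris": ["http://example.com/callback#cb"]}

if __name__ == "__main__":
    for name, meta in [("web", WEB_APP), ("spa", SPA), ("backend", BACKEND), ("legacy", LEGACY_IMPLICIT)]:
        print(name, validate_registration(meta))
```

The `require_pkce` flag is returned rather than enforced here because PKCE is not a registration attribute: the registration endpoint records that the client is public, and the authorization endpoint later refuses any request from that `client_id` without a `code_challenge`.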

References