A "client" is a piece of software either acting autonomously or on behalf of
a person. The OAuth framework defines the term client. In OpenID Connect,
OAuth 2.0 Clients using OpenID Connect are also referred to as Relying Parties (RPs).
Don't confuse a Client with either the Person or the Browser!
OpenID allows you to use as much security as you need. To a large extent, the
security of your implementation depends on what client features you select.
For example, let's just consider how the client authenticates itself to Jans Auth
Server, which is defined by the token_endpoint_auth_method in OpenID Connect:
|Method||Secret Not Sent in Clear||Signed||Only client has secret|
Obviously, using asymmetric secrets for authentication is more secure. The
client configuration also determines what crypto is used for signing and
encryption of tokens, what scopes are available to the client (which determines
the extent of access to APIs), what grants are available, what is a valid
redirect_uri, timeouts, whether to use a value or reference token, whether to
expire the client, and several other options that impact security.
There are a few ways clients are created and managed in Jans Auth Server:
- Jans Config API
- Command Line Tool (CLI)
- Jans Text UI (TUI)
- OpenID Connect Dynamic Client Registration
Which mechanism to use depends on the deployment requirements. For ad hoc
creation, the TUI is great. If you need to quickly script client creation (e.g.
in a bash script), use the CLI, or use
curl to call the Jans Config API. If
developers need to have the ability to register clients, then adopt OpenID
Connect Dynamic Client Registration.
OpenID Dynamic Client Registration
Jans Auth Server publishes the
registration_endpoint in the OpenID
configuration JSON response, which you can find at
in your specific deployment. Typically, it is
The OpenAPI specification for /registration documents Jans Auth Server's specific implementation, which aligns with the requirements of OpenID Connect dynamic client registration. Also check the Registration Endpoint documentation for more details on the steps involved in dynamic client registration.
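The client settings discussed above (authentication method, redirect_uri, grants, signing algorithm) can be checked before a registration request is sent. The following is an added example, not code from the Janssen project: it reviews a request body that uses the standard OpenID Connect dynamic registration metadata names; `review_registration`, the finding texts and the two sample bodies are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# token_endpoint_auth_method values from OpenID Connect, mapped to:
# (secret not sent in clear, request signed or MACed, only the client has the secret)
AUTH_METHODS = {
    "client_secret_basic": (False, False, False),
    "client_secret_post": (False, False, False),
    "client_secret_jwt": (True, True, False),
    "private_key_jwt": (True, True, True),
    "none": (False, False, False),
}

def review_registration(metadata: dict) -> list[str]:
    """Return findings for a dynamic client registration request body."""
    findings = []
    # The registration spec defaults to client_secret_basic when the field is omitted.
    method = metadata.get("token_endpoint_auth_method", "client_secret_basic")
    if method not in AUTH_METHODS:
        findings.append(f"unknown token_endpoint_auth_method: {method}")
    else:
        hidden, _signed, client_only = AUTH_METHODS[method]
        if method == "none":
            findings.append("none: client does not authenticate at the token endpoint")
        elif not hidden:
            findings.append(f"{method}: shared secret is sent with every token request")
        elif not client_only:
            findings.append(f"{method}: the server also holds the signing secret")
        if method == "private_key_jwt" and not (metadata.get("jwks_uri") or metadata.get("jwks")):
            findings.append("private_key_jwt: no jwks_uri or jwks to verify signatures with")
    for uri in metadata.get("redirect_uris", []):
        parts = urlsplit(uri)
        if parts.scheme == "http" and parts.hostname not in ("localhost", "127.0.0.1", "::1"):
            findings.append(f"redirect_uri is not https: {uri}")
        if "*" in uri or parts.fragment:
            findings.append(f"redirect_uri has a wildcard or fragment: {uri}")
    if "implicit" in metadata.get("grant_types", []):
        findings.append("implicit grant returns tokens through the browser")
    if metadata.get("id_token_signed_response_alg") == "none":
        findings.append("id_token_signed_response_alg is none: ID tokens are unsigned")
    return findings

# Constructed sample request bodies (not taken from a real deployment).
WEAK = {"redirect_uris": ["http://app.example.com/cb"],
        "grant_types": ["authorization_code", "implicit"]}
STRONG = {"redirect_uris": ["https://app.example.com/cb"],
          "grant_types": ["authorization_code"],
          "token_endpoint_auth_method": "private_key_jwt",
          "jwks_uri": "https://app.example.com/jwks.json",
          "id_token_signed_response_alg": "RS256"}

if __name__ == "__main__":
    print(json.dumps({"WEAK": review_registration(WEAK), "STRONG": review_registration(STRONG)}, indent=2))
```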
Below is a one-liner to add a client.
./config-cli-tui.pyz --host $FQDN --client-id $MY_CLIENT_ID \
  --client-secret $MY_CLIENT_SECRET --no-tui \
  --operation-id=post-oauth-openid-client --data=my_client.json
For more information about how to use the Jans-CLI, see the docs.
To start registering a new client, navigate to
Add Client. This brings up a screen as shown below
with various sections to input client details.
To add a client via
curl, see information on the
curl documentation page.