Skip to content

Client Management#

Background#

A "client" is a piece of software either acting autonomously or on behalf of a person. The OAuth framework defines the term client here. OpenId Connect clarifies that: OAuth 2.0 Clients using OpenID Connect are also referred to as Relying Parties (RPs)

Don't confuse a Client with either the Person or the Browser!

Client Security#

OpenID allows you to use as much security as you need. To a large extent, the security of your implementation depends on what client features you select. For example, let's just consider how the client authenticates itself to Jans Auth Server, which is defined by the token_endpoint_auth_method in OpenID Connect Client Metadata.

Obviously, using asynchronous secrets for authentication is more secure. The client configuration also determines what crypto is used for signing and encryption of tokens, what scopes are available to the client (which determines the extent of access to APIs), what grants are available, what is a valid redirect_uri, timeouts, whether to use a value or reference token, whether to expire the client, and several other options that impact security.

Client Management Tools#

A client can be created (and managed) by using one of the following tools offered by the Jans Auth server:

The choice of tool should be made based on your business requirement. - For ad hoc creation, the TUI is great. - If you need to quickly script client creation (e.g. in a bash script) use the CLI - Use curl to call the Jans Config API. - To allow apps to register as OIDC clients, without a manual process, the OpenID Connect Dynamic Client Registration (DCR) can be used.

A. OpenID Dynamic Client Registration#

Jans Auth server publishes the registration_endpoint in the OpenID configuration JSON response, which you can find at .well-known/openid-configuration in your specific deployment. Typically, it is https://{hostname}/jans-auth/restv1/register

The OpenApi specification for /registration documents Jans Auth Server's specific implementation, which aligns with the requirements of OpenID Connect dynamic client registration. Also, check the Registration Endpoint documentation for more details on the steps involved in dynamic client registration.

B. Jans-CLI#

Below is a one liner to add a client.

./config-cli-tui.pyz --host $FQDN --client-id $MY_CLIENT_ID \
--client-secret $MY_CLIENT_SECRET --no-tui \
--operation-id=post-oauth-openid-client  --data=my_client.json

For more information about how to use the Jans-CLI, see the docs

C. TUI#

To start registering a new client, navigate to Auth Server->Clients->Add Client. This brings up a screen as shown below with various sections to input client details.

Refer to complete documentation here

D. Using curl commands#

To add a client via curl, see the information on the curl documentation page.


Last update: 2024-09-27
Created: 2022-09-02