RFC 7592
Feature availability
Section titled “Feature availability”| Feature | Support |
|---|---|
| OAuth2/OIDC clients | ✅ Full, via RFC 7591/7592 registration endpoints |
| SAML clients | ❌ Not supported |
| Resource servers | ⚠️ Derived from existing client audiences (read-only) |
| Client cloning | ⚠️ Provider-dependent (requires re-registration) |
Use this provider for any server that speaks the standard — Keycloak, Spring Authorization Server, or a custom implementation.
-
Confirm your server exposes a registration endpoint
RFC 7592 builds on RFC 7591 (Dynamic Client Registration). Your server must expose
POST {RFC7592_BASE_URL}/registerfor creation, and support theGET/PUT/DELETEoperations on the returnedregistration_client_urifor updates and deletes. -
Choose an authentication mode for the management API
none— the registration endpoint is open (no admin credentials needed)client_credentials— Taco fetches an admin access token via the OAuth2 client credentials grant before calling the registration endpoint
-
Set environment variables
Terminal window OPENID_PROVIDER=rfc7592RFC7592_BASE_URL=https://oauth.example.comOPENID_PROVIDER_AUTH_TYPE=client_credentialsOPENID_PROVIDER_AUTH_ISSUER=https://oauth.example.comOPENID_PROVIDER_AUTH_CLIENT_ID=taco_admin_clientOPENID_PROVIDER_AUTH_CLIENT_SECRET=your_admin_client_secretOPENID_PROVIDER_AUTH_TOKEN_METHOD=client_secret_postOPENID_PROVIDER_AUTH_SCOPE=admin:clientsOPENID_PROVIDER_AUTH_AUDIENCE=https://api.example.com
Example: Keycloak
Section titled “Example: Keycloak”RFC7592_BASE_URL=https://keycloak.example.com/realms/masterOPENID_PROVIDER_AUTH_ISSUER=https://keycloak.example.com/realms/masterOPENID_PROVIDER_AUTH_CLIENT_ID=admin-cliOPENID_PROVIDER_AUTH_CLIENT_SECRET=your_admin_secretExample: open registration (no auth)
Section titled “Example: open registration (no auth)”RFC7592_BASE_URL=https://open-oauth.example.comOPENID_PROVIDER_AUTH_TYPE=noneClient management notes
Section titled “Client management notes”- Resource servers are derived from existing client audiences, same as the Ory Hydra provider — there is no native resource server concept in the spec.
- The
registration_access_tokenreturned on client creation is stored so Taco can perform later updates/deletes without re-authenticating as the client itself.
OIDC login (optional)
Section titled “OIDC login (optional)”To protect the Taco dashboard with your own server’s SSO:
AUTH_CLIENT_OPENID_CONFIGURATION_URL=https://oauth.example.com/.well-known/openid-configurationAUTH_CLIENT_ID=taco_applicationAUTH_CLIENT_SECRET=taco_application_secretAUTH_CLIENT_SCOPE="openid profile email"Add <BASE_URL>/api/auth/callback/oidc to the allowed redirect URIs of that client.