Skip to content

RFC 7592

FeatureSupport
OAuth2/OIDC clients✅ Full, via RFC 7591/7592 registration endpoints
SAML clients❌ Not supported
Resource servers⚠️ Derived from existing client audiences (read-only)
Client cloning⚠️ Provider-dependent (requires re-registration)

Use this provider for any server that speaks the standard — Keycloak, Spring Authorization Server, or a custom implementation.

  1. Confirm your server exposes a registration endpoint

    RFC 7592 builds on RFC 7591 (Dynamic Client Registration). Your server must expose POST {RFC7592_BASE_URL}/register for creation, and support the GET/PUT/DELETE operations on the returned registration_client_uri for updates and deletes.

  2. Choose an authentication mode for the management API

    • none — the registration endpoint is open (no admin credentials needed)
    • client_credentials — Taco fetches an admin access token via the OAuth2 client credentials grant before calling the registration endpoint
  3. Set environment variables

    Terminal window
    OPENID_PROVIDER=rfc7592
    RFC7592_BASE_URL=https://oauth.example.com
    OPENID_PROVIDER_AUTH_TYPE=client_credentials
    OPENID_PROVIDER_AUTH_ISSUER=https://oauth.example.com
    OPENID_PROVIDER_AUTH_CLIENT_ID=taco_admin_client
    OPENID_PROVIDER_AUTH_CLIENT_SECRET=your_admin_client_secret
    OPENID_PROVIDER_AUTH_TOKEN_METHOD=client_secret_post
    OPENID_PROVIDER_AUTH_SCOPE=admin:clients
    OPENID_PROVIDER_AUTH_AUDIENCE=https://api.example.com
Terminal window
RFC7592_BASE_URL=https://keycloak.example.com/realms/master
OPENID_PROVIDER_AUTH_ISSUER=https://keycloak.example.com/realms/master
OPENID_PROVIDER_AUTH_CLIENT_ID=admin-cli
OPENID_PROVIDER_AUTH_CLIENT_SECRET=your_admin_secret
Terminal window
RFC7592_BASE_URL=https://open-oauth.example.com
OPENID_PROVIDER_AUTH_TYPE=none
  • Resource servers are derived from existing client audiences, same as the Ory Hydra provider — there is no native resource server concept in the spec.
  • The registration_access_token returned on client creation is stored so Taco can perform later updates/deletes without re-authenticating as the client itself.

To protect the Taco dashboard with your own server’s SSO:

Terminal window
AUTH_CLIENT_OPENID_CONFIGURATION_URL=https://oauth.example.com/.well-known/openid-configuration
AUTH_CLIENT_ID=taco_application
AUTH_CLIENT_SECRET=taco_application_secret
AUTH_CLIENT_SCOPE="openid profile email"

Add <BASE_URL>/api/auth/callback/oidc to the allowed redirect URIs of that client.