Dynamic Client Registration
Ce contenu n’est pas encore disponible dans votre langue.
Dynamic client registration lets any service register its own OAuth 2.0 client at runtime — no server restart, no shared config file. This makes stubIdP suitable as a single, shared OIDC server for a team or a multi-service test environment.
stubIdP implements:
- RFC 7591 — OAuth 2.0 Dynamic Client Registration Protocol (
POST /register) - RFC 7592 — OAuth 2.0 Dynamic Client Registration Management Protocol (
GET/PUT/DELETE /register/:id)
Start with registration enabled
Section titled “Start with registration enabled”# Open registration — any caller may register a clientnpx @cerberauth/stubidp --enable-registration
# Protected registration — callers must present a bearer tokennpx @cerberauth/stubidp --enable-registration --registration-initial-access-token mysecretThe startup table will show the registration endpoint:
| Registration URL | http://localhost:8484/register |Register a client
Section titled “Register a client”-
Send a registration request
Terminal window curl -X POST http://localhost:8484/register \-H 'Content-Type: application/json' \-d '{"client_name": "my-service","redirect_uris": ["http://localhost:3000/callback"],"grant_types": ["authorization_code", "refresh_token"],"response_types": ["code"]}'If you started with
--registration-initial-access-token mysecret, add:-H 'Authorization: Bearer mysecret' -
Save the response
{"client_id": "abc123","client_secret": "s3cr3t","registration_access_token": "rat_xyz...","registration_client_uri": "http://localhost:8484/register/abc123","redirect_uris": ["http://localhost:3000/callback"],...}Store
client_id,client_secret, andregistration_access_token— you will need them later. -
Configure your application
Use the returned
client_idandclient_secretexactly as you would with a statically configured client. The issuer and discovery URL remain unchanged:Setting Value Issuer http://localhost:8484Discovery URL http://localhost:8484/.well-known/openid-configurationClient ID value from registration response Client Secret value from registration response
Manage a registered client
Section titled “Manage a registered client”Use the registration_access_token from the registration response to read, update, or delete the client.
curl http://localhost:8484/register/<client_id> \ -H 'Authorization: Bearer <registration_access_token>'Update
Section titled “Update”PUT replaces the full client object — supply all fields, not just the ones that changed.
curl -X PUT http://localhost:8484/register/<client_id> \ -H 'Authorization: Bearer <registration_access_token>' \ -H 'Content-Type: application/json' \ -d '{ "client_id": "<client_id>", "redirect_uris": ["http://localhost:3001/callback"], "grant_types": ["authorization_code", "refresh_token"], "response_types": ["code"] }'Delete
Section titled “Delete”curl -X DELETE http://localhost:8484/register/<client_id> \ -H 'Authorization: Bearer <registration_access_token>'Multi-service test environments
Section titled “Multi-service test environments”Each service in your stack can register its own client at startup and tear it down afterward, with no coordination needed:
# service-a bootstrapCLIENT=$(curl -sX POST http://stubidp:8484/register \ -H 'Content-Type: application/json' \ -d '{"redirect_uris":["http://service-a/cb"],"grant_types":["authorization_code"]}')
CLIENT_ID=$(echo $CLIENT | jq -r .client_id)CLIENT_SECRET=$(echo $CLIENT | jq -r .client_secret)RAT=$(echo $CLIENT | jq -r .registration_access_token)
# ... run tests ...
# cleanupcurl -sX DELETE http://stubidp:8484/register/$CLIENT_ID \ -H "Authorization: Bearer $RAT"