WORKERS AHEAD!

You are viewing the development documentation for the Apereo CAS server. The functionality presented here is not officially released yet. This is a work in progress and will be continually updated as development moves forward. You are most encouraged to test the changes presented.

Dynamic Client Registration - OpenID Connect Authentication

Please study the specification to learn more about dynamic client registration.

The registration endpoint accepts POST requests where the body of the request is to contain the application registration record. By default, CAS operates in a PROTECTED mode where the registration endpoint requires user authentication.

The following settings and properties are available from the CAS configuration catalog:

_{The configuration settings listed below are tagged as Required in the CAS configuration metadata. This flag indicates that the presence of the setting may be needed to activate or affect the behavior of the CAS feature and generally should be reviewed, possibly owned and adjusted. If the setting is assigned a default value, you do not need to strictly put the setting in your copy of the configuration, but should review it nonetheless to make sure it matches your deployment expectations.}

_{The configuration settings listed below are tagged as Optional in the CAS configuration metadata. This
flag indicates that the presence of the setting
is not immediately necessary in the end-user CAS configuration, because a default value is assigned or
the activation of the feature is not conditionally controlled by the setting value. In other words, you should only include this field in your
configuration if you need to modify the default value or if you need to turn on the feature controlled by the setting.}


`cas.authn.oidc.registration.client-secret-expiration=0` When client secret is issued by CAS, this is the period that gets added to the current time measured in UTC to determine the client secret's expiration date. An example value would be `P14D` forcing client applications to expire their client secret in 2 weeks after the registration date. Expired client secrets can be updated using the client configuration endpoint. A value of `0` indicates that client secrets would never expire. This settings supports the `java.time.Duration` syntax ^[?]. `org.apereo.cas.configuration.model.support.oidc.OidcClientRegistrationProperties.`
`cas.authn.oidc.registration.dynamic-client-registration-mode=PROTECTED` Whether dynamic registration operates in `OPEN` or `PROTECTED` mode. Available values are as follows: `OPEN`: Registration is open to all. In a situation where CAS is supporting open Client registration, it will check to see if the `logo_uri` and `policy_uri` have the same host as the hosts defined in the array of `redirect_uris`. `PROTECTED`: registration is protected for all. `org.apereo.cas.configuration.model.support.oidc.OidcClientRegistrationProperties.`
`cas.authn.oidc.registration.initial-access-token-password=` The password used in a basic-auth scheme to request an initial access token that would then be used to dynamically register clients in `DynamicClientRegistrationModes#PROTECTED` mode. `org.apereo.cas.configuration.model.support.oidc.OidcClientRegistrationProperties.`
`cas.authn.oidc.registration.initial-access-token-user=` The username used in a basic-auth scheme to request an initial access token that would then be used to dynamically register clients in `DynamicClientRegistrationModes#PROTECTED` mode. `org.apereo.cas.configuration.model.support.oidc.OidcClientRegistrationProperties.`