RFC 7591 — OAuth 2.0 Dynamic Client Registration
Spec: datatracker.ietf.org/doc/html/rfc7591
Status: Partial
RFC 7591 defines a standard protocol for OAuth clients to register themselves with an authorization server at runtime, without requiring a manual admin step.
Implemented
- Registration endpoint — `POST /oidc/register` accepts a JSON client metadata document and creates a new client.
- Initial Access Tokens (IATs) — registration can be gated behind a tenant-issued IAT that constrains which metadata values the caller may request (allowed grant types, scopes, redirect URI patterns, etc.).
- Client credential issuance — the server generates `client_id` and, for confidential clients, `client_secret`.
- Registration Access Token (RAT) — the response includes a RAT and a `registration_client_uri`, enabling subsequent management via RFC 7592.
- Metadata validation — redirect URIs, grant types, response types, and token endpoint auth methods are validated against what the tenant allows.
- Discovery — `registration_endpoint` is advertised in `/.well-known/openid-configuration` when dynamic registration is enabled for the tenant.
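The following is an added example, not the project's own code, showing how the items above fit together on the server side: an IAT selects a tenant policy, the submitted metadata is validated against it (including the RFC 7591 §2 rule that each `response_type` requires a matching `grant_type`, and that redirect URIs are absolute `https` URIs on a permitted host), and on success the RFC 7591 §3.2.1 response is built with `client_id`, a `client_secret` only for confidential clients, a registration access token and a `registration_client_uri`. The IAT-to-policy table, the policy fields, the sample values and the `/oidc/register/{client_id}` management URI layout are assumptions for illustration.

```python
"""Server-side handling of an RFC 7591 registration request gated by an
Initial Access Token (IAT). Added example: the policy shape, the IAT store
and the management URI layout are assumptions, not the project's design."""
import secrets
import time
from urllib.parse import urlsplit

# RFC 7591 section 2: each response_type implies a grant_type the client must also register.
RESPONSE_TYPE_TO_GRANT = {"code": "authorization_code", "token": "implicit"}

# Constructed sample: one IAT mapped to what the tenant allows this caller to request.
IAT_POLICIES = {
    "iat-demo-token": {
        "grant_types": {"authorization_code", "refresh_token"},
        "response_types": {"code"},
        "scopes": {"openid", "profile"},
        "redirect_hosts": {"app.example.com"},
        "token_endpoint_auth_methods": {"client_secret_basic", "none"},
    }
}


class RegistrationError(Exception):
    """Carries an RFC 7591 section 3.2.2 error code plus a description."""
    def __init__(self, error, description):
        super().__init__(description)
        self.error = error
        self.description = description


def _check_redirect_uri(uri, allowed_hosts):
    parts = urlsplit(uri)
    if parts.scheme != "https" and parts.hostname not in ("localhost", "127.0.0.1"):
        raise RegistrationError("invalid_redirect_uri", f"{uri}: https required")
    if parts.fragment:
        raise RegistrationError("invalid_redirect_uri", f"{uri}: fragment not allowed")
    if parts.hostname not in allowed_hosts:
        raise RegistrationError("invalid_redirect_uri", f"{uri}: host not permitted")


def validate_metadata(meta, policy):
    """Return normalized client metadata, or raise RegistrationError."""
    grant_types = set(meta.get("grant_types", ["authorization_code"]))
    response_types = set(meta.get("response_types", ["code"]))
    auth_method = meta.get("token_endpoint_auth_method", "client_secret_basic")
    scope = set(meta.get("scope", "").split())

    if not grant_types <= policy["grant_types"]:
        raise RegistrationError("invalid_client_metadata", "grant_type not permitted")
    if not response_types <= policy["response_types"]:
        raise RegistrationError("invalid_client_metadata", "response_type not permitted")
    for rt in response_types:
        needed = RESPONSE_TYPE_TO_GRANT.get(rt)
        if needed and needed not in grant_types:
            raise RegistrationError("invalid_client_metadata",
                                    f"response_type {rt} requires grant_type {needed}")
    if auth_method not in policy["token_endpoint_auth_methods"]:
        raise RegistrationError("invalid_client_metadata", "auth method not permitted")
    if not scope <= policy["scopes"]:
        raise RegistrationError("invalid_client_metadata", "scope not permitted")

    redirect_uris = meta.get("redirect_uris", [])
    if grant_types & {"authorization_code", "implicit"} and not redirect_uris:
        raise RegistrationError("invalid_redirect_uri", "redirect_uris required")
    for uri in redirect_uris:
        _check_redirect_uri(uri, policy["redirect_hosts"])

    return {
        "redirect_uris": redirect_uris,
        "grant_types": sorted(grant_types),
        "response_types": sorted(response_types),
        "token_endpoint_auth_method": auth_method,
        "scope": " ".join(sorted(scope)),
        "client_name": meta.get("client_name"),
    }


def register_client(meta, initial_access_token, issuer="https://as.example.com"):
    """Handle POST /oidc/register; return (http_status, json_body) per RFC 7591 section 3.2."""
    policy = IAT_POLICIES.get(initial_access_token)
    if policy is None:
        return 401, {"error": "invalid_token"}
    try:
        normalized = validate_metadata(meta, policy)
    except RegistrationError as e:
        return 400, {"error": e.error, "error_description": e.description}

    client_id = secrets.token_urlsafe(16)
    body = dict(normalized)
    body["client_id"] = client_id
    body["client_id_issued_at"] = int(time.time())
    # Only confidential clients receive a secret; public clients (auth method "none") do not.
    if normalized["token_endpoint_auth_method"] != "none":
        body["client_secret"] = secrets.token_urlsafe(32)
        body["client_secret_expires_at"] = 0  # 0 means the secret does not expire
    # RFC 7592 management handle; the URI layout is an assumption of this example.
    body["registration_access_token"] = secrets.token_urlsafe(32)
    body["registration_client_uri"] = f"{issuer}/oidc/register/{client_id}"
    return 201, body
```

The rejections are deliberately specific (`invalid_redirect_uri` vs. `invalid_client_metadata`) so that a client, or an operator reading the logs, can tell a policy mismatch from a malformed request; an unknown IAT is answered before any metadata is inspected.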
Partial / not yet implemented
- Software statements — `software_statement` (signed JWT of client metadata per RFC 7591 §2.3) is not yet validated or processed.
- Localized metadata — language-tagged metadata fields (e.g. `client_name#ja-Jpan-JP`) are accepted but not specially parsed.
- Full first-class metadata coverage — some RFC 7591 fields are preserved as extra metadata rather than being first-class columns on the client record.