feat: TUI support for OpenID Dynamic Client registration via software statement (SSA) issued by Auth Server #2981
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
It should be possible to run the client on any workstation that has access to the config api.
An SSA is a JWT which is presentyed during dynamic client registration. It is signed by the AS (i.e. Auth Server).
If the Auth Server admin generates a software statement, the admin could provide this to the person who wants to use the TUI, and then each instance of the TUI would generate distinct client credentials
This would enable the TUI to generate a cryptographic key pair, and use dynamic client registration to obtain a client_id–i.e. use asymetric client secret instead of a shared secret (like client secret)
The software statement would pre-authorize scopes–for example the scopes needed to call the config API endpoints.
If a person starts the TUI, and it detects that there are no client credential present, it should prompt for a software statement and the OpenID Connect configuration endpoint (e.g. https://example.com/.well-known/openid-configuration). With these two pieces of data, the TUI could dynamically register, and then prompt the user to start a device flow authentication.
The text was updated successfully, but these errors were encountered: