
Dynamic Client Registration

Kenta Ishizaki edited this page Jun 15, 2026 · 1 revision


This gem supports OpenID Connect Dynamic Client Registration 1.0 based on RFC 7591.

To enable dynamic client registration, add the following to config/initializers/doorkeeper_openid_connect.rb:

Doorkeeper::OpenidConnect.configure do
  # ...
  dynamic_client_registration true
  # ...
end

This exposes a POST /oauth/registration endpoint where OAuth clients can register themselves.

Supported parameters

The registration endpoint currently accepts the following RFC 7591 §2 parameters:

| Parameter | Description |
|---|---|
| client_name | Human-readable name of the client |
| redirect_uris | Array of redirection URIs |
| scope | Space-delimited list of requested scopes |
| token_endpoint_auth_method | Requested authentication method. Defaults to client_secret_basic. none is always allowed (and registers a public client); other allowed values depend on the host application's Doorkeeper client_credentials_methods configuration. Unsupported values are rejected with invalid_client_metadata. |
| application_type | Client type: web (default) or native, per OpenID Connect Discovery 1.0. Unsupported values are rejected with invalid_client_metadata. |
| response_types | Array of OAuth 2.0 response types the client will use (e.g. ["code"]). Must be a subset of the server's supported response types. Defaults to the server's full set when omitted. |
| grant_types | Array of OAuth 2.0 grant types the client will use (e.g. ["authorization_code"]). Must be a subset of the server's supported grant types. Defaults to the server's full set when omitted. |

When token_endpoint_auth_method is set to none, the client is registered as public (i.e. confidential: false). For all other values — or when the parameter is omitted — the client is registered as confidential, matching the RFC 7591 default of client_secret_basic.

Other RFC 7591 parameters (e.g. client_uri, logo_uri, contacts) require schema additions to oauth_applications and are not yet supported.
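As an added illustration (not the gem's own code), the following Ruby applies the rules in the table above to a parsed registration body: the token_endpoint_auth_method and application_type checks, the subset-or-default rule for response_types and grant_types, and the public/confidential mapping. The server hash, the mapping from Doorkeeper's client_credentials_methods symbols to the RFC 7591 method names, and storing multiple redirect URIs newline-joined in a single redirect_uri attribute are assumptions of this example.

```ruby
# Constructed example, not the gem's implementation: validates a parsed
# registration body against the server's configuration and returns either
# the attributes to store or an RFC 7591 invalid_client_metadata error.
module DcrMetadata
  # Assumed mapping from Doorkeeper's client_credentials_methods symbols
  # to RFC 7591 token_endpoint_auth_method names.
  AUTH_METHOD_FOR = { from_basic: "client_secret_basic",
                      from_params: "client_secret_post" }.freeze
  APPLICATION_TYPES = %w[web native].freeze

  # server: { response_types:, grant_types:, client_credentials_methods: }
  def self.validate(params, server)
    allowed_auth = ["none"] +
      server[:client_credentials_methods].map { |m| AUTH_METHOD_FOR[m] }.compact
    auth_method = params.fetch("token_endpoint_auth_method", "client_secret_basic")
    return error("unsupported token_endpoint_auth_method") unless allowed_auth.include?(auth_method)

    app_type = params.fetch("application_type", "web")
    return error("unsupported application_type") unless APPLICATION_TYPES.include?(app_type)

    redirect_uris = params["redirect_uris"]
    return error("redirect_uris must be an array") unless redirect_uris.is_a?(Array)

    response_types = subset_or_default(params["response_types"], server[:response_types])
    return error("unsupported response_types") unless response_types
    grant_types = subset_or_default(params["grant_types"], server[:grant_types])
    return error("unsupported grant_types") unless grant_types

    { ok: true,
      attrs: { name: params["client_name"],
               redirect_uri: redirect_uris.join("\n"),   # assumed storage format
               scopes: params["scope"].to_s,
               confidential: auth_method != "none",      # none => public client
               application_type: app_type,
               response_types: response_types,
               grant_types: grant_types } }
  end

  # Omitted => server's full set; present => must be a subset, else nil.
  def self.subset_or_default(requested, supported)
    return supported.dup if requested.nil?
    return nil unless requested.is_a?(Array) && requested.all? { |v| supported.include?(v) }
    requested
  end

  def self.error(description)
    { ok: false, error: "invalid_client_metadata", error_description: description }
  end
end
```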

Authorization

By default, the registration endpoint is open to any request. To require authorization (e.g. an Initial Access Token per RFC 7591 §3.1), configure authorize_dynamic_client_registration:

Doorkeeper::OpenidConnect.configure do
  # ...
  dynamic_client_registration true
  authorize_dynamic_client_registration do
    provided = request.headers["Authorization"].to_s
    expected = "Bearer #{ENV['DCR_INITIAL_ACCESS_TOKEN']}"
    # Use a constant-time comparison to avoid leaking the token via timing.
    # Digesting first keeps the comparison fixed-length so the token's length
    # isn't leaked either.
    ActiveSupport::SecurityUtils.secure_compare(
      Digest::SHA256.hexdigest(provided),
      Digest::SHA256.hexdigest(expected),
    )
  end
  # ...
end

The block is evaluated in the controller scope (with access to request, params, request.headers, etc.). Return a truthy value to allow the request, or a falsy value to reject it with 401 invalid_token.

When not configured (default), the endpoint remains open for backward compatibility.
