Dynamic client registration configuration should include a way of providing an initial token

[travisspencer]

Section 3 of the OIDC dynamic client registration spec says that

The OpenID Provider MAY require an Initial Access Token that is provisioned out-of-band (in a manner that is out of scope for this specification) to restrict registration requests to only authorized Clients or developers.

When configuring an OP entity in the op_test tool, there is no way to provide this initial token. As a result, there is no way for an OP that requires authentication of the registration endpoint to be tested.

Something like the following mockup is needed:

If an initial access token is configured in such a way, then the test tool should send it to the OP in an Authorization header (per RFC 6750) when registering the client.

[travisspencer]

Is this what registration_access_token field is for?

[zandbelt]

I believe registration_access_token is not about the initial registration but about an access token received to manage an existing registration on the registration_client_uri. @rohe: please correct me if I'm wrong.

[rohe]

Correct!
Actually managing is a strong word in the context because the only thing you can do is 'read'.

[selfissued]

This seems like something that could be useful for testing but it's outside the scope of certification, since it's using functionality that's not interoperable. An OP must support open registration to enable certification. It's fine to also support an initial access token in the software, as long as the deployment doesn't require it when certifying the software.