Concept Guides
Registration Framework
pick a registration framework to be used within the framework oauth dynamic client registration or openid federation control how client applications are registered within the data provider's authorisation servers during the creation of the trust framework docid\ orq fx71kdupt8j17ckkd , its trust framework participants docid\ zwoo4fno16xiy1mcodij5 need to provide raidiam with information on how client applications are to be registered within the data providers docid\ apm ilivcfpfft1ld0puc oauth authorisation servers docid\ aw0rfr 6i9dbui8sh7hkd the choice between two distinct registration framework types, oauth dynamic client registration and openid federation, can significantly impact the security, flexibility, and efficiency of your ecosystem oauth dynamic client registration oauth dynamic client registration (rfc7591) enables client applications to dynamically register themselves with the data provider docid 147rb3 eqtte87enoaawn oauth authorisation servers docid\ aw0rfr 6i9dbui8sh7hkd , eliminating the need for manual intervention by administrators when requesting registration at the authorization server's dcr endpoint, clients send a list of desired information to the authorization server in response, they receive a client identifier and the registered metadata values this information allows clients to communicate with the authorization server using the oauth 2 0 framework this automated process simplifies the onboarding of new client applications, reducing administrative overhead and accelerating the deployment of services oauth dynamic client registration (dcr) offers several advantages automation dcr streamlines the process of registering client applications by allowing them to dynamically register themselves with the authorization server this automation reduces manual intervention and administrative overhead flexibility dcr accommodates the onboarding of new client applications and updates to existing ones seamlessly it adapts to evolving environments, enabling quick and efficient integration of services scalability with dcr, organizations can rapidly scale their ecosystem by adding new client applications without compromising security this scalability supports the growth and expansion of the ecosystem over time efficiency by automating the registration process, dcr improves efficiency by reducing the time and effort required for client application onboarding this allows organizations to focus resources on other critical tasks compatibility dcr ensures compatibility between client applications and the authorization server by dynamically registering metadata values this compatibility enhances interoperability and smooth communication within the ecosystem openid federation the oidc federation model, particularly as outlined in section 11 1 of the oidc federation specification https //openid net/specs/openid federation 1 0 html#name protocol key rollover , introduces an automated registration mechanism this allows data receivers docid 0icz dap0cfxtlrhddxni to initiate authentication requests directly, bypassing traditional registration with data providers docid\ apm ilivcfpfft1ld0puc upon integration into the ecosystem trust framework, data receivers are allocated a unique client id , bound to their created encryption and transport certificates these credentials are utilized to authenticate the data receiver’s requests and secure token issuance via the data provider's authorization server endpoints to enable this process, data providers must proactively acquire relevant metadata based on their client id from the trust framework, ensuring the registered data receiver metadata is always up to date openid federation can be used to mitigate some of the issues that can arise when oauth dcr is used, but it introduces an additional overhead for the data providers, especially when it comes to the requirements for the authorization server dcr issue solution varied registration requests for each client server interaction, causing interoperability issues due to misprocess or miscommunication of these requests by having servers to automatically register clients based on the participant directory's entity statements, the system eliminates individual registration requests, enhancing interoperability registration data can often be outdated as a an active put request against the registration endpoint is required for the client metadata to be updated implementing a server side cache policy for registration metadata ensures timely updates, keeping client data in line with what’s defined on the participant directory issues on the registration journey might lead to client identifiers being created without the registration access token being sent back, forcing manual recovery of tokens or removal of clients, raised using bi lateral service desk tickets an unique, standardized client id and the trust framework as the source of truth negates the need for client side maintenance, streamlining the process additionally, with openid federation as the registration framework, the trust framework can ensure responsibility spread for client registration to the fewest number of actors the responsibility for registration entirely rests with the data providers they are required to actively consult and regularly update data from the trust anchor (trust framework) this ensures they keep an up to date registry of all authorized clients in the ecosystem the standard also specifies that when data providers encounter an authentication request from an unrecognized data receiver, they must fetch the client's data from the trust anchor this is to accurately ascertain the client's access scopes, regardless of whether the regular updates have been properly conducted support cross border integration oidc federation supports the setup of unified trust network across multiple trust anchors through standardized metadata acquisition mechanisms this structure can be used to promote interoperability and trust among clients and servers across different ecosystems, fostering a seamless cross border integration framework simple registration endpoint (sre) raidiam connect offers the simple registration endpoint (sre) as a native registration framework, serving as an alternative to the models specified above sre, as with the openid federation registration framework, introduces an automated registration mechanism this enables data receivers docid 0icz dap0cfxtlrhddxni to initiate authentication requests directly, bypassing traditional registration methods with data providers docid\ apm ilivcfpfft1ld0puc such as dynamic client registration (dcr ) upon integration into the ecosystem trust framework, data receivers are allocated a unique client id , bound to their created signing and transport certificates these credentials are utilized to authenticate the data receiver’s requests and secure token issuance via the data provider's oauth compliant authorization server to facilitate this, data providers must proactively acquire relevant metadata based on their client id from the trust framework, ensuring the registered data receiver metadata is always up to date however, with sre, data providers benefit with much more streamlined client registration (discovery) the authorisation server can query the raidiam connect's get all registered clients api in order to fetch an up to date list of all client applications registered within the given trust framework registering participants ahead of time