Dynamic client registration API

If you are building a new application, and you want to use OneWelcome for authentication in a secure manner, you can use an OAuth2 client registered with OneWelcome, and use that for authentication.

How does it work?

Let's assume, you have a requirement to build a new application which should allow a user to manage his/her consents and view only access to the primary email and primary phone number. Should not be allowed to see other information such as group membership and insurance policy.

In oder to do this, you have to register an oauth2 client, and pass some informations, such as the location of your application, the application name, authentication methods, etc., and to fully meet the requirements, you'll have to add the read/write consent related scopes and read scopes for primary email and primary phone number.

Once the oauth2 client is created, you can use it in your application to authenticate against OneWelcome.

What API do you need?

In order to register a new client, you have use Dynamic client registration API. An example of a client which will fulfil the requirements from above, would look like below:

CURL
    
curl --request POST \ --url https://www.onewelcome.com/onewelcome-dev/auth/oauth2.0/v1/connect/register \  --header 'Authorization: Bearer some-access-token' \  --header 'Content-Type: application/json' \  --data '{  "application_type": "web",  "client_id": "consentApp",  "code_challenge_method": "S256",  "client_name": "consentApp",  "client_type": "Public",  "subject_type": "public",  "token_endpoint_auth_method": "client_secret_post",  "logo_uri": "https://client.example.org/logo.png",  "jwks": "{\"keys\":[{\"kty\":\"RSA\",\"kid\":\"SylLC6Njt1KGQktD9Mt+0zceQSU=\",\"use\":\"sig\",\"alg\":\"RS256\",\"n\":\"AK0kHP1O-RgdgLSoWxkuaYoi5Jic6hLKeuKw8WzCfsQ68ntBDf6tVOTn_kZA7Gjf4oJAL1dXLlxIEy-kZWnxT3FF-0MQ4WQYbGBfaW8LTM4uAOLLvYZ8SIVEXmxhJsSlvaiTWCbNFaOfiII8bhFp4551YB07NfpquUGEwOxOmci_\",\"e\":\"AQAB\"}]}",  "id_token_signed_response_alg": "RS256",  "grant_types": [    "authorization_code",    "refresh_token",    "implicit"  ],  "response_types": [    "code",    "token",    "id_token",    "code token",    "token id_token",    "code id_token",    "code token id_token",    "none"  ],  "scopes": [    "openid",    "consent:read",    "consent:write",    "primary-phone:read",    "primary-email:read"  ],  "default_scopes": [    "openid",    "consent:read",    "consent:write",    "primary-phone:read",    "primary-email:read"  ],  "contacts": [    "ve7jtb@example.org",    "mary@example.org"  ],  "redirect_uris": [    "https://www.my-consent-app.com/profile"  ],  "request_uris": [    "https: //client.example.org/rf.txt#qpXaRLh_n93TTR9F252ValdatUQvQiJi5BDub2BeznA"  ]}'
Copy

Example of response:

JSON
    
{  "application_type": "web",  "client_id": "consentApp",  "client_name": "consentApp",  "client_type": "Public",  "client_secret": "4138ca8f-f6a3-46b5-926c-467be7073817",  "code_challenge_method": "S256",  "client_secret_expires_at": 0,  "contacts": [    "mary@example.org",    "ve7jtb@example.org"  ],  "default_scopes": [    "consent:read",    "openid",    "consent:write",    "primary-email:read",    "primary-phone:read"  ],  "default_max_age": 1,  "id_token_signed_response_alg": "RS256",  "jwks": "{\"keys\":[{\"kty\":\"RSA\",\"kid\":\"SylLC6Njt1KGQktD9Mt+0zceQSU=\",\"use\":\"sig\",\"alg\":\"RS256\",\"n\":\"AK0kHP1O-RgdgLSoWxkuaYoi5Jic6hLKeuKw8WzCfsQ68ntBDf6tVOTn_kZA7Gjf4oJAL1dXLlxIEy-kZWnxT3FF-0MQ4WQYbGBfaW8LTM4uAOLLvYZ8SIVEXmxhJsSlvaiTWCbNFaOfiII8bhFp4551YB07NfpquUGEwOxOmci_\",\"e\":\"AQAB\"}]}",  "registration_access_token": "5d10ade8-e90a-45a5-9f0a-e4d2a81d78b9",  "registration_client_uri": "https://www.ongo.com/bikes/login/oauth2.0/v1/connect/register?client_id=consentApp",  "redirect_uris": [    "https://www.my-consent-app.com/profile"  ],  "default_post_logout_redirect_uri": "https://www.ongo.com/bikes/login/",  "logo_uri": "https://client.example.org/logo.png",  "response_types": [    "token id_token",    "id_token",    "code id_token",    "code token id_token",    "code",    "token",    "code token",    "none"  ],  "scopes": [    "consent:read",    "openid",    "consent:write",    "primary-email:read",    "primary-phone:read"  ],  "subject_type": "public",  "token_endpoint_auth_method": "client_secret_post"}
Copy

Please note that in order to call this API, you have to have an oauth2 access token with the scope dynamic-client-registration. For information about how you can issue an access token, please consult OAuth 2.0 and OpenID Connect API documentation.

Please note that the default code challenge method is "S256" - see Proof Key for Code Exchange (PKCE)

For a detailed explanation of each of the request and response attributes, please consult the Dynamic Client Registration API specification.

Last updated on Feb 2, 2024

Was this page helpful?