Auth0 Home Blog Docs

Auth0 - Open ID Connect Dynamic Client Registration issues

Guys,

I am needing to dynamically register a client application in Auth0 from the Anypoint (MuleSoft) Integration platform, based on the “CLIENT-CREDENTIALS” grant type.

However, I have encountered 2 issues,

  1. It appears that Auth0 does not define the "grant_types_supported " in the well-known doc.
    If “grant_types_supported” is not shown in the well-known doc, it indicates that Auth0 only support the default grant types (“authorization_code” and “implicit” grant type), which does not include the required “client credentials” grant type.

  2. It appears Auth0 does not support the “response_types” when the Anypoint Platform, sends the request to Auth0 to register the client application.
    For example, below is the request sent by the Anypoint Platform to Auth0 to register the client application.

curl -X POST
https://<YOUR_DOMAIN>.auth0.com/oidc/register
-H ‘Content-Type: application/json’
-H

no-cache’
-d ‘{
“redirect_uris”:["https://<YOUR_DOMAIN>.auth0.com/callback"],
“grant_types”:[“implicit”],
“token_endpoint_auth_method”:“client_secret_basic”,
“response_types”:[“token”,“id_token”],
“client_name”:“TestApp”
}’

response:

validation error: ‘Additional properties not allowed: response_types’.",“errorCode”:“invalid_body”}

In other words, the registration of the client application fails because of Auth0 non-support for the “response_types”.

Please note, the above 2 issues are found only with Auth0. These issues were not found when trialed with other providers such as Okta.

Please advise, when is this issue expected to be solved in Auth0.

Thanks.
Savio

1 Like

Hi @savio.a.mascarenhas!

Thanks for reporting this. Quite honestly, the Dynamic Client Registration feature is not used much, so I’m guessing no one encountered this problem before.
I agree that both cases should be covered and I’ve added an internal feature request to our Product team. I can’t promise any quick outcomes on this (it will depend on prioritization of other items in the roadmap), so hopefully you can provide some kind of override in Anypoint both to convince it that the server will accept client credentials, and not to send the response_types in the payload for now.

1 Like

Hi @nicolas_sabena!

Thanks for your response. I checked with MuleSoft and received the below response from MuleSoft support team,

"MuleSoft product team has raised this to Auth0 around 2 years ago however still no progress. Anypoint Platform is a vendor-neutral platform so we do not want to risk changing for one non-compliant IDP to break others. We have a few customers hitting the issue with the Dynamic Client Registration feature, due to “response_types” not supported by Auth0. Some customers tried to work around this by building a custom proxy, so when creating a client, the request is sent to the proxy and the proxy strips the “response_types” header from the request before forwarding it to Auth0. Some customers changed to use Auth0 as an OAuth server with JWT.

However, to get it properly fixed, we recommend escalating it to Auth0 and request the implementation to be compliant with the spec."

Thanks.
Savio