Feature:
auth0 should implement an access_token
option for DAR; this could (should) be a paid feature.
Description:
While not a requirement of the OIDC Open Registration specification, it does say: "The OpenID Provider MAY require an Initial Access Token that is provisioned out-of-band (in a manner that is out of scope for this specification) to restrict registration requests to only authorized Clients or developers."
It is incredibly useful and would give IdP developers the ability to securely rate-limit and provision the /register endpoint. If one were to implement a "secure" version using the current auth0 SDK and APIs, it would require leaving ODCR disabled and then creating clients using the Management API. This would require (at some point) using a token related to Management API scope; a potential security vulnerability, given that access_tokens can be provided to the /register endpoint directly with ODCR enabled.
This feature has been requested before,
Use-case:
We want certain User roles to have the ability to provision their own clients and create applications dynamically. Think of something like a Discord bot: provision a developer account → create an application (ODCR registration + token).
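As an added example (not Auth0's code and not part of this request), here is a minimal Python model of the flow described above: a /register handler that only accepts requests carrying a valid Initial Access Token as a Bearer token, ties each token to an account holding the developer role with a fixed registration quota, and never hands a Management API scoped token to the caller. The class and function names, the HMAC-based token format, the quota and TTL, and the sample metadata are assumptions chosen for illustration.

```python
"""Model of an OIDC Dynamic Client Registration endpoint gated by an Initial
Access Token (the MAY clause in section 3 of the OpenID Connect Dynamic Client
Registration spec).  Illustrative code only; not Auth0's implementation."""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

# Assumed: an HMAC key held only by the OpenID Provider, so a token that
# leaks cannot be forged or extended by the holder.
SERVER_SECRET = secrets.token_bytes(32)


@dataclass
class InitialAccessToken:
    token_id: str
    developer: str      # account the token was provisioned for
    remaining: int      # registrations still permitted (the rate limit)
    expires_at: float


class RegistrationAuthority:
    """Issues Initial Access Tokens out-of-band and serves POST /register."""

    def __init__(self, now=time.time):
        self.now = now
        self.tokens = {}    # token_id -> InitialAccessToken
        self.clients = {}   # client_id -> stored client metadata

    def issue_initial_access_token(self, developer, role, quota=1, ttl=3600):
        # Only accounts with the (assumed) "developer" role may self-provision.
        if role != "developer":
            raise PermissionError("role may not register clients")
        token_id = secrets.token_urlsafe(16)
        mac = hmac.new(SERVER_SECRET, token_id.encode(), hashlib.sha256).hexdigest()
        self.tokens[token_id] = InitialAccessToken(token_id, developer, quota, self.now() + ttl)
        return f"{token_id}.{mac}"   # opaque to the client; format is an assumption

    def _authenticate(self, authorization):
        """Return the live token behind an Authorization header, or None."""
        if not authorization or not authorization.startswith("Bearer "):
            return None
        try:
            token_id, mac = authorization[len("Bearer "):].split(".", 1)
        except ValueError:
            return None
        expected = hmac.new(SERVER_SECRET, token_id.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None
        tok = self.tokens.get(token_id)
        if tok is None or tok.expires_at <= self.now() or tok.remaining <= 0:
            return None
        return tok

    def register(self, headers, body):
        """Handle POST /register.  Returns (http_status, response_dict)."""
        tok = self._authenticate(headers.get("Authorization"))
        if tok is None:
            # Missing, forged, expired or exhausted token: refuse before parsing.
            return 401, {"error": "invalid_token"}
        try:
            metadata = json.loads(body)
        except json.JSONDecodeError:
            return 400, {"error": "invalid_client_metadata"}
        uris = metadata.get("redirect_uris")
        if (not isinstance(uris, list) or not uris
                or not all(isinstance(u, str) and u.startswith("https://") for u in uris)):
            return 400, {"error": "invalid_redirect_uri"}
        tok.remaining -= 1          # consume quota before creating anything
        client_id = secrets.token_urlsafe(12)
        client_secret = secrets.token_urlsafe(32)
        record = {"owner": tok.developer, "client_name": metadata.get("client_name"),
                  "redirect_uris": uris}
        self.clients[client_id] = record
        return 201, {"client_id": client_id, "client_secret": client_secret, **record}


def registration_request(client_name, redirect_uris):
    """Build a constructed /register body for the examples below."""
    return json.dumps({"client_name": client_name, "redirect_uris": redirect_uris})


def demo_flow():
    """Bot-style flow: developer account -> initial access token -> one client."""
    ra = RegistrationAuthority()
    tok = ra.issue_initial_access_token("alice", "developer", quota=1)
    body = registration_request("my-bot", ["https://bot.example/cb"])
    first, created = ra.register({"Authorization": "Bearer " + tok}, body)
    second, _ = ra.register({"Authorization": "Bearer " + tok}, body)   # quota spent
    anonymous, _ = ra.register({}, body)                                # no token
    forged, _ = ra.register({"Authorization": "Bearer " + tok[:-1] + "x"}, body)
    return {"first": first, "second": second, "anonymous": anonymous,
            "forged": forged, "owner": ra.clients[created["client_id"]]["owner"]}


if __name__ == "__main__":
    print(demo_flow())
```

The point the block makes is the one in the request: the only credential the developer ever holds is a narrowly scoped, quota-limited Initial Access Token, so the OP can rate-limit and revoke self-registration without any Management API token leaving the server.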