Open Dynamic Application Registration Should Accept Access Tokens

Feature:

auth0 should implement an access_token option for DAR; this could (should) be a paid feature.

Description:

While not a requirement of OIDC Open Registration specification,

The OpenID Provider MAY require an Initial Access Token that is provisioned out-of-band (in a manner that is out of scope for this specification) to restrict registration requests to only authorized Clients or developers.

It is incredibly useful and would allow IdP developers the ability to securely rate-limit and provision the /register endpoint. If one were to implement a “secure” version using the current auth0 SDK and APIs, it would require creating leaving ODCR disabled, and then creating clients using the Management API. This would require (at some point) using a token related to Management API scope; a potential security vulnerability, given that access_tokens can be provided to the /register endpoint directly with ODCR enabled.

This feature has been requested before,

Use-case:

We want certain User roles to have the ability to provision their own clients and creation applications dynamically. Think of like a Discord bot; provisioned a developer account → create application (ODCR registration + token).

Hey there @gblikas thanks for the feedback!

Our team monitors for community member engagement so let’s hope it gets some more votes! :rocket: