Implement OpenID Connect 1.0 Client Registration Endpoint #57

Closed
jgrandja opened this issue Apr 21, 2020 · 4 comments
Labels
type: enhancement A general enhancement
Milestone

Comments

@jgrandja
Collaborator

jgrandja commented Apr 21, 2020

This issue will deliver the Client Registration Endpoint, which is defined in OpenID Connect Dynamic Client Registration 1.0.

NOTE: This issue should NOT implement the Client Configuration Endpoint - it MAY be implemented in a separate PR at a later point.

The Client Registration Endpoint should follow a similar implementation pattern as the Provider Configuration Endpoint gh-55.

At a minimum, the following artifacts should be produced:

  • OidcClientRegistrationEndpointFilter (reference OidcProviderConfigurationEndpointFilter)
  • OidcClientRegistration (reference OidcProviderConfiguration)
  • OidcClientMetadataClaimAccessor (reference OidcProviderMetadataClaimAccessor)
  • OidcClientMetadataClaimNames (reference OidcProviderMetadataClaimNames)
  • OidcClientRegistrationHttpMessageConverter (reference OidcProviderConfigurationHttpMessageConverter)

The OidcClientMetadataClaimAccessor should only implement the REQUIRED claims and may implement the OPTIONAL claims if it's applicable to a feature that is currently implemented.

Take note of Section 3. Client Registration Endpoint:

The Client Registration Endpoint is an OAuth 2.0 Protected Resource through which a new Client registration can be requested. The OpenID Provider MAY require an Initial Access Token that is provisioned out-of-band (in a manner that is out of scope for this specification) to restrict registration requests to only authorized Clients or developers.

Initial Access Token Requirements

  • Client registration is only allowed for (existing) clients that have an (initial) access token that was obtained using the client_credentials grant.
  • The initial access token should contain the scope client.create and no other additional scopes.
  • The initial access token should have similar attributes as OAuth2AuthorizationCode (authorization_code grant) with a time-to-live of 5 mins and can only be used once.
  • The initial access token must be revoked after it is used.
  • The client registration endpoint is a protected resource that requires an OAuth access token (initial access token) containing the client.create scope, therefore, we need to leverage/integrate HttpSecurity.oauth2ResourceServer().jwt().
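As an added illustration of the initial access token rules listed above (example code, not code from spring-authorization-server), the following Python sketch checks a presented token against each requirement and revokes it on use; the token record, the dict-based store and the function names are assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constraints taken from the issue's "Initial Access Token Requirements".
CLIENT_CREATE_SCOPE = "client.create"
INITIAL_ACCESS_TOKEN_TTL = timedelta(minutes=5)
REQUIRED_GRANT_TYPE = "client_credentials"

@dataclass
class InitialAccessToken:
    """Hypothetical token record; the field names are assumptions, not the project's."""
    value: str
    grant_type: str            # grant the token was obtained with
    scopes: frozenset          # scopes granted to the token
    issued_at: datetime
    invalidated: bool = False  # set once the token has been used

    @property
    def expires_at(self) -> datetime:
        return self.issued_at + INITIAL_ACCESS_TOKEN_TTL

def issue_initial_access_token(store: dict, value: str, grant_type: str,
                               scopes, now=None) -> InitialAccessToken:
    """Record a newly issued token (the token value itself is supplied by the caller)."""
    token = InitialAccessToken(value, grant_type, frozenset(scopes),
                               now or datetime.now(timezone.utc))
    store[value] = token
    return token

def check_initial_access_token(token: InitialAccessToken, now: datetime):
    """Return None if the token may be used for registration, else the rejection reason."""
    if token.invalidated:
        return "token already used"
    if now >= token.expires_at:
        return "token expired"
    if token.grant_type != REQUIRED_GRANT_TYPE:
        return "token not obtained via client_credentials grant"
    if token.scopes != frozenset({CLIENT_CREATE_SCOPE}):
        return "token scope must be exactly client.create"
    return None

def consume_initial_access_token(store: dict, value: str, now=None):
    """Look up, validate and revoke in one step so a token can be used only once."""
    token = store.get(value)
    if token is None:
        return "unknown token"
    reason = check_initial_access_token(token, now or datetime.now(timezone.utc))
    if reason is None:
        token.invalidated = True  # revoke after use, as the issue requires
    return reason
```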
@jgrandja
Collaborator Author

jgrandja commented Dec 9, 2020

@ovidiupopa91 Regarding timing for this feature, there is no rush to complete. But I'm thinking late Jan or sometime in Feb would be nice but again not a priority.

I'll provide detailed requirements in this issue sometime tomorrow and then I can answer any questions you have on Gitter. I can be on Gitter Friday morning anytime between 9am-12pm EST, if that timing works for you?

@ghost

ghost commented Dec 10, 2020

@jgrandja great. I will go through the requirements and I will contact you on Gitter (during that time frame) if I have any questions.

@jgrandja jgrandja changed the title Epic: OpenID Connect Dynamic Client Registration 1.0 Implement OpenID Connect 1.0 Client Registration Endpoint Dec 10, 2020
@jgrandja jgrandja assigned ghost Dec 10, 2020
@jgrandja jgrandja added type: enhancement A general enhancement and removed status: on-hold We can't start working on this issue yet labels Dec 10, 2020
@ghost

ghost commented Dec 11, 2020

Hi @jgrandja. No questions from my side. Enjoy your days off!

@jgrandja
Collaborator Author

Excellent @ovidiupopa91. Enjoy your time off too and we'll chat in the new year!

ghost pushed a commit to ovidiupopa07/spring-authorization-server that referenced this issue Dec 21, 2020
ghost pushed a commit to ovidiupopa07/spring-authorization-server that referenced this issue Jan 4, 2021
ghost pushed a commit to ovidiupopa07/spring-authorization-server that referenced this issue Jan 7, 2021
ghost pushed a commit to ovidiupopa07/spring-authorization-server that referenced this issue Jan 8, 2021
ghost pushed a commit to ovidiupopa07/spring-authorization-server that referenced this issue Jan 8, 2021
@jgrandja jgrandja added this to the 0.1.1 milestone Jan 29, 2021