✋ Trusted Clients

[tbsbdr]

Description

As an organization I want to restrict client registration only to trusted (predefined) clients so that I can ensure that no other clients register.

Relates to:

Enable authentication with other IDPs

like Authentik, Authelia etc.
relates to opencloud-eu/desktop#246

Improve OIDC IDP configuration discovery in our clients

"We should have some endpoint that exposes additional configuration details that the clients need to know in order to work correctly with the current OpenCloud configuration. For the start this should just expose a list of additional scopes to request (apart form the standard scopes).
As part of the discovery all our clients should query that endpoint (unauthenticated) and use the information provided in there." https://github.com/opencloud-eu/internal/issues/172

"the desktop app should pull the client ID to use from the server as well, as according to the RFC, the client ID is issued by the authorization server and doesn't have a specified format: https://www.rfc-editor.org/rfc/rfc6749#section-2.2 "

relates to
opencloud-eu/desktop#217

[butonic]

A solution proposal to this is discussed in opencloud-eu/desktop#246 (comment)

AFAICT all these issues can be solved with it:

• Native Clients JWS signing key is not known to kanidm opencloud#1713
• [BUG/FeatureRequest] [OIDC] Change native ClientID opencloud#2088
• Authelia: Problem with user roles desktop#217
• Support different OIDC issuer for desktop desktop#246