Hi Piyush,
I know it's been a while since you posted this but I just came back to it.
There are two ways to create OAuth Clients in Verify Access:
- "static" client registration via the LMI (or admin APIs)
- "dynamic" client registration via the OIDC Registration endpoint (requires OIDC to be enabled, but the client generated is the same)
Dynamic client registration is designed to be "self service" where authorized developers can create and manage their own client definitions. If you were to use this approach, the developer would "own" the client and would be able to retrieve the client id and secret themselves via AAC runtime screens (or your own flows around the APIs).
If you really want an approach where the administrator creates the clients, perhaps you could use APIs to embed this into a custom AAC authentication policy. A custom infomap would perform the registration and obtain the clientid and secret. These would be stored in a DMAP (indexed by a target user and UUID). You could then send an e-mail containing the magic UUID to the user. A second authentication policy would perform 2FA of the target user and then validate the UUID. It could then display the clientid and secret. This isn't a trivial thing to set up, but it might be worth investigating - personally I think getting users to self-serve is better and easier.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
Original Message:
Sent: Tue May 25, 2021 08:54 AM
From: Piyush Agrawal
Subject: OAuth Client Secret Sharing idea
Hello,
We are creating some OAuth Clients via "OpenID connect and API Protection", but when it comes to sharing credentials we are using Outlook emails.
It would be a good idea if we could utilize email and phone number to send a link to download the credential with an OTP.
Does anyone have any experience or a better idea for sharing credentials?
------------------------------
Piyush Agrawal
Norway
------------------------------