
Client Credentials Service Registration

Note: A secret will expire after one year. A resource server or client credentials application with an expired secret will not work.

Authorized Stanford users can register and manage Resource Servers and Client Credentials clients via SPDB by clicking on "Manage Resource Servers configurations" and "Manage Client Credentials configurations" respectively.

Before Registration

Stanford mailing list address

  • To register with SPDB, it is recommended that the user use either a Google Group mailing address or a Stanford mailing list address in the format @lists.stanford.edu. For Mailman, please visit Stanford Mailman tools. For Google Groups, please visit Google group and workgroup integration. Please make sure your contact email can receive email from saml-team@lists.stanford.edu.

Stanford workgroup

  • When registering, you will need a non-personal workgroup that will be associated with the Resource Server or Client Credentials application. If you are not sure, or do not have a workgroup, please visit Stanford Workgroup or consult UIT.

Resource Server

Resource Server Registration

Manage your server via SPDB Resource Server Registration

  • Resource Server Name (required)
  • Information URL (required): a public website URL that describes what your service does and what scopes it provides
  • Contact Email (required)
  • Owning Workgroups (required): members of the group will have permission to approve client requests for this Resource Server
  • Scope(s) (required): scopes are permissions that limit what your service will allow a client to access or do
  • Descriptions (required): a description of your service. Include who it represents and what it does in a way that an end user would understand.
 
More on Scopes

Scopes are permissions (ex: read, write, delete, etc.) that limit what your service will allow a client to access or do.

  • Each client credentials application is provisioned to work with one Resource Server (RFC 8707)
  • Resource Server admins do not need to worry about scope names overlapping with those of other services.
  • There is no need to overload the scope name to convey the location or identity of the protected resource.
  • A scope is typically about what access is being requested rather than where that access will be redeemed.
  • Per RFC 8707, the following are examples of scopes that convey only the type of access and not the location or identity of the resource:
    • ex: email, admin:org, user_photos, channels:read, channels:write, read, write
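The separation described above, with the scope naming only the kind of access and the RFC 8707 `resource` parameter naming the one Resource Server a client is provisioned for, is easiest to see with both sides of the exchange in code. The following is an added example, not SPDB's own code or any Stanford endpoint: a small in-process model of the client-credentials grant in which the token endpoint authenticates the client, rejects an expired secret (the page's one-year lifetime), binds the token's audience to the client's single registered resource, and issues only scopes the Resource Server admin granted; the resource-server side then checks audience and scope. Every URL, client id, secret and date is constructed for the example, and the `ISSUED` table stands in for token introspection or a signed JWT.

```python
"""Added example (not SPDB's code): client-credentials grant with an
RFC 8707 resource indicator. Scope = what kind of access; resource =
where it is redeemed. All names, secrets and dates are constructed."""
import hmac
import secrets
from datetime import date, timedelta
from urllib.parse import parse_qs, urlencode

SECRET_LIFETIME = timedelta(days=365)  # secrets expire after one year
EXPIRY_WARNING = timedelta(days=30)    # notification window before expiry

# Constructed registry. Each client is provisioned for exactly one resource server.
RESOURCE_SERVERS = {
    "https://photos.example.stanford.edu": {"read", "write", "user_photos"},
    "https://orgs.example.stanford.edu": {"read", "admin:org"},
}
CLIENTS = {
    "client-photos-bot": {
        "secret": "constructed-secret-1",
        "secret_created": date(2024, 1, 15),
        "resource": "https://photos.example.stanford.edu",
        "granted_scopes": {"read", "user_photos"},  # approved by the RS admin
    },
}
ISSUED = {}  # access_token -> claims; stands in for introspection or a JWT


def secret_status(created: date, today: date) -> str:
    """'valid', 'expiring' (inside the 30-day window) or 'expired'."""
    expires = created + SECRET_LIFETIME
    if today >= expires:
        return "expired"
    if today >= expires - EXPIRY_WARNING:
        return "expiring"
    return "valid"


def build_token_request(client_id, client_secret, resource, scopes) -> str:
    """Form body of an RFC 6749 section 4.4 request plus the RFC 8707 resource parameter."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,               # where the token will be used
        "scope": " ".join(sorted(scopes)),  # what kind of access, nothing about where
    })


def token_endpoint(body: str, today: date) -> dict:
    """Authorization-server side: authenticate the client, bind the token to its one resource."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    if params.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    client = CLIENTS.get(params.get("client_id", ""))
    if client is None or not hmac.compare_digest(client["secret"], params.get("client_secret", "")):
        return {"error": "invalid_client"}
    if secret_status(client["secret_created"], today) == "expired":
        return {"error": "invalid_client", "error_description": "client secret expired"}
    resource = params.get("resource")
    if resource not in RESOURCE_SERVERS or resource != client["resource"]:
        return {"error": "invalid_target"}  # RFC 8707 error for an unknown/unauthorized resource
    requested = set(params.get("scope", "").split())
    if not requested <= client["granted_scopes"]:
        return {"error": "invalid_scope"}
    token = {
        "access_token": secrets.token_urlsafe(16),
        "token_type": "Bearer",
        "aud": resource,
        "scope": " ".join(sorted(requested)),
    }
    ISSUED[token["access_token"]] = token
    return token


def resource_server_authorize(access_token: str, my_url: str, needed_scope: str) -> bool:
    """Resource-server side: the audience must name this server and the scope must cover the action."""
    claims = ISSUED.get(access_token)
    return claims is not None and claims["aud"] == my_url and needed_scope in claims["scope"].split()


def demo() -> dict:
    """Runs the happy path and the rejections; returns the outcomes for inspection."""
    photos = "https://photos.example.stanford.edu"
    orgs = "https://orgs.example.stanford.edu"
    cid, sec = "client-photos-bot", "constructed-secret-1"
    ok = token_endpoint(build_token_request(cid, sec, photos, {"read"}), date(2024, 6, 1))
    return {
        "ok_scope": ok.get("scope"),
        "read_on_photos": resource_server_authorize(ok["access_token"], photos, "read"),
        "write_on_photos": resource_server_authorize(ok["access_token"], photos, "write"),
        "read_on_orgs": resource_server_authorize(ok["access_token"], orgs, "read"),
        "wrong_resource": token_endpoint(build_token_request(cid, sec, orgs, {"read"}), date(2024, 6, 1)).get("error"),
        "ungranted_scope": token_endpoint(build_token_request(cid, sec, photos, {"write"}), date(2024, 6, 1)).get("error"),
        "expired": token_endpoint(build_token_request(cid, sec, photos, {"read"}), date(2025, 3, 1)).get("error"),
        "status_warning": secret_status(date(2024, 1, 15), date(2025, 1, 1)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note that the same `read` scope name exists on both constructed Resource Servers without any conflict: the token issued for the photos server is refused by the orgs server because its audience does not match, not because of the scope name. That is the property the list above describes, and it is why the scope value never needs to encode the server's location.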
 
Tasks managed by Resource Server Admins

The following are some of the common tasks that Resource Server admins can expect:

  • Review client requests by updating the Status and provisioning the scopes
  • Use the (RS) Comments field to explain why a request was not approved and/or to request more information from the requestor

Email Notifications

Resource Server Admins will be notified if

  • a new resource server has been registered with them as contacts
  • a resource server whose owning group they are a member of has been deleted
  • a resource server secret is about to expire (within 30 days)

Resource Server Admins will also be notified if

  • a new client request has been submitted
  • a client's "Status" has been updated (ex: from Pending to Approved)
  • a client has been deleted
 

Client Credentials Clients

Client Credentials Registration

Manage your client credentials applications via SPDB Client Credentials Registration

  • Client Name (required)
  • Contact Email (required)
  • Owning Workgroups (required): members of the group will have permission to approve client requests for this Resource Server
  • Descriptions (required): provide detailed information about your service in a way that the requested resource server admins will understand, so they can approve your request

Email Notifications

Client credentials registered members will be notified if

  • a new client credentials app has been registered with them as contacts
  • a client credentials app that they are associated with has been deleted
  • a client secret is about to expire (within 30 days)

General Flow

  • Once the request has been approved by the server admin, the email contact of the client app will receive an email notification. The user can then proceed to create the client secret.
  • If there are any questions about a resource server, contact the corresponding server admins via the registered contact email.

Client-id and secrets

The secret will expire after one year. A resource server or client credentials application with an expired secret will not work.
