I figured out that Hydra's /admin/clients endpoint may be used for dynamic client registration according to this section in the docs:
The administrative port should not be exposed to public internet traffic. If you want to expose certain endpoints, such as the /clients endpoint for OpenID Connect Dynamic Client Registry, you can do so but you need to properly secure these endpoints with an API Gateway or Authorization Proxy. Administrative endpoints include
The endpoint accepts and provides all client metadata required by the OIDC dynamic client registration spec. However, it allows a client to provide a secret, which could lead to weak (human-created) client secrets.
For dynamic client registration, a variant of “/admin/clients” would be needed, which does not allow providing the secret. Do I have to build that on my own in front of the /admin client API?
Probably an endpoint with more logic is needed anyway, because I may need to restrict values like “scopes” or “audience”.
Is there someone who provides dynamic client registration “as is” with just some form of authentication?
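A sketch of the filtering step such a front endpoint would need, added here as an example and not taken from the post or from Ory's code: it rejects any request that carries `client_secret` (or any other unlisted field) and checks `scope` and `audience` against allow-lists before the body is forwarded to /admin/clients. The function name `SanitizeRegistration`, the field subset in `registration`, and the allow-list values are assumptions chosen for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed policy for illustration; replace with your own allow-lists.
var allowedScopes = map[string]bool{"openid": true, "profile": true, "offline_access": true}
var allowedAudiences = map[string]bool{"https://api.example.com": true}

// registration lists the only metadata a caller may set. client_secret is
// deliberately absent, so a request carrying it fails decoding.
type registration struct {
	ClientName   string   `json:"client_name,omitempty"`
	RedirectURIs []string `json:"redirect_uris"`
	GrantTypes   []string `json:"grant_types,omitempty"`
	Scope        string   `json:"scope,omitempty"`
	Audience     []string `json:"audience,omitempty"`
}

// SanitizeRegistration returns the JSON to forward upstream, or an error.
func SanitizeRegistration(body []byte) ([]byte, error) {
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields() // rejects client_secret and any unlisted field
	var reg registration
	if err := dec.Decode(&reg); err != nil {
		return nil, fmt.Errorf("rejected metadata: %w", err)
	}
	for _, s := range strings.Fields(reg.Scope) { // scope is space-delimited
		if !allowedScopes[s] {
			return nil, fmt.Errorf("scope %q not allowed", s)
		}
	}
	for _, a := range reg.Audience {
		if !allowedAudiences[a] {
			return nil, fmt.Errorf("audience %q not allowed", a)
		}
	}
	// Forward the re-encoded struct, never the caller's raw bytes.
	return json.Marshal(reg)
}

func main() {
	out, err := SanitizeRegistration([]byte(`{"redirect_uris":["https://app.example.com/cb"],"scope":"openid"}`))
	fmt.Println(string(out), err)
}
```

Decoding into a fixed struct rather than deleting one key from a map also catches case variants such as `Client_Secret`, which a case-insensitive JSON decoder behind the proxy could otherwise accept as the secret.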