I've elaborated a little more on the DCR topic.

OPTIONAL. The client is pre-registered at the AS-RO as a public client – this is recommended for Single Page Applications.

If the client has been pre-registered at the RO's AS as a public client, then after the protected dynamic registration, the client is registered twice, both as a public and at the same time as a confidential client. When communicating with the AS, the client uses the registration that is more secure. If the client is a Single Page Application, the confidential registration identifier (nonce) that refers to the client credentials has to be returned from the registration endpoint in the form of a cookie with the HttpOnly and Secure attributes set. If the RqP deletes the cookies or the confidential client registration has been removed from the server, the client may re-register with the RO's AS.

Regards

-Igor

On Wed, Oct 6, 2021 at 11:11 PM Igor Zboran <izboran@gmail.com> wrote:
Hi George,

For single-page-apps the client registration endpoint may return the client secret in the form of cookies with the HttpOnly and Secure flags set. JavaScript will not be able to access the client secret and the front-end developer does not have to fiddle with the secret. If the user deletes the cookies, the client re-registers with the AS.

-Igor

On Wed, Oct 6, 2021 at 7:30 PM George Fletcher <george.fletcher@yahooinc.com> wrote:
For single-page-apps there is also DPoP [https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-04] which provides some similar capabilities using ephemeral keys. The issue I see with DCR and SPAs is maintaining the keys in the browser in a persistent way.

On Wed, Oct 6, 2021 at 7:11 AM Igor Zboran <izboran@gmail.com> wrote:
Hi everyone,

Please take a look at https://github.com/uma-email/poc#protected-dynamic-client-registration.

This may solve the single page applications and native applications problem with client secrets. I mean, the client is public with respect to the IdP, and at the same time – after dynamic registration – confidential with respect to the AS.

Regards

-Igor
_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
https://kantarainitiative.org/mailman/listinfo/wg-uma