Client Registration¶
Client registration defines the trust boundary between OpenASA and your application or service.
Role split¶
| Role | Responsibility |
|---|---|
| OpenASA | OAuth Provider / auth service |
| Your app or service | OAuth client / relying party |
| End user | Account owner who signs in through OpenASA |
Required Client Metadata¶
client_id- trusted
redirect_urilist - allowed scopes
- token handling policy on your backend
- local user mapping strategy keyed by stable OpenASA subject
Integration Boundary¶
If your service wants to rely on OpenASA OAuth capability, the usual split is:
- Browser redirect or app login is initiated against OpenASA.
- OpenASA authenticates the user and establishes authorization state.
- Your service receives OpenASA-issued code, token, session, or user profile.
- Your service maps the OpenASA user identity into its own local account model.
Recommended Boundary¶
- Keep user authentication and consent on the OpenASA side.
- Keep your own business authorization and tenant/resource permissions on your side.
- Treat OpenASA
subor stable user id as the external identity key.
Provider-side Agreement Surface¶
For OAuth capability itself, treat OpenASA as exposing the standard provider-side surfaces defined by the oauth agreement:
authorizetokenuserinfojwksrevoke
Notes¶
- Register redirect URIs, scopes, and client metadata against OpenASA according to your deployment process.
- Keep callback handling on your own trusted domain.
- Never couple your business authorization model to raw access-token contents alone; always keep a stable local user mapping.