Lesson 9 — Client Registration | Learn OpenID Federation

In a federation, a Relying Party doesn't need to manually register with every OpenID Provider. There are two approaches (§12): Automatic (no pre-registration, resolved at authorization time) and Explicit (pre-registration via a dedicated endpoint).

Step 1 of 4

1. RP discovers OP

The RP discovers the OP and resolves its trust chain, confirming they share a common Trust Anchor (§12.1).

SecuritySecurity consideration

The Request Object used in Automatic Registration MUST include a unique jti (JWT ID) claim. The OP MUST track recent jti values and reject any duplicate — Request Objects are single-use by default to prevent replay attacks. Reuse is only allowed under negotiated conditions outside this spec's scope.

§12.1.1

Side-by-Side Comparison

Feature	Automatic	Explicit
Pre-registration	No	Yes
Trust chain verified	At authorization time	At registration time
Client ID	Entity Identifier (URL)	Assigned by OP
Auth request format	Request Object (JAR) or PAR required	Standard
Cryptography	Asymmetric only	Asymmetric or symmetric
OP stores RP info	No (resolves on the fly)	Yes (persisted)
Best for	Dynamic, large federations	Stable, long-term relationships

Real-World Analogy

Automatic = walking into a government building, stating your name, and they look you up in the national registry on the spot. Explicit = walking into a private members' club, showing your credentials, filling out an application form, and receiving a membership card for future visits.