Client Registration

In a federation, a Relying Party doesn't need to manually register with every OpenID Provider. There are two approaches^[1]: Automatic (no pre-registration, resolved at authorization time) and Explicit (pre-registration via a dedicated endpoint).

Step 1 of 4

1. RP discovers OP

The RP discovers the OP and resolves its trust chain, confirming they share a common Trust Anchor.^[1]

Side-by-Side Comparison

Feature	Automatic	Explicit
Pre-registration	No	Yes
Trust chain verified	At authorization time	At registration time
Client ID	Entity Identifier (URL)	Assigned by OP
Auth request format	Request Object (JAR) or PAR required	Standard
Cryptography	Asymmetric only	Asymmetric or symmetric
OP stores RP info	No (resolves on the fly)	Yes (persisted)
Best for	Dynamic, large federations	Stable, long-term relationships

Real-World Analogy

Automatic = walking into a government building, stating your name, and they look you up in the national registry on the spot. Explicit = walking into a private members' club, showing your credentials, filling out an application form, and receiving a membership card for future visits.

🤝 Client Registration

1. RP discovers OP

Side-by-Side Comparison

Sources & References