
Add scenario for OpenID Connect Dynamic Client Registration #860

Open
thomasdarimont opened this issue Jun 24, 2024 · 2 comments
Labels
help wanted Extra attention is needed

Comments

@thomasdarimont

Description

The benchmark suite should cover this by default to ensure adequate performance.

Discussion

No response

Motivation

Dynamic Client Registration (DCR) is part of the OpenID Connect protocol suite, and Keycloak has supported it for many years.

Details

Securing Applications and Services Guide: Using the client registration service
OpenID Connect Dynamic Client Registration RFC

@ahus1
Contributor

ahus1 commented Jun 24, 2024

Hi @thomasdarimont - feel free to provide such a test. At the same time, I'm not so familiar with the DCR, so I assume you would create a lot of new clients as part of the process?

@ahus1 ahus1 added the help wanted Extra attention is needed label Jun 24, 2024
@thomasdarimont
Author

thomasdarimont commented Jun 24, 2024

With DCR, the administrator would create one or multiple "initial access tokens" (IAT), where each IAT has an expiration time, e.g. 1 week, and is allowed to create a number of clients, e.g. 10 or 100.

A test could measure the observed response times / latencies while generating 100-1k-10k clients via the client registration endpoint.
Those clients could have names with a prefix to be able to find and remove them easily later.

Dynamic client registrations can be restricted via the client registration policies, which gives the Keycloak administrator some control over the sort of clients that can be created.

We should test "Anonymous client creation" as well as "Authenticated client creation"

Yes, the test will probably create a few hundred or thousands of clients. Perhaps it might make sense to test this against a dedicated, dynamically generated realm that could then be removed after the test.
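The flow sketched in this thread (throwaway realm, admin-minted initial access token, N prefixed client registrations with timing, cleanup of clients and realm), written out as an added Python example. This is not code from the keycloak-benchmark project; it uses Keycloak's admin API (`/admin/realms`, `/admin/realms/{realm}/clients-initial-access`) and the OpenID Connect client-registration endpoint (`/realms/{realm}/clients-registrations/openid-connect`), while the base URL, realm name, client-name prefix, counts, redirect URI and the admin token (assumed to be obtained separately, e.g. via `admin-cli`) are placeholders. The HTTP transport is injected so the same flow can be exercised offline against a fake.

```python
"""Added example (not keycloak-benchmark code): run the DCR benchmark scenario
described in the issue and report registration latencies."""
import json
import math
import time
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Transport: (method, url, headers, json_body) -> (http_status, parsed_json).
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


def urllib_transport(method, url, headers, body):
    """Minimal stdlib HTTP transport that sends and receives JSON."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


def _check(status: int, what: str) -> None:
    if status // 100 != 2:
        raise RuntimeError(f"{what} failed: HTTP {status}")


def _admin_headers(admin_token: str) -> Dict[str, str]:
    return {"Authorization": f"Bearer {admin_token}", "Content-Type": "application/json"}


def create_initial_access_token(send: Transport, base_url: str, realm: str,
                                admin_token: str, count: int, expiration_s: int) -> str:
    """Admin step: mint an IAT good for `count` registrations within `expiration_s`
    seconds (e.g. 100 clients, one week). Keycloak's `expiration` is in seconds."""
    status, body = send("POST", f"{base_url}/admin/realms/{realm}/clients-initial-access",
                        _admin_headers(admin_token), {"count": count, "expiration": expiration_s})
    _check(status, "IAT creation")
    return body["token"]


def register_clients(send: Transport, base_url: str, realm: str, iat: str,
                     n: int, prefix: str) -> Tuple[List[dict], List[float]]:
    """Authenticated client creation: n registrations with the IAT as bearer token.
    Names carry `prefix` so the clients are easy to find and remove later."""
    url = f"{base_url}/realms/{realm}/clients-registrations/openid-connect"
    headers = {"Authorization": f"Bearer {iat}", "Content-Type": "application/json"}
    registered, latencies = [], []
    for i in range(n):
        payload = {"client_name": f"{prefix}{i:05d}",
                   "redirect_uris": ["https://app.example.invalid/callback"]}  # constructed
        t0 = time.perf_counter()
        status, body = send("POST", url, headers, payload)
        latencies.append(time.perf_counter() - t0)
        _check(status, f"registration of {payload['client_name']}")
        # Each response carries a registration access token (RAT) scoped to that client.
        registered.append({"client_id": body["client_id"],
                           "rat": body["registration_access_token"]})
    return registered, latencies


def delete_clients(send: Transport, base_url: str, realm: str, registered: List[dict]) -> int:
    """Cleanup: delete every registered client using its own RAT; returns count deleted."""
    url = f"{base_url}/realms/{realm}/clients-registrations/openid-connect"
    deleted = 0
    for c in registered:
        status, _ = send("DELETE", f"{url}/{c['client_id']}",
                         {"Authorization": f"Bearer {c['rat']}"}, None)
        deleted += status // 100 == 2
    return deleted


def percentile(values: List[float], p: float) -> float:
    """Nearest-rank percentile (p in 0..100) of a non-empty list."""
    s = sorted(values)
    return s[max(0, math.ceil(p / 100 * len(s)) - 1)]


def run_dcr_benchmark(send: Transport, base_url: str, admin_token: str,
                      n_clients: int = 100, realm: str = "dcr-bench",
                      prefix: str = "dcr-bench-") -> dict:
    """Full scenario: throwaway realm -> IAT -> timed registrations -> cleanup."""
    status, _ = send("POST", f"{base_url}/admin/realms", _admin_headers(admin_token),
                     {"realm": realm, "enabled": True})
    _check(status, "realm creation")
    try:
        iat = create_initial_access_token(send, base_url, realm, admin_token,
                                          count=n_clients, expiration_s=7 * 24 * 3600)
        registered, lat = register_clients(send, base_url, realm, iat, n_clients, prefix)
        deleted = delete_clients(send, base_url, realm, registered)
    finally:  # always drop the dedicated realm, even if a registration failed
        status, _ = send("DELETE", f"{base_url}/admin/realms/{realm}",
                         _admin_headers(admin_token), None)
    return {"registered": len(registered), "deleted": deleted,
            "realm_deleted": status // 100 == 2,
            "p50_ms": 1000 * percentile(lat, 50), "p95_ms": 1000 * percentile(lat, 95),
            "max_ms": 1000 * max(lat)}
```

For a live run, call `run_dcr_benchmark(urllib_transport, "https://<keycloak-host>", "<admin token>", n_clients=1000)`; the realm is created and deleted inside the run, so repeated runs at 100, 1k and 10k clients leave nothing behind. Anonymous client creation would be the same `register_clients` loop without the `Authorization` header, which is only accepted when the realm's anonymous registration policies allow it.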
