My set-up has the following:
tenant_id which uniquely identifies the tenant that the user belongs to.https://identity.example.com.https://random-number-generator-service.example.com.RandomNumberConsumer.exe. This program makes use of random-number-generator-service in the context of a tenant_id so a user needs to authenticate at some point somehow but otherwise the program does not care about the user's details, only the user's tenant's details.I understand this means that both random-number-generator-service and RandomNumberConsumer.exe are "clients".
Within IdentityServer all client software must be registered (either statically as a hardcoded list of Client object instances or with some kind of dynamic registration using a database to store client details. Obviously random-number-generator-service will have a static registration, but how should RandomNumberConsumer.exe also be registered?
Some options:
RandomNumberConsumer.exe installation (which adds a new Client registration in identity.example.com's Client database, complete with a client secret) then the user manually copies and pastes the client secret into RandomNumberConsumer.exe's configuration file. The internal database maps each client registration with the tenant_id. This has the advantage of allowing individual client access revocation, but requires the user to perform manual configuration steps which are undesirable.RandomNumberConsumer.exe without any Client Secret, but the Client application needs a GUI component with which it can authenticate the user and it stores the user's associated access_token and refresh_token in its local configuration. This has the advantage of having a much simpler user-experience (as the user would open a RandomNumberConsumerConfiguration.exe program which then opens the web-browser to access the authentication page and gets the data using a redirect_uri with a temporary localhost or custom URI scheme value) but it means the RandomNumberConsumer.exe instance is associated with an individual human user when we only want it to be associated with the tenant instead.Are there any other approaches that could be used instead?
Every instance of a client should have it's own id. random-number-generator-service should have one id (even when it runs in a web farm).
RandomNumberConsumer.exe is installed on different machines outside the domain, so should have a unique id per installation.
A client has nothing to do with a user as the sub claim is missing. The only time the client includes the sub claim is when it acts on behalf (and with consent) of the user. This can be the case for random-number-generator-service, but not for RandomNumberConsumer.exe where there is no user interaction (as it is a Windows Service) and consent is not needed as it is given when the user requested the installation.
When you are talking about a Windows Service then it is inevitable to configure the service. You can however implement configuration steps in the installer. So instead of having to build UI or hacking a configuration file, you can take the following approach:
This has the advantages you want and takes minimal steps from the user.
If the service has more configuration options and you want to give the user a UI to maintain the options then add a configuration program to the installer. This is quite common for routers and printers. There is no need for the user to login as it runs local (localhost website). You can add a link for the browser as shortcut.