More of a design principle question. If I would li...
# talk-hydra
More of a design principle question. If I would like to create an open source plugin for anyone to install, but I want the plugin authentication to be handled as a consent flow (with Kratos), should I just create some new OAuth2 client credentials and include those in the plugin so that they can authenticate themselves after installing, or is there some better way to do this (kind of like an anonymous client)? The end goal is that I don't trust my customers enough that they know how to copy & paste API credentials to the plugin (the old way of doing this).
Or could OpenID Dynamic Client bring something to the mix?
The problem with the OAuth2 solution and a pre-created client_id is that then my options through the API are to either reject all plugin consent sessions or reject all plugin consent sessions (client_id) for that specific subject (client_id). I don't have a way to reject a specific consent session. (Although there is a possibility that I have misunderstood what consent sessions are, but my understanding is that they present the token that is created by that consent session and rejecting that will reject the token also, but I can be wrong.)