Gateway Policy - API check- AuthorizationServer
Article ID: 276919

Products

CA API Gateway

Issue/Introduction

We need an assessment of what this 'openid-client-register' base policy provided by Broadcom looks like. Vulnerable to server-side request forgery.

Could you please let us know if we can disable this server?

Environment

Gateway 10.X, OTK 4.4

Resolution

Disabling the two endpoints below removes the dynamic registration feature for OpenID clients. Disabling these endpoints has no effect on other OTK endpoints.

The endpoints are located in the policy folder OTK-Server -> DMZ -> Oauth 2 -> AuthorizationServer:

Openid-client-register

Openid-client-register-configuration

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-4/openid-connect-implementation/dynamic-registration.html 

/openid/connect/register

The /openid/connect/register API implements the Dynamic Registration feature as specified at http://openid.net/specs/openid-connect-registration-1_0.html. Clients accessing this API can register themselves as OAuth clients for this OpenID Connect Provider.

The API generates an access_token with the openid_client_registration scope. This access token can be used at the API specified as “registration_client_uri” in the response of this API.
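A post-change check, added here as an example and not part of the Broadcom article or the OTK code: it posts a minimal registration request to /openid/connect/register on your own gateway and reports whether the endpoint still issues client credentials. GATEWAY_BASE, the redirect_uris value and the status codes treated as "disabled" are assumptions; the field names come from the article and the OpenID Connect Dynamic Registration spec it cites.

```python
"""Verify that OTK dynamic client registration has been disabled."""
import json
import urllib.error
import urllib.request

# Path from the article; the base URL is a placeholder for your gateway.
REGISTER_PATH = "/openid/connect/register"
GATEWAY_BASE = "https://gateway.example.com:8443"  # assumed placeholder

# Constructed client-metadata document (OpenID Connect Dynamic Registration 1.0).
SAMPLE_REGISTRATION = {
    "redirect_uris": ["https://client.example.com/cb"],  # constructed value
    "client_name": "registration-check",
}


def classify_registration_response(status: int, body: str) -> str:
    """Classify a response from /openid/connect/register.

    "open"     - the endpoint still returns a client_id together with the
                 registration_client_uri the article describes
    "disabled" - the gateway refused the request or the endpoint is gone
                 (assumed status codes for a removed policy)
    "unknown"  - anything else; inspect the response manually
    """
    if status in (403, 404, 405, 501):
        return "disabled"
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"
    if status in (200, 201) and "client_id" in data and "registration_client_uri" in data:
        return "open"
    return "unknown"


def check_endpoint(base_url: str = GATEWAY_BASE, timeout: float = 10.0) -> str:
    """POST the sample registration to the gateway and classify the live response."""
    req = urllib.request.Request(
        base_url + REGISTER_PATH,
        data=json.dumps(SAMPLE_REGISTRATION).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_registration_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body to classify
        return classify_registration_response(err.code, err.read().decode())


if __name__ == "__main__":
    print(check_endpoint())
```

Run it against a test gateway after removing the two policies; a result of "open" means the change has not taken effect.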