Return-Path: <nwatson@google.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1])
	by mail2.ietf.org (Postfix) with ESMTP id B3227F07B306
	for <oauth@mail2.ietf.org>; Mon, 18 May 2026 20:23:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1;
	t=1779161030; bh=GA/aOcBwM1IDSasPnxAnctQhCsoArc4hzLwgbzQUzj4=;
	h=References:In-Reply-To:From:Date:Subject:To:Cc;
	b=gndfrbtJ2NciKRDEZy8Ho7f2RIBDt4Hbmh+82hhZwUPvjdVTa1kHHAE0OtI+J0ttJ
	 U2mK2pN+SfHUq5B8QPxOunbtKSmYVMNuBaQCABj9W5FXU9jq097UtXVZLBnIq8VpXZ
	 VedCaEF31Ytw5bqkQAZYBc/k4vH0Ibot6snkJqq0=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -17.6
X-Spam-Level: 
X-Spam-Status: No, score=-17.6 tagged_above=-999 required=5
	tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1,
	DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
	ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001,
	RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
	USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5]
	autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key)
	header.d=google.com
Received: from mail2.ietf.org ([166.84.6.31])
	by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id oxQGerg4Sdmf for <oauth@mail2.ietf.org>;
	Mon, 18 May 2026 20:23:49 -0700 (PDT)
Received: from mail-ed1-x533.google.com (mail-ed1-x533.google.com
 [IPv6:2a00:1450:4864:20::533])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256)
	(No client certificate requested)
	by mail2.ietf.org (Postfix) with ESMTPS id D80C2F07B2FB
	for <oauth@ietf.org>; Mon, 18 May 2026 20:23:49 -0700 (PDT)
Received: by mail-ed1-x533.google.com with SMTP id
 4fb4d7f45d1cf-67f7caa33easo6436781a12.1
        for <oauth@ietf.org>; Mon, 18 May 2026 20:23:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1779161029; cv=none;
        d=google.com; s=arc-20240605;
        b=izWAZ0SczP4xLyK4oVsUBdnREqamWidRnH+5Qy09Ag7OwudiA+KdGaU78Aj4gdqJ2E
         xF8ROCAUh11OpspS8aWHXNGH/OJlUETqihRj27FVgi6WvTMwaCzCLfTGjiHy+Po10saL
         uQdImgCQtciphQ6fKPyFSNZWWuGvuDscdgHTY2rLqmalJO3iZOYF1pGCZu/OPKoG/768
         1gkDYcb5QOJAv36+KxN4ThZoNYsmvBtscoM+172fYoNVPqLuP75GCm2SIHJ29lJFtNn8
         ovrToeiRGGswwGFtKB2V7uPtYmH2v+BNPE7wvPYuQ2F1Gl9KSLY078xjXTa/iH+Q8eYb
         ippA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20240605;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:dkim-signature;
        bh=SNiT3ypj5EHeAfYZhmcee6Q/M2wtiOJvWB3/L8LcNws=;
        fh=RTng7dzltIlHXkTsKXerl8wd7Zkqb+X6KVh/BpQwzJU=;
        b=RMOw4lHEMk7d0UC+qCbG758oCbAKAFixUHDVbPI60jQS4oUpxBSO30HK4fGAydkYHf
         OBQV9PZxTR1/s+gp6kiVkKw0I9fN1lxHBYQ9Gsw/6lW4XGm1Eg2Hb9xOf559LcsZsPBd
         2n9lSMBc6gUgxnpFxw0xhg2X/nX6uDh+h/BWBZP8DqoB4BDT0DNNSjzA7omFZ0UUCOfA
         8tlFpTbGSq7oS088hpvBgXVecMTirIK5hhnbWEKNWDPxNpxzwefgqrTggAbIhZyuBy6M
         0VBlvNnTu9EhCDcWxGkk0AIy8wQSK6/pc2FPigdmeQJfmZlv9s0LH8OeIcOE/wonhuNV
         0A1w==;
        darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20251104; t=1779161029; x=1779765829; darn=ietf.org;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=SNiT3ypj5EHeAfYZhmcee6Q/M2wtiOJvWB3/L8LcNws=;
        b=oyk4/j6WZqBYAeUyvZhDsEbABSpb7GfNeeJynqRBVipzqj5EcXtetohhMrTSsEalqR
         Nl36mEPpJlyz7FurpvJdw8Id9qOGJqIBmXRkPl+UQoP8KbzYvkoppvKxMRtKlQ3Rpm14
         fze88KA5KnDKz5b7htWtmqjR32kUh9uWseG7XuzkzNzPQVEVbMO4qSHKfleFAVOYdMWt
         brUQuv8HScsDMi7msoBENP9KcI61JVlc8CgHzUvaEzU6baP1uHSJEgxKu8Zaw+gli8vt
         BYEa338mNY87ZOZi441b/D4/dVDMJcAuEECW/V+kEs0LHSli9VZ8TdKSipazrsVFhJsT
         suJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1779161029; x=1779765829;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=SNiT3ypj5EHeAfYZhmcee6Q/M2wtiOJvWB3/L8LcNws=;
        b=PJs/TIUySDAkTTp/2ur2p3xP1lD5qQaUNa4aD3KgVC8i0epuXKIWdN/RO7MCFrIR8Q
         nycDaPOJtrf8+byCaNG1d2uS48eYUyduaG8voH7qapg4Twp2UNr0dPD7viD3+4hocN5g
         ETOLEJf2AD1LWKj6yjK6F6t7bPmZVUr8lSLU4B5uLjnpyMCDn+B6UozRpKszQKyznG1n
         AKRJ/ggMBLezRv2y+Y0PVG/klj7R1qC7IpjLy0xs86waqKTEZKTM/owo6Hm3/diLMkgR
         cq5WFUFPhmt056EEGF72SfHhs3FAkL2O2MAfV1Oh3JKxQ4HJ9bqsBnQtiXpkbOuaZ887
         8tOw==
X-Forwarded-Encrypted: i=1;
 AFNElJ8RoKCbSH84L3ZrXwjIJxtLowF+gMvGJ9thNngLutl4lUs5ECG/zs0MO3AhRARA58Yuh5p9Ww==@ietf.org
X-Gm-Message-State: AOJu0Yxs+iZ5FiWRuMxAvq7s2RdE+S62db8ZjGomomZ3ZqcRGvKTnRTJ
	XY7vkhc+C9QGDHYfaTPxGPUTepbzkD5nqAEz2sPaM00gNJopLdYF2hRBFB8CBgkq2mfyAklJ0v+
	c8EeobXheVKZj7ZJrIltR1dgplTRLGAvvUOC/Pb27i+LWHCfaMRQC/J45Yb4=
X-Gm-Gg: Acq92OFWQGD9cm8rHB69ms7opywjYG/GvMSF4hyfwVdMFNeKpf3NxFh4CjnWaY+arlO
	MNCcsxLtxNReB6ly2CFGw5DLwX9lOpa8l8Mw0qmZlcKNxEIGhAqhbWYy9a0lt1ZEywqierWo0jV
	GE+qLMMayR803jYKstZ805fsXmPziup1X4fGxea8NlBfWf9ZcIFti8oevqdHNVrmXFZe/3zO+E2
	tUbS3ac5ogMWQj/YistLJ7TLoC3X01a3VfYYNMivHZsWM9cmuluDBaDew0iChOlZKyBvQ30jmOv
	FQogDM7yfFrh+4TLJgRkm8C4xSwd+SlYhugSCFB33qBpzZy7wg==
X-Received: by 2002:a17:907:8691:b0:bd2:626d:68cf with SMTP id
 a640c23a62f3a-bd517929a8cmr1031318666b.29.1779161027547; Mon, 18 May 2026
 20:23:47 -0700 (PDT)
MIME-Version: 1.0
References: 
 <CALZ8nCuvyBB7XuRUJO0EqNxXReiaRGe69d0niTGndyvUO6PZMQ@mail.gmail.com>
 <CALAqi_-CVzF2Q+z_Xvr1ShF_mA4wnXskXHX88GaZOdNZ+HK2Dg@mail.gmail.com>
 <CAMjEm+FKAYsYuh9Q2piCFw_hqCFEdN5=U5+53nEFtDpzghKSNw@mail.gmail.com>
 <CAEnJ2_XP+juU_6WFy+R3cTtCw2T16SDnrMiPJVuuM=UC2-w2fQ@mail.gmail.com>
 <CAPVrLW0hme839xoVf-A4Hu_Xzwq-zdUHCm79BnuUZ-OeTj_Qhg@mail.gmail.com>
 <ME5P282MB59806F9936609237D59B69989D002@ME5P282MB5980.AUSP282.PROD.OUTLOOK.COM>
In-Reply-To: 
 <ME5P282MB59806F9936609237D59B69989D002@ME5P282MB5980.AUSP282.PROD.OUTLOOK.COM>
From: Nick Watson <nwatson@google.com>
Date: Mon, 18 May 2026 20:23:35 -0700
X-Gm-Features: AVHnY4JqEYhAjo0KlwrYaN6ebTXPnKjMxUWI8leUBM4PmyyYZ51-opQv5HpUeGQ
Message-ID: 
 <CALZ8nCt2JSqqbCSE80cBqz93g=kRZOH7zYueW93S+ouKCXT_fw@mail.gmail.com>
To: Tobias Looker <tobias.looker=40mattr.global@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000c7b8f0652233591"
Message-ID-Hash: AMAUH4CPORMNZGPSE2EDZ55K7PGAE2ZO
X-Message-ID-Hash: AMAUH4CPORMNZGPSE2EDZ55K7PGAE2ZO
X-MailFrom: nwatson@google.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; header-match-oauth.ietf.org-0;
 nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size;
 news-moderation; no-subject; digests; suspicious-header
CC: Karl McGuinness <me@karlmcguinness.com>,
 Andy Barlow <0xandybarlow@gmail.com>, OAuth WG <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: =?utf-8?q?=5BOAUTH-WG=5D_Re=3A_AS_Metadata_client_id_parameter_draft?=
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: 
 <https://mailarchive.ietf.org/arch/msg/oauth/60dpC2H60jbHFltQVswa2e1DSZE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

--0000000000000c7b8f0652233591
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

https://github.com/oauth-wg/draft-ietf-oauth-client-id-metadata-document/is=
sues/78
is the proposal I made for CIMD.

On Mon, May 18, 2026 at 8:13=E2=80=AFPM Tobias Looker <tobias.looker=3D
40mattr.global@dmarc.ietf.org> wrote:

> Also very supportive of this, including the further feature that Karl
> suggested r.e CIMD. Being able to gradually roll change by providing clie=
nt
> specific AS metadata or better still, metadata based on what the client i=
s
> known to support via CIMD, would significantly improve many OAuth
> deployments.
>
> Thanks,
> [image: MATTR website] <https://mattr.global/>
>
> *Tobias Looker*
> CTO
> +64 27 378 0461 <+64%2027%20378%200461>
> tobias.looker@mattr.global
> [image: MATTR website] <https://mattr.global/> [image: MATTR on LinkedIn]
> <https://www.linkedin.com/company/mattrglobal> [image: MATTR on Twitter]
> <https://twitter.com/mattrglobal> [image: MATTR on Github]
> <https://github.com/mattrglobal>
>
> This communication, including any attachments, is confidential. If you ar=
e
> not the intended recipient, you should not read it =E2=80=93 please conta=
ct me
> immediately, destroy it, and do not copy or use any part of this
> communication or disclose anything about it. Thank you. Please note that
> this communication does not designate an information system for the
> purposes of the Electronic Transactions Act 2002.
>
> *From: *Karl McGuinness <me@karlmcguinness.com>
> *Date: *Tuesday, 19 May 2026 at 3:02=E2=80=AFPM
> *To: *Max Gerber <max=3D40stytch.com@dmarc.ietf.org>
> *Cc: *Andy Barlow <0xandybarlow@gmail.com>; Nick Watson <nwatson=3D
> 40google.com@dmarc.ietf.org>; OAuth WG <oauth@ietf.org>
> *Subject: *[OAUTH-WG] Re: AS Metadata client id parameter draft
>
> EXTERNAL EMAIL: This email originated outside of our organisation. Do not
> click links or open attachments unless you recognise the sender and know
> the content is safe.
>
> I strongly support standardizing an approach for a per-client metadata
> mechanism to enable discovery of client-specific metadata values and redu=
ce
> change management risk as folks have indicated.  Okta shipped support for
> client_id as query param for similar reasons almost 10 years ago!
>
> I also think we need to consider the inverse for OAuth Client ID Metadata
> Document (CIMD) where the authorization server identifier is an optional
> parameter for the same reasons.
>
> -Karl
>
>
>
>
>
> On Mon, May 18, 2026 at 5:27=E2=80=AFPM Max Gerber <max=3D
> 40stytch.com@dmarc.ietf.org> wrote:
>
> It's a really interesting idea. Thanks Filip for the slides as well!
>
> > (1) do gradual rollouts of AS metadata changes client by client
>
> I 100% see the value in better-supporting gradual rollouts. Today, an AS
> can try * (emphasis on try!)* to feature flag responses based on IP
> address or User-Agent but both of those are *very* poor signals.
>
> > (2) customize metadata if necessary
>
> I am not a fan of long-lived customizations of metadata to support legacy
> clients, though I understand gradual rollouts and long-lived legacy flags
> are two sides of the same coin. I know it is not always possible or
> reasonable, but I would rather break old, insecure, and unmaintained
> clients than build tools to accommodate them.
>
> The security considerations could be worrisome; you call out that an
> attacker could enumerate which legacy features an AS still supports for a
> given client.
> This differs from observing that client's behavior=E2=80=94a client might=
 remove
> the use of the `implicit` grant from their flow, but still be permitted b=
y
> the AS to use it for legacy reasons. Using this endpoint, an attacker cou=
ld
> determine that fact and attempt to exploit it.
>
>
> On Mon, May 18, 2026 at 10:08=E2=80=AFAM Andy Barlow <0xandybarlow@gmail.=
com>
> wrote:
>
> I fully support any and all effort on this topic.
>
> On Mon, 18 May 2026 at 17:58, Filip Skokan <panva.ip@gmail.com> wrote:
>
> Hello Nick,
>
> Let me know what you all think.
>
>
> Back at IETF 121 I presented this related/similar idea:
>
>    - https://youtu.be/_kNpecjcj64?t=3D6354
>    -
>    https://datatracker.ietf.org/meeting/121/materials/slides-121-oauth-se=
ssa-client-id-hint-for-authorization-server-metadata-requests-00
>
> I haven't had a chance to follow up on it since
>
> S pozdravem,
> *Filip Skokan*
>
>
> On Mon, 18 May 2026 at 17:09, Nick Watson <nwatson=3D
> 40google.com@dmarc.ietf.org> wrote:
>
>
> https://njwatson32.github.io/as-metadata-client-id/draft-watson-oauth-as-=
metadata-client-id.html
>
> I've written up a quick draft on supporting a client_id parameter on AS
> Metadata, which would allow the AS to (1) do gradual rollouts of AS
> metadata changes client by client and (2) customize metadata if necessary
> (e.g. for clients participating in beta programs of upcoming drafts).
>
> AS can also choose to ignore the client_id parameter completely and
> continue serving a statically cached global AS metadata file.
>
> I had this idea recently when implementing support for 9207 (iss
> parameter) and running into poorly behaved clients handling these updates
> badly. The draft I'm proposing would have allowed me to avoid making glob=
al
> changes to AS metadata, and even do a synchronized rollout of returning
> `iss` from the authorization endpoint and
> declaring authorization_response_iss_parameter_supported.
>
> Let me know what you all think.
>
> Nick
>
> PS: I've also proposed the "reverse" of this for CIMD in this issue
> <https://github.com/oauth-wg/draft-ietf-oauth-client-id-metadata-document=
/issues/78>
> .
>
> --
> Nick Watson | Software Engineer | nwatson@google.com | (781) 608-3352
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>
>

--0000000000000c7b8f0652233591
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><a href=3D"https://github.com/oauth-wg/draft-ietf-oauth-cl=
ient-id-metadata-document/issues/78">https://github.com/oauth-wg/draft-ietf=
-oauth-client-id-metadata-document/issues/78</a> is the proposal I made for=
 CIMD.</div><br><div class=3D"gmail_quote gmail_quote_container"><div dir=
=3D"ltr" class=3D"gmail_attr">On Mon, May 18, 2026 at 8:13=E2=80=AFPM Tobia=
s Looker &lt;tobias.looker=3D<a href=3D"mailto:40mattr.global@dmarc.ietf.or=
g">40mattr.global@dmarc.ietf.org</a>&gt; wrote:<br></div><blockquote class=
=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rg=
b(204,204,204);padding-left:1ex">



<div>
<div style=3D"direction:ltr;font-family:Aptos,Arial,Helvetica,sans-serif;fo=
nt-size:12pt;color:rgb(0,0,0)">
Also very supportive of this, including the further feature that Karl sugge=
sted r.e CIMD. Being able to gradually roll change by providing client spec=
ific AS metadata or better still, metadata based on what the client is know=
n to support via CIMD, would significantly
 improve many OAuth deployments.</div>
<div style=3D"direction:ltr;font-family:Aptos,Arial,Helvetica,sans-serif;fo=
nt-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style=3D"direction:ltr;font-family:Aptos,Arial,Helvetica,sans-serif;fo=
nt-size:12pt;color:rgb(0,0,0)">
Thanks,</div>
<div id=3D"m_-1843788341113937848ms-outlook-mobile-signature" style=3D"colo=
r:inherit;background-color:inherit">
<table id=3D"m_-1843788341113937848table_0" cellspacing=3D"0" cellpadding=
=3D"0" border=3D"0" style=3D"text-align:left;text-transform:none;color:rgb(=
0,0,0)">
<tbody>
<tr>
<td style=3D"text-align:left;line-height:16px;text-transform:none;vertical-=
align:top;width:125px">
<span style=3D"font-family:&quot;Helvetica Neue&quot;,Helvetica,Arial,sans-=
serif;font-size:11px;color:rgb(15,173,225)"><a href=3D"https://mattr.global=
/" style=3D"color:rgb(15,173,225);border-width:medium;border-style:none;bor=
der-color:currentcolor" target=3D"_blank"><img src=3D"https://mattr.global/=
assets/images/MattrLogo.png" alt=3D"MATTR website" id=3D"m_-184378834111393=
7848img-6a083703-95c5-4947-9cf4-258e193e7a21" width=3D"125" style=3D"width:=
 125px; height: auto; max-width: 100%;"></a></span></td>
<td style=3D"text-align:left;line-height:16px;text-transform:none;width:16p=
x">
</td>
<td style=3D"text-align:left;line-height:16px;text-transform:none;vertical-=
align:top;color:rgb(51,49,50)">
<table id=3D"m_-1843788341113937848table_1" cellspacing=3D"0" cellpadding=
=3D"0" border=3D"0" style=3D"text-align:left;line-height:16px;text-transfor=
m:none">
<tbody>
<tr>
<td style=3D"text-align:left;line-height:16px;text-transform:none">
<div style=3D"text-align:left;line-height:16px;text-transform:none;font-fam=
ily:&quot;Helvetica Neue&quot;,Helvetica,Arial,sans-serif;font-size:12px">
<b>Tobias Looker</b></div>
</td>
</tr>
<tr>
<td style=3D"text-align:left;line-height:16px;text-transform:none">
<div style=3D"text-align:left;line-height:16px;text-transform:none;font-fam=
ily:&quot;Helvetica Neue&quot;,Helvetica,Arial,sans-serif;font-size:11px">
CTO</div>
</td>
</tr>
<tr>
<td style=3D"text-align:left;line-height:16px;text-transform:none;padding-t=
op:12px">
<div style=3D"text-align:left;line-height:16px;text-transform:none;font-fam=
ily:&quot;Helvetica Neue&quot;,Helvetica,Arial,sans-serif;font-size:11px;co=
lor:rgb(51,49,50)">
<a href=3D"tel:+64%2027%20378%200461" value=3D"+64273780461" target=3D"_bla=
nk">+64 27 378 0461</a><br>
tobias.looker@mattr.global</div>
</td>
</tr>
<tr>
<td style=3D"text-align:left;line-height:16px;text-transform:none;padding-t=
op:12px">
<table cellspacing=3D"0" cellpadding=3D"0" border=3D"0" style=3D"text-align=
:left;line-height:16px;text-transform:none">
<tbody>
<tr>
<td style=3D"text-align:left;line-height:16px;text-transform:none;width:40p=
x">
<span style=3D"font-family:&quot;Helvetica Neue&quot;,Helvetica,Arial,sans-=
serif;font-size:11px;color:rgb(51,49,50)"><a href=3D"https://mattr.global/"=
 style=3D"color:rgb(51,49,50);margin-right:12px;border-width:medium;border-=
style:none;border-color:currentcolor" target=3D"_blank"><img src=3D"https:/=
/mattr.global/assets/images/website.png" alt=3D"MATTR website" id=3D"m_-184=
3788341113937848img-1828b526-4d63-40f6-a8e7-f11eecf9ebfc" width=3D"24" heig=
ht=3D"40" style=3D"width: 24px; height: 40px; max-width: 100%;"></a></span>=
</td>
<td style=3D"text-align:left;line-height:16px;text-transform:none;width:40p=
x">
<span style=3D"font-family:&quot;Helvetica Neue&quot;,Helvetica,Arial,sans-=
serif;font-size:11px;color:rgb(51,49,50)"><a href=3D"https://www.linkedin.c=
om/company/mattrglobal" style=3D"color:rgb(51,49,50);margin-right:12px;bord=
er-width:medium;border-style:none;border-color:currentcolor" target=3D"_bla=
nk"><img src=3D"https://mattr.global/assets/images/linkedin.png" alt=3D"MAT=
TR on LinkedIn" id=3D"m_-1843788341113937848img-2275f8aa-b867-4f15-83c5-57c=
f299e0c17" width=3D"24" height=3D"40" style=3D"width: 24px; height: 40px; m=
ax-width: 100%;"></a></span></td>
<td style=3D"text-align:left;line-height:16px;text-transform:none;width:40p=
x">
<span style=3D"font-family:&quot;Helvetica Neue&quot;,Helvetica,Arial,sans-=
serif;font-size:11px;color:rgb(51,49,50)"><a href=3D"https://twitter.com/ma=
ttrglobal" style=3D"color:rgb(51,49,50);margin-right:12px;border-width:medi=
um;border-style:none;border-color:currentcolor" target=3D"_blank"><img src=
=3D"https://mattr.global/assets/images/twitter.png" alt=3D"MATTR on Twitter=
" id=3D"m_-1843788341113937848img-d204a047-4796-4b6c-88fb-ccd3ec1f863e" wid=
th=3D"24" height=3D"40" style=3D"width: 24px; height: 40px; max-width: 100%=
;"></a></span></td>
<td style=3D"text-align:left;line-height:16px;text-transform:none;width:40p=
x">
<span style=3D"font-family:&quot;Helvetica Neue&quot;,Helvetica,Arial,sans-=
serif;font-size:11px;color:rgb(51,49,50)"><a href=3D"https://github.com/mat=
trglobal" style=3D"color:rgb(51,49,50);margin-right:12px;border-width:mediu=
m;border-style:none;border-color:currentcolor" target=3D"_blank"><img src=
=3D"https://mattr.global/assets/images/github.png" alt=3D"MATTR on Github" =
id=3D"m_-1843788341113937848img-85dbdb2d-b3b7-4d00-80d5-3167845204c8" width=
=3D"24" height=3D"40" style=3D"width: 24px; height: 40px; max-width: 100%;"=
></a></span></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<div><span style=3D"color:rgb(0,0,0)"><br>
</span><span style=3D"color:rgb(118,118,118)"><small style=3D"text-decorati=
on-line:none;color:rgb(118,118,118);font-family:&quot;Helvetica Neue&quot;,=
Helvetica,Arial,sans-serif;font-size:8px;line-height:14px;background-color:=
inherit">This
 communication, including any attachments, is confidential. If you are not =
the intended recipient, you should not read it =E2=80=93 please contact me =
immediately, destroy it, and do not copy or use any part of this communicat=
ion or disclose anything about it. Thank
 you. Please note that this communication does not designate an information=
 system for the purposes of the Electronic Transactions Act 2002.</small></=
span></div>
<div style=3D"direction:ltr"><br>
</div>
</div>
<div id=3D"m_-1843788341113937848mail-editor-reference-message-container" s=
tyle=3D"color:inherit;background-color:inherit">
<div style=3D"direction:ltr">
</div>
<div style=3D"padding:3pt 0in 0in;border-width:1pt medium medium;border-sty=
le:solid none none;border-color:rgb(181,196,223) currentcolor currentcolor"=
>
<div style=3D"text-align:left;font-family:Aptos;font-size:12pt;color:black"=
>
<b>From: </b>Karl McGuinness &lt;<a href=3D"mailto:me@karlmcguinness.com" t=
arget=3D"_blank">me@karlmcguinness.com</a>&gt;<br>
<b>Date: </b>Tuesday, 19 May 2026 at 3:02=E2=80=AFPM<br>
<b>To: </b>Max Gerber &lt;max=3D<a href=3D"mailto:40stytch.com@dmarc.ietf.o=
rg" target=3D"_blank">40stytch.com@dmarc.ietf.org</a>&gt;<br>
<b>Cc: </b>Andy Barlow &lt;<a href=3D"mailto:0xandybarlow@gmail.com" target=
=3D"_blank">0xandybarlow@gmail.com</a>&gt;; Nick Watson &lt;nwatson=3D<a hr=
ef=3D"mailto:40google.com@dmarc.ietf.org" target=3D"_blank">40google.com@dm=
arc.ietf.org</a>&gt;; OAuth WG &lt;<a href=3D"mailto:oauth@ietf.org" target=
=3D"_blank">oauth@ietf.org</a>&gt;<br>
<b>Subject: </b>[OAUTH-WG] Re: AS Metadata client id parameter draft<br>
<br>
</div>
</div>
<div id=3D"m_-1843788341113937848footer" style=3D"background-color:rgb(255,=
235,156);width:100%;font-size:10px;border:1px solid rgb(156,101,0);padding:=
2pt;color:inherit">
EXTERNAL EMAIL: This email originated outside of our organisation. Do not c=
lick links or open attachments unless you recognise the sender and know the=
 content is safe.</div>
<div style=3D"direction:ltr">
<br>
</div>
<div style=3D"direction:ltr">
I strongly support standardizing an approach for a per-client metadata mech=
anism to enable discovery of client-specific metadata values and reduce cha=
nge management risk as folks have indicated.=C2=A0 Okta=C2=A0shipped suppor=
t for client_id as query param for similar
 reasons almost 10 years ago!<br>
<br>
I also think we need to consider the inverse for OAuth Client ID Metadata D=
ocument (CIMD) where the=C2=A0authorization server identifier is an optiona=
l parameter for the same reasons.=C2=A0 =C2=A0</div>
<div style=3D"direction:ltr">
<br>
</div>
<div style=3D"direction:ltr">
-Karl</div>
<div style=3D"direction:ltr">
<br>
</div>
<div style=3D"direction:ltr">
<br>
</div>
<div style=3D"direction:ltr">
<br>
</div>
<div style=3D"direction:ltr">
=C2=A0</div>
<div style=3D"direction:ltr">
<br>
</div>
<div class=3D"gmail_attr" style=3D"direction:ltr">On Mon, May 18, 2026 at 5=
:27=E2=80=AFPM Max Gerber &lt;max=3D<a href=3D"mailto:40stytch.com@dmarc.ie=
tf.org" target=3D"_blank">40stytch.com@dmarc.ietf.org</a>&gt; wrote:</div>
<blockquote style=3D"margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left:=
1px solid rgb(204,204,204)">
<div class=3D"gmail_quote" style=3D"direction:ltr">It&#39;s a really intere=
sting idea. Thanks Filip for the slides as well!<br>
<br>
&gt; (1) do gradual rollouts of AS metadata changes client by client<br>
<br>
I 100% see the value in better-supporting gradual rollouts. Today, an AS ca=
n try <i>
(emphasis on try!)</i>=C2=A0to feature flag responses based on IP address o=
r User-Agent but both of those are
<i>very</i>=C2=A0poor signals.<br>
<br>
&gt;=C2=A0(2) customize metadata=C2=A0if necessary=C2=A0<br>
<br>
I am not a fan of long-lived customizations of metadata to support legacy c=
lients, though I understand gradual rollouts and long-lived legacy flags ar=
e two sides of the same coin. I know it is not always possible or reasonabl=
e, but I would rather break old,
 insecure, and unmaintained clients than build tools to accommodate them.</=
div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
The security considerations could be worrisome; you call out that an attack=
er could enumerate=C2=A0which legacy features an AS still supports for a gi=
ven client.<br>
This differs from observing that client&#39;s behavior=E2=80=94a client mig=
ht remove the use of the `implicit` grant from their flow, but still be per=
mitted by the AS to use it for legacy reasons. Using this endpoint, an atta=
cker could determine that fact and attempt to
 exploit it.<br>
<br>
</div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_attr" style=3D"direction:ltr">On Mon, May 18, 2026 at 1=
0:08=E2=80=AFAM Andy Barlow &lt;<a href=3D"mailto:0xandybarlow@gmail.com" t=
arget=3D"_blank">0xandybarlow@gmail.com</a>&gt; wrote:</div>
<blockquote style=3D"margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left:=
1px solid rgb(204,204,204)">
<div class=3D"gmail_quote" style=3D"direction:ltr">I fully support any and =
all effort on this topic.</div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_attr" style=3D"direction:ltr">On Mon, 18 May 2026 at 17=
:58, Filip Skokan &lt;<a href=3D"mailto:panva.ip@gmail.com" target=3D"_blan=
k">panva.ip@gmail.com</a>&gt; wrote:</div>
<blockquote style=3D"margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left:=
1px solid rgb(204,204,204)">
<div class=3D"gmail_quote" style=3D"direction:ltr">Hello Nick,</div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<blockquote style=3D"margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left:=
1px solid rgb(204,204,204)">
<div class=3D"gmail_quote" style=3D"direction:ltr">Let me know what you all=
 think.</div>
</blockquote>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_quote" style=3D"direction:ltr">Back at IETF 121 I prese=
nted this related/similar idea:</div>
<ul style=3D"direction:ltr">
<li style=3D"direction:ltr"><a href=3D"https://youtu.be/_kNpecjcj64?t=3D635=
4" target=3D"_blank">https://youtu.be/_kNpecjcj64?t=3D6354</a></li><li styl=
e=3D"direction:ltr"><a href=3D"https://datatracker.ietf.org/meeting/121/mat=
erials/slides-121-oauth-sessa-client-id-hint-for-authorization-server-metad=
ata-requests-00" target=3D"_blank">https://datatracker.ietf.org/meeting/121=
/materials/slides-121-oauth-sessa-client-id-hint-for-authorization-server-m=
etadata-requests-00</a></li></ul>
<div class=3D"gmail_quote" style=3D"direction:ltr">I haven&#39;t had a chan=
ce to follow up on it since</div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_signature" style=3D"direction:ltr">S pozdravem,<br>
<b>Filip Skokan</b></div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_attr" style=3D"direction:ltr">On Mon, 18 May 2026 at 17=
:09, Nick Watson &lt;nwatson=3D<a href=3D"mailto:40google.com@dmarc.ietf.or=
g" target=3D"_blank">40google.com@dmarc.ietf.org</a>&gt; wrote:</div>
<blockquote style=3D"margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left:=
1px solid rgb(204,204,204)">
<div class=3D"gmail_quote" style=3D"direction:ltr"><a href=3D"https://njwat=
son32.github.io/as-metadata-client-id/draft-watson-oauth-as-metadata-client=
-id.html" target=3D"_blank">https://njwatson32.github.io/as-metadata-client=
-id/draft-watson-oauth-as-metadata-client-id.html</a></div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_quote" style=3D"direction:ltr">I&#39;ve written up a qu=
ick draft on supporting a client_id parameter on AS Metadata, which would a=
llow the AS to (1) do gradual rollouts of AS metadata changes client by cli=
ent and (2) customize metadata=C2=A0if necessary
 (e.g. for clients participating in beta programs of upcoming drafts).</div=
>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_quote" style=3D"direction:ltr">AS can also choose to ig=
nore the client_id parameter completely and continue serving a statically c=
ached global AS metadata=C2=A0file.</div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_quote" style=3D"direction:ltr">I had this idea recently=
 when implementing support for 9207 (iss parameter) and running into poorly=
 behaved clients handling these updates badly. The draft I&#39;m proposing =
would have allowed me to avoid making
 global changes to AS metadata, and even do a synchronized rollout of retur=
ning `iss` from the authorization endpoint and declaring=C2=A0authorization=
_response_iss_parameter_supported.</div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_quote" style=3D"direction:ltr">Let me know what you all=
 think.</div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_quote" style=3D"direction:ltr">Nick</div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_quote" style=3D"direction:ltr">PS: I&#39;ve also propos=
ed the &quot;reverse&quot; of this for CIMD in this
<a href=3D"https://github.com/oauth-wg/draft-ietf-oauth-client-id-metadata-=
document/issues/78" target=3D"_blank">
issue</a>.</div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_quote" style=3D"direction:ltr">--</div>
<div class=3D"gmail_signature" style=3D"direction:ltr;line-height:1.5em;mar=
gin-top:10px;padding-top:10px;font-family:sans-serif;font-size:9.75pt;color=
:rgb(85,85,85)">
Nick Watson=C2=A0|=C2=A0Software Engineer | <a href=3D"mailto:nwatson@googl=
e.com" target=3D"_blank">
nwatson@google.com</a>=C2=A0|=C2=A0<a href=3D"tel:(781)%20608-3352" value=
=3D"+17816083352" target=3D"_blank">(781) 608-3352</a></div>
<div class=3D"gmail_quote">_______________________________________________<=
br>
OAuth mailing list -- <a href=3D"mailto:oauth@ietf.org" target=3D"_blank">
oauth@ietf.org</a><br>
To unsubscribe send an email to <a href=3D"mailto:oauth-leave@ietf.org" tar=
get=3D"_blank">
oauth-leave@ietf.org</a></div>
</blockquote>
<div class=3D"gmail_quote">_______________________________________________<=
br>
OAuth mailing list -- <a href=3D"mailto:oauth@ietf.org" target=3D"_blank">
oauth@ietf.org</a><br>
To unsubscribe send an email to <a href=3D"mailto:oauth-leave@ietf.org" tar=
get=3D"_blank">
oauth-leave@ietf.org</a></div>
</blockquote>
<div class=3D"gmail_quote">_______________________________________________<=
br>
OAuth mailing list -- <a href=3D"mailto:oauth@ietf.org" target=3D"_blank">
oauth@ietf.org</a><br>
To unsubscribe send an email to <a href=3D"mailto:oauth-leave@ietf.org" tar=
get=3D"_blank">
oauth-leave@ietf.org</a></div>
</blockquote>
<div class=3D"gmail_quote">_______________________________________________<=
br>
OAuth mailing list -- <a href=3D"mailto:oauth@ietf.org" target=3D"_blank">
oauth@ietf.org</a><br>
To unsubscribe send an email to <a href=3D"mailto:oauth-leave@ietf.org" tar=
get=3D"_blank">
oauth-leave@ietf.org</a></div>
</blockquote>
</div>
</div>

</blockquote></div>

--0000000000000c7b8f0652233591--

