[OAUTH-WG] Dynamic Client Registration

Hannes Tschofenig <hannes.tschofenig@gmx.net> Sat, 02 November 2013 10:22 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 1C4F811E81C6 for <oauth@ietfa.amsl.com>; Sat, 2 Nov 2013 03:22:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 2ejzKaOBkMgg for <oauth@ietfa.amsl.com>; Sat, 2 Nov 2013 03:22:09 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net []) by ietfa.amsl.com (Postfix) with ESMTP id 98BD311E8186 for <oauth@ietf.org>; Sat, 2 Nov 2013 03:21:46 -0700 (PDT)
Received: from masham-mac.home ([]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0MhNk6-1VH14d0rpa-00MZvD for <oauth@ietf.org>; Sat, 02 Nov 2013 11:21:45 +0100
Message-ID: <5274D238.8070803@gmx.net>
Date: Sat, 02 Nov 2013 11:21:44 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/20130216 Thunderbird/17.0.3
MIME-Version: 1.0
To: "oauth@ietf.org WG" <oauth@ietf.org>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:pSNrfZdRfNvXoLVlsL6AG8P3EhK1V1mOYhJ0GYfOjG9yo30ZaVJ /YipArn6k9D+zLjdmxzniNYdaL9xJ0ejKV2nLmr+W+o8iSHE6TLRnSEZ2xc5Mi5IFjd8cpp AiVEjg31Wtd3Ke4ckzkWSylyq77NtYucOCDCYcM4+CiRNpEz/yH36fY1QQjyAmpJqEIhy4q nVkee9G4ZDZ2Q/7fDKNsQ==
Subject: [OAUTH-WG] Dynamic Client Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Nov 2013 10:22:15 -0000

Hi all,

reading througth various dynamic client registration document I get the 
impression that there is one area of potential disconnect, namely in the 
end user / developer experience.

When OpenID started this concept that a random IdP could talk to a 
random RP it seemed like a great idea. There was no need to exchange 
secrets and go through this complicated introduction process between the 
different parties, which sometimes even required business argeements. 
Those processes were known from Kerberos and also from the SAML identity 

OpenID looked at the entire step from a technical point of view in an 
attempt to exchange the necessary information and then you were done 
with it.

However, there was a bit more to this whole process, namely the entire 
notion of trust. In particular, there was the problem that the IdP would 
hand out information (personal data) to RPs only based on the user's 
consent. Of course, things could go wrong and some RPs misused the data 
given by the RP. The IdP couldn't really do anything about that since it 
knew nothing about the developer at the RP or the RP itself.

So, how does the IdP ensure that it has some way to improve security and 
privacy of their users without handing out just everything. Of course, 
the IdP had it's own interest to know to know data is being passed to.

Jumping to OAuth many deployments required developers to register and 
this registration procedure might require lots of information (such as 
credit card number, phone number, agreeing the terms of service, etc.). 
So, in many cases it wasn't purely about giving the developer a 
client-id and a shared secret for the client application.

Now, here is the challenge: there are obviously different environments 
developers produce software for (such as the Web, the mobile app 
eco-system, and enterprise environments). They might all have different 
processes and expectations about the entire process.

We have pretty much short-cut the entire story to the purely technical 
parts, namely to sending messages around and defining new attributes and 
have done very little in describing the process itself that we assume 
takes place.

I know that you have these processes in your head when you write your 
documents and in discussions I have heard about these processes. 
Unfortunately, they aren't really documented anywhere. I guess it is 
needless to say that the expectations about how enterprises plan to 
deploy software vs. how the same is done for the Web is somewhat different.

So, I believe it is useful to chat about these aspects even though they 
may just lead to a few paragraphs in our documents providing background 
information rather than actual normative specification text.