Re: [OAUTH-WG] draft-hunt-oauth-client-association-00

Phil Hunt <> Fri, 01 November 2013 19:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 244CA11E813D for <>; Fri, 1 Nov 2013 12:56:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.278
X-Spam-Status: No, score=-6.278 tagged_above=-999 required=5 tests=[AWL=0.321, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4jWORPiIOEQJ for <>; Fri, 1 Nov 2013 12:56:45 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id E220521E80E8 for <>; Fri, 1 Nov 2013 12:56:32 -0700 (PDT)
Received: from ( []) by (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id rA1JuMhU012189 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 1 Nov 2013 19:56:22 GMT
Received: from ( []) by (8.14.4+Sun/8.14.4) with ESMTP id rA1JuL1K009017 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 1 Nov 2013 19:56:22 GMT
Received: from ( []) by (8.14.4+Sun/8.14.4) with ESMTP id rA1JuLKD009002; Fri, 1 Nov 2013 19:56:21 GMT
Received: from [] (/ by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 01 Nov 2013 12:56:21 -0700
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: Phil Hunt <>
In-Reply-To: <>
Date: Fri, 1 Nov 2013 12:56:11 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: Hannes Tschofenig <>
X-Mailer: Apple Mail (2.1510)
X-Source-IP: []
Cc: " WG" <>
Subject: Re: [OAUTH-WG] draft-hunt-oauth-client-association-00
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 01 Nov 2013 19:56:50 -0000


Great timing!

This is an aspect that I think deserves more discussion. One of the challenges was to draw a clear line of distinction between transient and dynamic.  

Transient clients are really meant for javascript clients that decide to connect to a particular end-point on the fly.  Note you can still have "static" javascript clients that are hard coded to connect and have already received a client_id through an out-of-band process.



On 2013-11-01, at 12:01 PM, Hannes Tschofenig <> wrote:

> Hi Phil, Hi Tony, Hi all,
> I re-read the document and I believe the most important concept it introduces is the classification of different associations, namely into 'static', 'dynamic', and 'transient'. This is certainly something worthwhile to discuss during the meeting and to ensure that it is well understood, and that there are only these three classes (rather than two or four).
> The description in the introduction makes the differentiation between the three concepts mostly based on how the endpoints are configured in the application.
> With the static association the endpoint is hard-coded into the software during the development time. It cannot be changed. With the two other cases the endpoint can be changed. As such, the difference between the 'dynamic', and 'transient' association seems to be in the terms of how long the lifetime of the association. Now, what exactly is the lifetime of an association? Is the lifetime of the association understood as the lifetime of the configured endpoint identifier?
> Then, when I re-read the text in Section 1 again then I suddenly get the impression that the lifetime of the association actually does not matter but instead the difference is rather whether the client is public or confidential. Is that true?
> If it isn't true that this is the feature that makes the distinction between 'dynamic', and 'transient' then the notion of "public" vs. "confidential" client isn't too important for the rest of the document.
> Ciao
> Hannes
> _______________________________________________
> OAuth mailing list