Re: [OAUTH-WG] Dynamic Client Registration in trusted federation

George Fletcher <> Fri, 01 June 2018 15:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E0FE812D890 for <>; Fri, 1 Jun 2018 08:21:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id IsZn6QSKO6Kq for <>; Fri, 1 Jun 2018 08:21:22 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A136C1205F0 for <>; Fri, 1 Jun 2018 08:21:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=a2048; t=1527866480; bh=34szvtU81tIGEdfUW6JtMYOJHNiPOJity1RtkKC9PVw=; h=Subject:To:References:From:Date:In-Reply-To:From:Subject; b=bhNMLlHu5Yrzd9hafk+ttSYtKYYssYnWkk69kIhh9FjdtVHI1cqnrovkTSBa18krJxf34y9dyDqredIZ/JtnlT00pL7C87CF6eLLuvp17q2Hk7u7FGhhlMz0H4uimx2p1EjdDb5K0H94/TxnYNhsvi6Gr0zRyqF/MAmMpP8deIUJnCnXGOp1egN/nWhgSJ2aglELfr+UTQkkvA+31HQjPSlIym9UFn6nLHKIpcOnPTUA4eJo45cvjVLhtLtoSoF/q3f652Em/b/ftzz17J7nkLjNLibvBTIjgo8oqeSWx/CjgieuaA9QIwHO8mGkQBA/8jfA5dUCt+SbV6ARhGM/jg==
X-YMail-OSG: 9yBJun4VM1lrkLau0388NBx5o02apY7IyijRyO5yTu670ehrErgLpxxCYvvgCQ6 .IlAqgOSztfOck.d2OKU2_CRvRXX09JjtSzZOAlJGm57JgUQm4N2xMbg7um0iFJoaLjI7GQZptkl VXD_pjXRjZVS3uLm9tfNKI3wNVbsIC.5b8lplvng2PyfxhjgWUwT46BOWnLngxTKo4kKc8ga9yHw wq1we1dfz.9mCDIT4L2xkfd4yNnxctahcH49KYLChIg6EFneyA9W0Ky.HYI9WG3VvrUev21KZu5m M9ymkUfDR8dmucWIzh5dSKnNjVoNJXgwz3EO1Wh7P1c0Oa868A4vmKqzmj3oPUq9wAY5txolF.Wi tPJOjGfRnDsb51eG4fDKPyNnH2eWRdfcJGm_2dZ1LVGB0jfWDy8Jweo2KOZcMI7pRpubX8kBVnw1 IVfR8x..cv9NFRyBQaeAGAyYqFt3HE6GQUq22yS_3Bn90bY4Ys1JFGXt2MlhWi47qhV.aOe1g1EV 7x2EAI9cVxynJvQsHAzMflZylCK.cmyvYw6OqIcGo06gvn.rq1nuHV.SeV6SFSNkUhf.FXON04od O8X1RuuslVyf78dL3MGjErjn1S4Ib1OmU9LgGWCL9hOtUCjqh65u8BSKHjq7ltXfhCyw8lEXcQk5 iH6_wcgMsj6YdwkdZLf7Xs5o_9sSGTsA4R2CVZ1LrreoD7A--
Received: from by with HTTP; Fri, 1 Jun 2018 15:21:20 +0000
Received: from (EHLO []) ([]) by (Oath Hermes SMTP Server) with ESMTPA ID 130ff5da5f052be1f1b25ca9478601d9; Fri, 01 Jun 2018 15:21:20 +0000 (UTC)
To: Matt Pryor - UKRI STFC <>, "" <>
References: <> <> <>
From: George Fletcher <>
Organization: AOL LLC
Message-ID: <>
Date: Fri, 1 Jun 2018 11:21:19 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------1852B830AFA6D3FE0513CBF1"
Content-Language: en-US
Archived-At: <>
Subject: Re: [OAUTH-WG] Dynamic Client Registration in trusted federation
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 01 Jun 2018 15:21:25 -0000

Hi Matt,

I think your use case is fully within the use cases enabled by 

A per client software-statement allows you to tighten the security model 
(if desired). For example binding the software-statement to the client 
presenting it in such a way as to have a cryptographic trust chain. 
Unfortunately, the specifications are not clear about the best way to do 
this. The Client Registration Request does allow for "extension 
parameters" so that may be a way to add what's necessary.


On 6/1/18 10:33 AM, Matt Pryor - UKRI STFC wrote:
> Hi George,
> That did occur to me. It seemed like a bit of an abuse of the software-statement system, but maybe it is partially intended for this.
> It still needs us to securely distribute the software statement as well. Would you envisage a single software-statement for all installations, with each installation specifying their own client-specific metadata, or would you issue a software-statement per installation. The second sounds like it would allow us to exert more control.
> Thanks for your help!
> Matt
> On 01/06/2018, 15:28, "George Fletcher" <> wrote:
>      Given that you have a federation, could not the federation issue the
>      signed software-statement to each of the relying parties (existing or
>      old) and the AS will trust the dynamic client registration if and only
>      if the signed software-statement is signed by the federation. This fits
>      more closely with the trust framework model.
>      Thanks,
>      George
>      On 6/1/18 9:57 AM, Matt Pryor - UKRI STFC wrote:
>      > Hi,
>      >
>      > I am working on a use case of OAuth 2.0 in a federation and am after some advice about bootstrapping trust.
>      >
>      > Each site in the federation has an OAuth 2.0 authorization server and an OAuth 2.0 relying party. The relying party at each site needs to be registered with all the authorization servers in the federation. We want to automate as much of this process as possible, but restrict client registration to trusted members of the federation. We also want to make onboarding a new federation member as easy as possible.
>      >
>      > This seems an ideal use case for the Dynamic Client Registration Protocol (RFC 7591). The RFC permits the client registration endpoint to require a pre-existing token in order to register a new client which gives us our security (only trusted federation members can register a client).
>      >
>      > The challenge seems to be in bootstrapping the initial trust. It seems cumbersome to require that a new federation member must manually obtain a token from each authorization server before registering - they may as well manually register their client. I'd be interested to know if anyone has any ideas for a solution other than securely distributing a shared secret to new federation members.
>      >
>      > One possible option is to piggy-back on the legacy authn/z we already have - users can obtain an X509 certificate from their home idp, which is then trusted by all the other sites. We can then obtain SAML assertions about their permissions based on that certificate. We could use this mechanism to maintain a list of trusted admins, requiring authentication with an X509 certificate with the correct SAML assertion for the client registration endpoint. However, we are hoping to retire the X509 support in the short-to-medium term, so I'm also looking for solutions that do not use it. I'm also not sure how the use of X509 certificates would fit in with an RFC-compliant implementation of the Dynamic Client Registration Protocol.
>      >
>      > Thanks in advance for your help,
>      > Matt
>      >
>      >
>      > _______________________________________________
>      > OAuth mailing list
>      >
>      >
>      >