Re: [OAUTH-WG] Difference between client_update semantics in draft-ietf-oauth-dyn-reg and OpenID Connect Registration

"Richer, Justin P." <> Wed, 09 January 2013 20:11 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2C48A21F88B4 for <>; Wed, 9 Jan 2013 12:11:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.103
X-Spam-Status: No, score=-6.103 tagged_above=-999 required=5 tests=[AWL=0.495, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id CAKYYMwKPHPi for <>; Wed, 9 Jan 2013 12:11:08 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id A0D2921F884F for <>; Wed, 9 Jan 2013 12:11:07 -0800 (PST)
Received: from (localhost.localdomain []) by localhost (Postfix) with SMTP id C6C0D1F295A; Wed, 9 Jan 2013 15:11:03 -0500 (EST)
Received: from IMCCAS04.MITRE.ORG ( []) by (Postfix) with ESMTP id B37DF1F2931; Wed, 9 Jan 2013 15:11:03 -0500 (EST)
Received: from IMCMBX01.MITRE.ORG ([]) by IMCCAS04.MITRE.ORG ([]) with mapi id 14.02.0318.004; Wed, 9 Jan 2013 15:11:03 -0500
From: "Richer, Justin P." <>
To: John Bradley <>, Mike Jones <>
Thread-Topic: [OAUTH-WG] Difference between client_update semantics in draft-ietf-oauth-dyn-reg and OpenID Connect Registration
Thread-Index: AQHN7qVyCNLV4hp/Q0Wz+S+ZZaZ4Pw==
Date: Wed, 09 Jan 2013 20:11:02 +0000
Message-ID: <B33BFB58CCC8BE4998958016839DE27E06873F69@IMCMBX01.MITRE.ORG>
References: <>, <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_B33BFB58CCC8BE4998958016839DE27E06873F69IMCMBX01MITREOR_"
MIME-Version: 1.0
Cc: "" <>
Subject: Re: [OAUTH-WG] Difference between client_update semantics in draft-ietf-oauth-dyn-reg and OpenID Connect Registration
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 09 Jan 2013 20:11:13 -0000

I prefer the DynReg style, as it keeps things simple for clients (still supports the replace-all mechanics) while making it safer for them. It's also explicit about how to handle server-asserted values that a dumb client might ignore. The partial-update is a small added bonus.

 -- Justin

On Jan 9, 2013, at 3:05 PM, Justin Richer <<>>

It's been a few days now and I haven't seen any traffic from the group about this at all, so I'll just come out and ask for opinions. The two proposals are:

 - inclusion of field replaces that field value on the server with the new value
 - omission of field deletes that field value on the server

DynReg style:
 - inclusion of field replaces that field value on the server with the new value
 - omission of field tells the server to leave its current value alone
 - inclusion of field with an empty string value deletes/clears that field value from the server

Should the OAuth2 Dyn Reg spec adopt the OIDC semantics, or keep its current semantics? Why? Is there another option that's even better?

 -- Justin

On Jan 5, 2013, at 2:36 PM, "Richer, Justin P." <<>> wrote:

Mike, John, thanks for the feedback. I hope and anticipate that this conversation will help improve both drafts.

I disagree with the assessment here that it makes things more complicated in the simple case. How? The way that DynReg is currently written, if the client simply POSTs back the entire set of information that it has about itself every time, which I anticipate the most simple clients will do, then it still behaves as expected. Doesn't it? There's nothing in the draft that REQUIRES an incomplete POST, it just ALLOWS it to happen and defines what to do when it does. Furthermore, it makes it *safer* if the client POSTs something that is incomplete from the *server's* perspective, since the semantics are now, explicitly, to leave alone any values that are left out. In other words, it's my view that this actually makes things far simpler for clients wanting to do simple things, and makes more complex things possible. This is especially in light of the requirement of the server to echo out the actual full state of the client during the transaction. Having implemented this myself, it's really not very complex from either side. The server is marginally more complex, but it leaves fewer cases undefined or "up to the server to decide".

Part of the motivation I had for changing this here was to cope with the cases where the server asserts things about the client that the client doesn't register about itself in the first place, and I wanted something that was simple and programmatic to implement from both sides. In other words, it's assuming that the *server* has the most complete picture of the client's state, not the *client*, which is the assumption made in OIDC and by Mike and John's comments below. Let's take this example as a concrete case (formatting and parameter names are notional and might be off, I'm typing from memory):

Client registers with params:


Server sends back to the client:
  client_name: Foo
  client_secret: super-secret-secret
  token_endpoint_auth_type: client_secret_basic
  scope: read open dennis
  registration_access_token: TOKEN

So the client never asked for scope restriction, but the server decided (however it wanted to, probably by a defaulting mechanism) to give the client three scopes. In the current OIDC spec, the client would never even know this happened because this information isn't ever echoed back (though this at least is changing). Even if it did know about this parameter, it didn't ask for anything in particular in that field, so it now has to keep around something that it doesn't really know what to do with. So with that in mind, the client decides to change its name and sends back all the parameters that it knows about:


Now in the OIDC definition of the semantics, this tells the server to clear out the existing "scope" value, because it's not included in the request. But the server really shouldn't do that, should it? You could argue that because it's a server-defaulted parameter and that the server should know to treat it special. But then the server would have to track which fields are still in a "defaulted" state, or keep some kind of programming logic that says "a blank on an update actually means something else". Which fields does this apply to? Neither of those are "simple".

In the current definition of the DynReg spec, the client not only knows the fields and can do something about them if it wants to, it can also *safely* ignore them in responses. If the client sends back the same set above, dealing only in the parameters that it knows and cares about, the server now has an unambiguous message when the client omits the "scope" field.

With this behavior, though, we do need the equivalent of "set to null" in order to explicitly empty out the value of an existing field. I took the approach of using a blank value -- expressed in HTTP forms as an empty string. I'm open to other suggestions if there's a better/cleaner approach to this part of it, but this was the best I could come up with.

Finally, it's not a bandwidth issue at all, so let's just ignore that particular red herring. :)

 -- Justin

From:<> [<>] on behalf of John Bradley [<>]
Sent: Friday, January 04, 2013 7:13 PM
To: Mike Jones
Subject: Re: [OAUTH-WG] Difference between client_update semantics in draft-ietf-oauth-dyn-reg and OpenID Connect Registration

We did discuss this issue in the connect WG.

The decision was made to always completely replace.   That prevents unknown states if a update fails.

I think the always replace everything rule is simpler, though admittedly more bandwidth is required.  However bandwidth is not a significant factor for this as far as I know.

John B.

On 2013-01-04, at 8:55 PM, Mike Jones <<>> wrote:

The client_update operation in does something different than the operation upon which it was based from  Specifically, while the OpenID Connect operation replaces all field values, the OAuth operation allows only selective fields to be replaced, designating fields to remain unchanged by specifying their value as the empty string (“”).

I'm personally not happy with the change to the semantics of client field inclusion.  Updating some but not all fields is a substantially more complicated operation than replacing all fields.  Is there some use case that motivates this?  I don't think it's a substantial burden on the registering party to remember all the field values from the initial registration and then selectively use them for update operations, when needed.  Then the work goes to the (I suspect rare) parties that need partial update - not to every server.  It complicates the simple case, rather than pushing the complexity to the rare case, violating the design principle “make simple things simple and make more complicated things possible”.

Is anyone opposed to updating the OAuth Registration semantics to match the Connect registration semantics?  Is so, why?

                                                                -- Mike

OAuth mailing list<>

OAuth mailing list<>