[OAUTH-WG] Re: AS Metadata client id parameter draft

Tobias Looker <tobias.looker@mattr.global> Tue, 19 May 2026 03:13 UTC

Return-Path: <tobias.looker@mattr.global>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id EC449F078C88 for <oauth@mail2.ietf.org>; Mon, 18 May 2026 20:13:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1779160408; bh=AH+USLbUPjChgGMlpZJZQ/Ibi1C2+2C5qEDugTtPWQ0=; h=From:To:CC:Subject:Date:References:In-Reply-To; b=Y+HEQY6X2rBwrmo2B108yBQ/3wfI5Md7ku1tLh1whH60EbzGIjSX0dCKa28B6ZnNk nkprQWpqKh5u9Sr/zJa+2upZgEyuvhwLs9JcvUb+rvviQKWm5vENb+ITYBAHCbdrOI LA46bTnZpgBp1J9rkI50ToL7uiB0rqKABII+C2eI=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=mattr.global
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yQ_ipFEoo5-z for <oauth@mail2.ietf.org>; Mon, 18 May 2026 20:13:26 -0700 (PDT)
Received: from SY5PR01CU010.outbound.protection.outlook.com (mail-australiaeastazon11022073.outbound.protection.outlook.com [40.107.40.73]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 2C709F078C6E for <oauth@ietf.org>; Mon, 18 May 2026 20:13:26 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=dHXtLyC0/gM/qv9VzTlEJvbQbmUAYIhgzRCmoQBpt9Yftwz7SOQjScj0ORL7gCz2gr2L9v2sJQkYFVc+j3aZFtKHfx82gMc8SW4mHkvCSUvsksyTMc1jyTwW8ylLhwwK18L8MzYm0ZDiBmomPWgPnm9TplK0goXzw+ieMIls+r8bTg4dcpsWx2q6RzyjhNr/QBhede27jYGT8M/bzmE75UdsHgQ3G9VgEf5UepLHj/IjvqQF+eaK7I4qyahnwpjRbHbe70D4ZdOSMJLvHm2TLpiiI3nqdX/NPeO2jEWnSSI2aGjoNvhO6amMo9u8OFSztR765pIJ744WGJ76hBv+Xw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=AH+USLbUPjChgGMlpZJZQ/Ibi1C2+2C5qEDugTtPWQ0=; b=ZgEfAjKpC0KJ0XNqPudGWL1bqSRHZ0+rlR2aiiArRVB8pE85uIUMukyDgCA2gJ/44lHhXJ+p6A/A+hWcPqNj7WHPiohezdvU91sZH5MGdHc4l5BIGAaGOrxN+yKeEQ3PzBdy0GzYpnPtwucCwlAk+jX1Av0hw3umI+yL3lLmtHowi2E8bno99HozUZdvYnUIJEZvA6xpGla19nyK6dAOqk6KrLIaIN8NCZclDJnOAlwUtBGRRkVfLrF0CpUyFJRaH34K3bhAqzRgN+3PlcB/LeQmsbWvUc/bkhA7qZdNsN44nWfIoMJSu+BhowxRr+V/gwTRA449VOw9fECaJ73x1w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=mattr.global; dmarc=pass action=none header.from=mattr.global; dkim=pass header.d=mattr.global; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mattr.global; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=AH+USLbUPjChgGMlpZJZQ/Ibi1C2+2C5qEDugTtPWQ0=; b=QrziWqCof1hiohxxiLEK40W2TJ+ux2NMN3qAToIIJ8Aqr4uRonS0YlWTUOzL008it1QsaQQ4B8MtHhf/TILxtltKjH2d8eT+3ElRVNDTyRiESxcyLJLZTPu/bwTqr3ZQlbw85i7Eite6bnHiZQ49Kba1fHLvLAphWDh89Ji2Xl8=
Received: from ME5P282MB5980.AUSP282.PROD.OUTLOOK.COM (2603:10c6:220:259::11) by ME5P282MB6017.AUSP282.PROD.OUTLOOK.COM (2603:10c6:220:25a::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.25.24; Tue, 19 May 2026 03:13:15 +0000
Received: from ME5P282MB5980.AUSP282.PROD.OUTLOOK.COM ([fe80::b485:1fab:3c18:a8ad]) by ME5P282MB5980.AUSP282.PROD.OUTLOOK.COM ([fe80::b485:1fab:3c18:a8ad%4]) with mapi id 15.21.0025.023; Tue, 19 May 2026 03:13:15 +0000
From: Tobias Looker <tobias.looker@mattr.global>
To: Karl McGuinness <me@karlmcguinness.com>, Max Gerber <max=40stytch.com@dmarc.ietf.org>
Thread-Topic: [OAUTH-WG] Re: AS Metadata client id parameter draft
Thread-Index: AQHc5uepqrSCtP6as0O6GO7beK8VfLYUBBQAgAB6WoCAACtAgIAAArLz
Date: Tue, 19 May 2026 03:13:15 +0000
Message-ID: <ME5P282MB59806F9936609237D59B69989D002@ME5P282MB5980.AUSP282.PROD.OUTLOOK.COM>
References: <CALZ8nCuvyBB7XuRUJO0EqNxXReiaRGe69d0niTGndyvUO6PZMQ@mail.gmail.com> <CALAqi_-CVzF2Q+z_Xvr1ShF_mA4wnXskXHX88GaZOdNZ+HK2Dg@mail.gmail.com> <CAMjEm+FKAYsYuh9Q2piCFw_hqCFEdN5=U5+53nEFtDpzghKSNw@mail.gmail.com> <CAEnJ2_XP+juU_6WFy+R3cTtCw2T16SDnrMiPJVuuM=UC2-w2fQ@mail.gmail.com> <CAPVrLW0hme839xoVf-A4Hu_Xzwq-zdUHCm79BnuUZ-OeTj_Qhg@mail.gmail.com>
In-Reply-To: <CAPVrLW0hme839xoVf-A4Hu_Xzwq-zdUHCm79BnuUZ-OeTj_Qhg@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-reactions: allow
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=mattr.global;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: ME5P282MB5980:EE_|ME5P282MB6017:EE_
x-ms-office365-filtering-correlation-id: 30f52a83-411b-4035-4ed2-08deb5549154
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|7049299003|3109299003|1800799024|69100299015|366016|376014|4022899009|38070700021|13003099007|8096899003|22082099003|56012099003|18002099003|4143699003|3023799003|11063799003;
x-microsoft-antispam-message-info: TvPags+1PcRLFg0qbhdtF5cDv5Zqbw34QHWds1XPkcW4LF03iqm+A7HmPHi3cbpDKyz7aEbfPjuAFGPLOMsZ+HXWbu949ViD7nmNf/Z23rC+ykWuMcehtLL3P81fDWJHRfKFbfND4nvjDdOcnEVLD26Xx82mH1t12XLuLIfqu4LTD5OdU4W2mI2V8KpQ5YGI3KKURWqXn4G+xK/X1qd2TxYBISJ1XaF9y3kqtVbOfWRwGb5SJ90X9UiykKf/JMxBwvkV+GrUOoZ6USa32bjBT9LTPEWLqZdXnvW2UkkVRGoiZCx28p8acQkpyfvk0K7/dGeAxFJ0w+teYny4PIvJHEud3Y8oVE4xjP02lY2KdjK4s/cC7DP0w52nVHAwujU5sSzyxo6/+oX9sJGz18fPQDGjS5lpkXoq0KJehWV0bSkkdyzAPMZMQwwb05cDA/3ysh9uUy+luFMIqqKMPKOp7J92RUkRv51UEX6qUmtodRavT6hzjbnz3ZLh+hrSrDULh20NSivD9V2L0519QCB/s70+vzEr9haOuEDsa2UL16QjhGIY6xz8+OiuIKz9P1m+Sv80cA3xl1kCUlc9+rGaFs6zqNu8h5Q/bIyqfCYG69IPZ1DvRHEtZ0/EIjsTnKlyQPuA1OhGWpB2rF5NjM/w7FArboL+Zy0Fm7CjoGXCHa/HAM5svc6WByKVOGsE6gsO
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:ME5P282MB5980.AUSP282.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(7049299003)(3109299003)(1800799024)(69100299015)(366016)(376014)(4022899009)(38070700021)(13003099007)(8096899003)(22082099003)(56012099003)(18002099003)(4143699003)(3023799003)(11063799003);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: HyLgwTwFF7Z3uQQFEeE2TMqmPSdlcAoSJNvpxo1/iD/xvGBwXC/1rI1LVi2gjRAinMKvorYoti7CJuHhdXRN+p7URZ4DcRpfQ69uQZ9THYxdZ2aI1sBET93k/go6pzEGbq5qwgqTYB+9F+c1tY2rPaG6jtu3MdkGw9fwSSl08MOKO52NmispqVor0ICT/UEE3tV7wjB/+RkYDC9dKXEq7TZGLrw+J+KhZ3/kbCVA+F0UimYtzai9Xazy1pa6E817aQlQ+GaQeOEaIy/gjhc3YIlKPUNoems98o76Q5DyZqpGXNzDOIVUk06zlyVvTbRpXwqJkPmOvvYF7jTGBpxB5feIPIFvM4N2/Q4ftvwZYOCd5Aj6NUZ+RXMwA2+VZHVMpdW2vpehFk4WxAGcXy2Q7/4blR+0TO7rFy0j/UYwqsCaflYdvjVOT2u6T/ciZrDZTAB6uBXyAE1HL4quM5eFpTBNeeigbJC5R++/pMV+S+qPL1apAkKa5TbL7OH6bV0LbSyCWDdt54pk8AEUTIKse4+NoifRN6+Z0EIXXw+Z3MT6TBvxR4qBKJ4CuWy8xQFz1PFHAJ+Y3/a3nl4aQPVOpuPxpaPajUq3lsH18GDZnAxW9fo0vzi9DYGSMAhAfxdMbKkrjnMadanYc/2NjqyoY+ZfU5nKslvJL8nvFt22bBJfh2pX4FHXlZv3wDylKCleTjkPVL8mYiC43M6wm51YxZBGhpaQFRvxMydTYmyDa/nsfRo+bJ60I3Ja4OmSJdGoXcgy2Th5orI+DK+PegwmrfTZBkjwQC0MARmvZC7bcPLpon/pKjE6usGBXr+TNBDh2LJLup6PrDkRWCAr8kHD4V45SJ5QPB1AeuOqmJBWcaHhMNPql3VlTJqWCkjk4aE5xW6fYhqjXjg89v0z7aeTyZZNIxseuufMxAoc8/BcoiZHFOjIgtC9W+sBOvKEb17Ywiyyxw/pgn3VV0FLyEdKPImLJwWVjiw0pYbb2nWYHJmQz3O8elMb77Q5SS4QLMfRRtWkCSfWvOSFtGMqJbI144yrpa5UQovI9co4MkmDn+6Mr4AGYEQtltj6oeQ1Y1686QK1PSdPrmx9toqWqhsx6EF+qPRFIBZv60PEA+lwnFsGrvA359sIIjpXobW8w1ZrSEaEL/UrdAd43BXtr3MAv4jvTMXXLi9ued3yPZRYtu0ozEPBEIESgbC123uMMrcqSA2MlmGKHGJeXeL79ZHy6d4rqkS8Y3OLjWIe89T9YZXelu0kDPvYiHFZqmkein2upxwuxRRDFn2G/W2kT0opV2vp58Oev6VYZzlypetV+7g7i6ZlQZjYyhVahyq3apK9sjdfczANBcLjMDNWvtOIa/oy+/CO+e4LnxMA7l+CaHtBl2Awin4cbqjp9+1NOgEvvelm/Yqc6XsyLUXe6O5E/GrX+nts0Bisf25WifL2u+b2QTjK3P23P5jCU1VK8z05JIXOig1CS77nk11LHRhnPDPM0nsQPT1PZEoR2x0yNrdWiS1MSIsgl/FIY2WcsApMrK4wn8bOBBr9pHCE4fkvScE5JqrNnBwfYwMcxYq0nwluX3yI3JZMVTLb+KzO03vhWVxAz/2hvaN4RfjIBh9kAOqU4T8Md/Aan59gF0238Xg9osbhPYSPsgxPr5ErPec0UjZXmhEiRqBoCDyOhSEhId2rNbiY2IWvqcyrSaoiCwjZHO9jT9JuvjaJDJJHYwe+nq5rlSw6WLCL8B6BrfpfHQagz7Mp7OGr6mf6jz4KN+Y=
Content-Type: multipart/alternative; boundary="_000_ME5P282MB59806F9936609237D59B69989D002ME5P282MB5980AUSP_"
MIME-Version: 1.0
X-OriginatorOrg: mattr.global
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: ME5P282MB5980.AUSP282.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 30f52a83-411b-4035-4ed2-08deb5549154
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 May 2026 03:13:15.3057 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c2c9cf73-6aae-4702-9844-02adab723771
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: YdOVQpfCriTbJy7FNMi/Kzsj586LTUyR+se0/dpyzodfVe9LBer3c86ROzE45rKLDIxQLSW9m2hYNNqFwbTI5qciiAnsr95BzzgimWC/SC4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: ME5P282MB6017
Message-ID-Hash: 2EA4POM4UEYTOOMCZDAAAZPVRTOQ2PC7
X-Message-ID-Hash: 2EA4POM4UEYTOOMCZDAAAZPVRTOQ2PC7
X-MailFrom: tobias.looker@mattr.global
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Andy Barlow <0xandybarlow@gmail.com>, Nick Watson <nwatson=40google.com@dmarc.ietf.org>, OAuth WG <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: AS Metadata client id parameter draft
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dgsKCYvNByABfqtT9oatXNvGpXs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Also very supportive of this, including the further feature that Karl suggested r.e CIMD. Being able to gradually roll change by providing client specific AS metadata or better still, metadata based on what the client is known to support via CIMD, would significantly improve many OAuth deployments.

Thanks,
[MATTR website]<https://mattr.global/>
Tobias Looker
CTO
+64 27 378 0461
tobias.looker@mattr.global
[MATTR website]<https://mattr.global/>  [MATTR on LinkedIn] <https://www.linkedin.com/company/mattrglobal>      [MATTR on Twitter] <https://twitter.com/mattrglobal>    [MATTR on Github] <https://github.com/mattrglobal>

This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it – please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.

From: Karl McGuinness <me@karlmcguinness.com>
Date: Tuesday, 19 May 2026 at 3:02 PM
To: Max Gerber <max=40stytch.com@dmarc.ietf.org>
Cc: Andy Barlow <0xandybarlow@gmail.com>; Nick Watson <nwatson=40google.com@dmarc.ietf.org>; OAuth WG <oauth@ietf.org>
Subject: [OAUTH-WG] Re: AS Metadata client id parameter draft

EXTERNAL EMAIL: This email originated outside of our organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe.

I strongly support standardizing an approach for a per-client metadata mechanism to enable discovery of client-specific metadata values and reduce change management risk as folks have indicated.  Okta shipped support for client_id as query param for similar reasons almost 10 years ago!

I also think we need to consider the inverse for OAuth Client ID Metadata Document (CIMD) where the authorization server identifier is an optional parameter for the same reasons.

-Karl





On Mon, May 18, 2026 at 5:27 PM Max Gerber <max=40stytch.com@dmarc.ietf.org<mailto:40stytch.com@dmarc.ietf.org>> wrote:
It's a really interesting idea. Thanks Filip for the slides as well!

> (1) do gradual rollouts of AS metadata changes client by client

I 100% see the value in better-supporting gradual rollouts. Today, an AS can try (emphasis on try!) to feature flag responses based on IP address or User-Agent but both of those are very poor signals.

> (2) customize metadata if necessary

I am not a fan of long-lived customizations of metadata to support legacy clients, though I understand gradual rollouts and long-lived legacy flags are two sides of the same coin. I know it is not always possible or reasonable, but I would rather break old, insecure, and unmaintained clients than build tools to accommodate them.

The security considerations could be worrisome; you call out that an attacker could enumerate which legacy features an AS still supports for a given client.
This differs from observing that client's behavior—a client might remove the use of the `implicit` grant from their flow, but still be permitted by the AS to use it for legacy reasons. Using this endpoint, an attacker could determine that fact and attempt to exploit it.


On Mon, May 18, 2026 at 10:08 AM Andy Barlow <0xandybarlow@gmail.com<mailto:0xandybarlow@gmail.com>> wrote:
I fully support any and all effort on this topic.

On Mon, 18 May 2026 at 17:58, Filip Skokan <panva.ip@gmail.com<mailto:panva.ip@gmail.com>> wrote:
Hello Nick,

Let me know what you all think.

Back at IETF 121 I presented this related/similar idea:

  *   https://youtu.be/_kNpecjcj64?t=6354
  *   https://datatracker.ietf.org/meeting/121/materials/slides-121-oauth-sessa-client-id-hint-for-authorization-server-metadata-requests-00

I haven't had a chance to follow up on it since

S pozdravem,
Filip Skokan


On Mon, 18 May 2026 at 17:09, Nick Watson <nwatson=40google.com@dmarc.ietf.org<mailto:40google.com@dmarc.ietf.org>> wrote:
https://njwatson32.github.io/as-metadata-client-id/draft-watson-oauth-as-metadata-client-id.html

I've written up a quick draft on supporting a client_id parameter on AS Metadata, which would allow the AS to (1) do gradual rollouts of AS metadata changes client by client and (2) customize metadata if necessary (e.g. for clients participating in beta programs of upcoming drafts).

AS can also choose to ignore the client_id parameter completely and continue serving a statically cached global AS metadata file.

I had this idea recently when implementing support for 9207 (iss parameter) and running into poorly behaved clients handling these updates badly. The draft I'm proposing would have allowed me to avoid making global changes to AS metadata, and even do a synchronized rollout of returning `iss` from the authorization endpoint and declaring authorization_response_iss_parameter_supported.

Let me know what you all think.

Nick

PS: I've also proposed the "reverse" of this for CIMD in this issue<https://github.com/oauth-wg/draft-ietf-oauth-client-id-metadata-document/issues/78>.

--
Nick Watson | Software Engineer | nwatson@google.com<mailto:nwatson@google.com> | (781) 608-3352
_______________________________________________
OAuth mailing list -- oauth@ietf.org<mailto:oauth@ietf.org>
To unsubscribe send an email to oauth-leave@ietf.org<mailto:oauth-leave@ietf.org>
_______________________________________________
OAuth mailing list -- oauth@ietf.org<mailto:oauth@ietf.org>
To unsubscribe send an email to oauth-leave@ietf.org<mailto:oauth-leave@ietf.org>
_______________________________________________
OAuth mailing list -- oauth@ietf.org<mailto:oauth@ietf.org>
To unsubscribe send an email to oauth-leave@ietf.org<mailto:oauth-leave@ietf.org>
_______________________________________________
OAuth mailing list -- oauth@ietf.org<mailto:oauth@ietf.org>
To unsubscribe send an email to oauth-leave@ietf.org<mailto:oauth-leave@ietf.org>