[OAUTH-WG] Re: AS Metadata client id parameter draft
"Emelia S." <emelia@brandedcode.com> Tue, 19 May 2026 04:32 UTC
Return-Path: <emelia@brandedcode.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 263A7F080C02 for <oauth@mail2.ietf.org>; Mon, 18 May 2026 21:32:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1779165151; bh=K7+Ufrca7pUcuD38LdsTPpU6dZ4iGyVImTFpa7sW6LY=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=ZsGwmIXhGR/ruFzQq6A05seEyo7n8cVBWGHeel51jG/QKb9MG0pgsvurEXjUcV3fq xKYxs5iOtsRAS6EvR7cWJrABaHXeTH53RdRUN5O/rwgtLmJH8kl9RqtL89lHe/k12d SwfAMI2LeyetKXvhYzN0H/XbyZOSB4DfdniBCxr8=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=brandedcode.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oiupp844bNY0 for <oauth@mail2.ietf.org>; Mon, 18 May 2026 21:32:24 -0700 (PDT)
Received: from smtp-190b.mail.infomaniak.ch (smtp-190b.mail.infomaniak.ch [IPv6:2001:1600:19:b8b8::190b]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 72679F080BE5 for <oauth@ietf.org>; Mon, 18 May 2026 21:32:24 -0700 (PDT)
Received: from smtp-4-0001.mail.infomaniak.ch (unknown [IPv6:2001:1600:7:10::a6c]) by smtp-4-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4gKMG90rgzzNZs; Tue, 19 May 2026 06:32:17 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brandedcode.com; s=20250226; t=1779165136; bh=Sy10MkMWy/T1u/fo51OWEvEgQkDWgp6NCLybKP2QuwI=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=ARRsc8PEi3jxgY5ivlW29n3D5dwfGAnduqg9ObMX9uhWZn8BUowi18sKHiccN1T9p +3JzZQBpAzVdy/FAl/sxTJ39NftVj42pmkr4JqxT1AwbAPrqvesLdzScSeuLR+9Mq3 8j+Ae3ZHCMb4A2KnyzCKW6F0gAcKnA3swehhsCtTaICvB+X07CXM04+PyB3ibZ3rs9 PI18WJZs4wcczxSzs8sxLplN2EdtkyIfPpI1Oo0l/wCm/vY5eCn9lzvyUx+FlOSTJw RFIUivn8e4/49BIWB96NYZzle86gUVOCsNeiih2TKSW28ePM8Nsycbi8MOmTHA4Ygk etjPOTsCq6yBg==
Received: from unknown by smtp-4-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4gKMG81cRZzSsl; Tue, 19 May 2026 06:32:16 +0200 (CEST)
Content-Type: multipart/alternative; boundary="Apple-Mail=_A65F61BF-DF44-47B1-86D1-581483F7DE29"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3864.500.181\))
From: "Emelia S." <emelia@brandedcode.com>
In-Reply-To: <CALZ8nCt2JSqqbCSE80cBqz93g=kRZOH7zYueW93S+ouKCXT_fw@mail.gmail.com>
Date: Tue, 19 May 2026 06:32:05 +0200
Message-Id: <E41DF470-E635-4BD0-902E-CA76A93132AC@brandedcode.com>
References: <CALZ8nCuvyBB7XuRUJO0EqNxXReiaRGe69d0niTGndyvUO6PZMQ@mail.gmail.com> <CALAqi_-CVzF2Q+z_Xvr1ShF_mA4wnXskXHX88GaZOdNZ+HK2Dg@mail.gmail.com> <CAMjEm+FKAYsYuh9Q2piCFw_hqCFEdN5=U5+53nEFtDpzghKSNw@mail.gmail.com> <CAEnJ2_XP+juU_6WFy+R3cTtCw2T16SDnrMiPJVuuM=UC2-w2fQ@mail.gmail.com> <CAPVrLW0hme839xoVf-A4Hu_Xzwq-zdUHCm79BnuUZ-OeTj_Qhg@mail.gmail.com> <ME5P282MB59806F9936609237D59B69989D002@ME5P282MB5980.AUSP282.PROD.OUTLOOK.COM> <CALZ8nCt2JSqqbCSE80cBqz93g=kRZOH7zYueW93S+ouKCXT_fw@mail.gmail.com>
To: Nick Watson <nwatson=40google.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3864.500.181)
X-Infomaniak-Routing: alpha
Message-ID-Hash: TOHX4LXYXNKDE2YTSFA4IC4VYSE4Q264
X-Message-ID-Hash: TOHX4LXYXNKDE2YTSFA4IC4VYSE4Q264
X-MailFrom: emelia@brandedcode.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Tobias Looker <tobias.looker=40mattr.global@dmarc.ietf.org>, Karl McGuinness <me@karlmcguinness.com>, Andy Barlow <0xandybarlow@gmail.com>, OAuth WG <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: AS Metadata client id parameter draft
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ekpTR00xDr6s80tsaHO5uFa8FhM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
I think I capture it in that issue, but CIMDs operate on ecosystems, not individual authorization servers typically, due to them targeting a decentralized way of doing oauth (AS fetches the CIMD), so CIMDs are generally static documents, and the spec discourages using query parameters to change the document contents. Servers should ignore metadata that they don't understand, usually you can't upgrade CIMDs until the ecosystem they're within upgrades their OAuth infrastructure, e.g., AS's. You may have multiple CIMDs for different ecosystems too. e.g., AT Protocol is one ecosystem, and ActivityPub is now another (probably, wordpress just shipped CIMD support for ActivityPub API yesterday). There's also the MCP ecosystem too (though afaik that varies a bit more). — Emelia > On 19 May 2026, at 05:23, Nick Watson <nwatson=40google.com@dmarc.ietf.org> wrote: > > https://github.com/oauth-wg/draft-ietf-oauth-client-id-metadata-document/issues/78 is the proposal I made for CIMD. > > On Mon, May 18, 2026 at 8:13 PM Tobias Looker <tobias.looker=40mattr.global@dmarc.ietf.org <mailto:40mattr.global@dmarc.ietf.org>> wrote: >> Also very supportive of this, including the further feature that Karl suggested r.e CIMD. Being able to gradually roll change by providing client specific AS metadata or better still, metadata based on what the client is known to support via CIMD, would significantly improve many OAuth deployments. >> >> Thanks, >> <https://mattr.global/> >> Tobias Looker >> CTO >> +64 27 378 0461 <tel:+64%2027%20378%200461> >> tobias.looker@mattr.global >> <https://mattr.global/> <https://www.linkedin.com/company/mattrglobal> <https://twitter.com/mattrglobal> <https://github.com/mattrglobal> >> >> This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it – please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002. >> >> From: Karl McGuinness <me@karlmcguinness.com <mailto:me@karlmcguinness.com>> >> Date: Tuesday, 19 May 2026 at 3:02 PM >> To: Max Gerber <max=40stytch.com@dmarc.ietf.org <mailto:40stytch.com@dmarc.ietf.org>> >> Cc: Andy Barlow <0xandybarlow@gmail.com <mailto:0xandybarlow@gmail.com>>; Nick Watson <nwatson=40google.com@dmarc.ietf.org <mailto:40google.com@dmarc.ietf.org>>; OAuth WG <oauth@ietf.org <mailto:oauth@ietf.org>> >> Subject: [OAUTH-WG] Re: AS Metadata client id parameter draft >> >> EXTERNAL EMAIL: This email originated outside of our organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe. >> >> I strongly support standardizing an approach for a per-client metadata mechanism to enable discovery of client-specific metadata values and reduce change management risk as folks have indicated. Okta shipped support for client_id as query param for similar reasons almost 10 years ago! >> >> I also think we need to consider the inverse for OAuth Client ID Metadata Document (CIMD) where the authorization server identifier is an optional parameter for the same reasons. >> >> -Karl >> >> >> >> >> >> On Mon, May 18, 2026 at 5:27 PM Max Gerber <max=40stytch.com@dmarc.ietf.org <mailto:40stytch.com@dmarc.ietf.org>> wrote: >> It's a really interesting idea. Thanks Filip for the slides as well! >> >> > (1) do gradual rollouts of AS metadata changes client by client >> >> I 100% see the value in better-supporting gradual rollouts. Today, an AS can try (emphasis on try!) to feature flag responses based on IP address or User-Agent but both of those are very poor signals. >> >> > (2) customize metadata if necessary >> >> I am not a fan of long-lived customizations of metadata to support legacy clients, though I understand gradual rollouts and long-lived legacy flags are two sides of the same coin. I know it is not always possible or reasonable, but I would rather break old, insecure, and unmaintained clients than build tools to accommodate them. >> >> The security considerations could be worrisome; you call out that an attacker could enumerate which legacy features an AS still supports for a given client. >> This differs from observing that client's behavior—a client might remove the use of the `implicit` grant from their flow, but still be permitted by the AS to use it for legacy reasons. Using this endpoint, an attacker could determine that fact and attempt to exploit it. >> >> >> On Mon, May 18, 2026 at 10:08 AM Andy Barlow <0xandybarlow@gmail.com <mailto:0xandybarlow@gmail.com>> wrote: >> I fully support any and all effort on this topic. >> >> On Mon, 18 May 2026 at 17:58, Filip Skokan <panva.ip@gmail.com <mailto:panva.ip@gmail.com>> wrote: >> Hello Nick, >> >> Let me know what you all think. >> >> Back at IETF 121 I presented this related/similar idea: >> https://youtu.be/_kNpecjcj64?t=6354 >> https://datatracker.ietf.org/meeting/121/materials/slides-121-oauth-sessa-client-id-hint-for-authorization-server-metadata-requests-00 >> I haven't had a chance to follow up on it since >> >> S pozdravem, >> Filip Skokan >> >> >> On Mon, 18 May 2026 at 17:09, Nick Watson <nwatson=40google.com@dmarc.ietf.org <mailto:40google.com@dmarc.ietf.org>> wrote: >> https://njwatson32.github.io/as-metadata-client-id/draft-watson-oauth-as-metadata-client-id.html >> >> I've written up a quick draft on supporting a client_id parameter on AS Metadata, which would allow the AS to (1) do gradual rollouts of AS metadata changes client by client and (2) customize metadata if necessary (e.g. for clients participating in beta programs of upcoming drafts). >> >> AS can also choose to ignore the client_id parameter completely and continue serving a statically cached global AS metadata file. >> >> I had this idea recently when implementing support for 9207 (iss parameter) and running into poorly behaved clients handling these updates badly. The draft I'm proposing would have allowed me to avoid making global changes to AS metadata, and even do a synchronized rollout of returning `iss` from the authorization endpoint and declaring authorization_response_iss_parameter_supported. >> >> Let me know what you all think. >> >> Nick >> >> PS: I've also proposed the "reverse" of this for CIMD in this issue <https://github.com/oauth-wg/draft-ietf-oauth-client-id-metadata-document/issues/78>. >> >> -- >> Nick Watson | Software Engineer | nwatson@google.com <mailto:nwatson@google.com> | (781) 608-3352 <tel:(781)%20608-3352> >> _______________________________________________ >> OAuth mailing list -- oauth@ietf.org <mailto:oauth@ietf.org> >> To unsubscribe send an email to oauth-leave@ietf.org <mailto:oauth-leave@ietf.org> >> _______________________________________________ >> OAuth mailing list -- oauth@ietf.org <mailto:oauth@ietf.org> >> To unsubscribe send an email to oauth-leave@ietf.org <mailto:oauth-leave@ietf.org> >> _______________________________________________ >> OAuth mailing list -- oauth@ietf.org <mailto:oauth@ietf.org> >> To unsubscribe send an email to oauth-leave@ietf.org <mailto:oauth-leave@ietf.org> >> _______________________________________________ >> OAuth mailing list -- oauth@ietf.org <mailto:oauth@ietf.org> >> To unsubscribe send an email to oauth-leave@ietf.org <mailto:oauth-leave@ietf.org>_______________________________________________ > OAuth mailing list -- oauth@ietf.org > To unsubscribe send an email to oauth-leave@ietf.org
- [OAUTH-WG] AS Metadata client id parameter draft Nick Watson
- [OAUTH-WG] Re: AS Metadata client id parameter dr… Filip Skokan
- [OAUTH-WG] Re: AS Metadata client id parameter dr… Andy Barlow
- [OAUTH-WG] Re: AS Metadata client id parameter dr… Max Gerber
- [OAUTH-WG] Re: AS Metadata client id parameter dr… Karl McGuinness
- [OAUTH-WG] Re: AS Metadata client id parameter dr… Tobias Looker
- [OAUTH-WG] Re: AS Metadata client id parameter dr… Nick Watson
- [OAUTH-WG] Re: AS Metadata client id parameter dr… Emelia S.
- [OAUTH-WG] Re: AS Metadata client id parameter dr… Frederik Krogsdal Jacobsen