Return-Path: <emelia@brandedcode.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1])
	by mail2.ietf.org (Postfix) with ESMTP id 263A7F080C02
	for <oauth@mail2.ietf.org>; Mon, 18 May 2026 21:32:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1;
	t=1779165151; bh=K7+Ufrca7pUcuD38LdsTPpU6dZ4iGyVImTFpa7sW6LY=;
	h=Subject:From:In-Reply-To:Date:Cc:References:To;
	b=ZsGwmIXhGR/ruFzQq6A05seEyo7n8cVBWGHeel51jG/QKb9MG0pgsvurEXjUcV3fq
	 xKYxs5iOtsRAS6EvR7cWJrABaHXeTH53RdRUN5O/rwgtLmJH8kl9RqtL89lHe/k12d
	 SwfAMI2LeyetKXvhYzN0H/XbyZOSB4DfdniBCxr8=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5
	tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
	DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001,
	SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key)
	header.d=brandedcode.com
Received: from mail2.ietf.org ([166.84.6.31])
	by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id Oiupp844bNY0 for <oauth@mail2.ietf.org>;
	Mon, 18 May 2026 21:32:24 -0700 (PDT)
Received: from smtp-190b.mail.infomaniak.ch (smtp-190b.mail.infomaniak.ch
 [IPv6:2001:1600:19:b8b8::190b])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256)
	(No client certificate requested)
	by mail2.ietf.org (Postfix) with ESMTPS id 72679F080BE5
	for <oauth@ietf.org>; Mon, 18 May 2026 21:32:24 -0700 (PDT)
Received: from smtp-4-0001.mail.infomaniak.ch (unknown
 [IPv6:2001:1600:7:10::a6c])
	by smtp-4-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4gKMG90rgzzNZs;
	Tue, 19 May 2026 06:32:17 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brandedcode.com;
	s=20250226; t=1779165136;
	bh=Sy10MkMWy/T1u/fo51OWEvEgQkDWgp6NCLybKP2QuwI=;
	h=Subject:From:In-Reply-To:Date:Cc:References:To:From;
	b=ARRsc8PEi3jxgY5ivlW29n3D5dwfGAnduqg9ObMX9uhWZn8BUowi18sKHiccN1T9p
	 +3JzZQBpAzVdy/FAl/sxTJ39NftVj42pmkr4JqxT1AwbAPrqvesLdzScSeuLR+9Mq3
	 8j+Ae3ZHCMb4A2KnyzCKW6F0gAcKnA3swehhsCtTaICvB+X07CXM04+PyB3ibZ3rs9
	 PI18WJZs4wcczxSzs8sxLplN2EdtkyIfPpI1Oo0l/wCm/vY5eCn9lzvyUx+FlOSTJw
	 RFIUivn8e4/49BIWB96NYZzle86gUVOCsNeiih2TKSW28ePM8Nsycbi8MOmTHA4Ygk
	 etjPOTsCq6yBg==
Received: from unknown by smtp-4-0001.mail.infomaniak.ch (Postfix) with ESMTPA
 id 4gKMG81cRZzSsl;
	Tue, 19 May 2026 06:32:16 +0200 (CEST)
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_A65F61BF-DF44-47B1-86D1-581483F7DE29"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3864.500.181\))
From: "Emelia S." <emelia@brandedcode.com>
In-Reply-To: 
 <CALZ8nCt2JSqqbCSE80cBqz93g=kRZOH7zYueW93S+ouKCXT_fw@mail.gmail.com>
Date: Tue, 19 May 2026 06:32:05 +0200
Message-Id: <E41DF470-E635-4BD0-902E-CA76A93132AC@brandedcode.com>
References: 
 <CALZ8nCuvyBB7XuRUJO0EqNxXReiaRGe69d0niTGndyvUO6PZMQ@mail.gmail.com>
 <CALAqi_-CVzF2Q+z_Xvr1ShF_mA4wnXskXHX88GaZOdNZ+HK2Dg@mail.gmail.com>
 <CAMjEm+FKAYsYuh9Q2piCFw_hqCFEdN5=U5+53nEFtDpzghKSNw@mail.gmail.com>
 <CAEnJ2_XP+juU_6WFy+R3cTtCw2T16SDnrMiPJVuuM=UC2-w2fQ@mail.gmail.com>
 <CAPVrLW0hme839xoVf-A4Hu_Xzwq-zdUHCm79BnuUZ-OeTj_Qhg@mail.gmail.com>
 <ME5P282MB59806F9936609237D59B69989D002@ME5P282MB5980.AUSP282.PROD.OUTLOOK.COM>
 <CALZ8nCt2JSqqbCSE80cBqz93g=kRZOH7zYueW93S+ouKCXT_fw@mail.gmail.com>
To: Nick Watson <nwatson=40google.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3864.500.181)
X-Infomaniak-Routing: alpha
Message-ID-Hash: TOHX4LXYXNKDE2YTSFA4IC4VYSE4Q264
X-Message-ID-Hash: TOHX4LXYXNKDE2YTSFA4IC4VYSE4Q264
X-MailFrom: emelia@brandedcode.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; header-match-oauth.ietf.org-0;
 nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size;
 news-moderation; no-subject; digests; suspicious-header
CC: Tobias Looker <tobias.looker=40mattr.global@dmarc.ietf.org>,
 Karl McGuinness <me@karlmcguinness.com>,
 Andy Barlow <0xandybarlow@gmail.com>, OAuth WG <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: =?utf-8?q?=5BOAUTH-WG=5D_Re=3A_AS_Metadata_client_id_parameter_draft?=
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: 
 <https://mailarchive.ietf.org/arch/msg/oauth/ekpTR00xDr6s80tsaHO5uFa8FhM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>


--Apple-Mail=_A65F61BF-DF44-47B1-86D1-581483F7DE29
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

I think I capture it in that issue, but CIMDs operate on ecosystems, not =
individual authorization servers typically, due to them targeting a =
decentralized way of doing oauth (AS fetches the CIMD), so CIMDs are =
generally static documents, and the spec discourages using query =
parameters to change the document contents.

Servers should ignore metadata that they don't understand, usually you =
can't upgrade CIMDs until the ecosystem they're within upgrades their =
OAuth infrastructure, e.g., AS's. You may have multiple CIMDs for =
different ecosystems too. e.g., AT Protocol is one ecosystem, and =
ActivityPub is now another (probably, wordpress just shipped CIMD =
support for ActivityPub API yesterday). There's also the MCP ecosystem =
too (though afaik that varies a bit more).

=E2=80=94 Emelia

> On 19 May 2026, at 05:23, Nick Watson =
<nwatson=3D40google.com@dmarc.ietf.org> wrote:
>=20
> =
https://github.com/oauth-wg/draft-ietf-oauth-client-id-metadata-document/i=
ssues/78 is the proposal I made for CIMD.
>=20
> On Mon, May 18, 2026 at 8:13=E2=80=AFPM Tobias Looker =
<tobias.looker=3D40mattr.global@dmarc.ietf.org =
<mailto:40mattr.global@dmarc.ietf.org>> wrote:
>> Also very supportive of this, including the further feature that Karl =
suggested r.e CIMD. Being able to gradually roll change by providing =
client specific AS metadata or better still, metadata based on what the =
client is known to support via CIMD, would significantly improve many =
OAuth deployments.
>>=20
>> Thanks,
>>  <https://mattr.global/>	=09
>> Tobias Looker
>> CTO
>> +64 27 378 0461 <tel:+64%2027%20378%200461>
>> tobias.looker@mattr.global
>>  <https://mattr.global/>	 =
<https://www.linkedin.com/company/mattrglobal>	 =
<https://twitter.com/mattrglobal>	 =
<https://github.com/mattrglobal>
>>=20
>> This communication, including any attachments, is confidential. If =
you are not the intended recipient, you should not read it =E2=80=93 =
please contact me immediately, destroy it, and do not copy or use any =
part of this communication or disclose anything about it. Thank you. =
Please note that this communication does not designate an information =
system for the purposes of the Electronic Transactions Act 2002.
>>=20
>> From: Karl McGuinness <me@karlmcguinness.com =
<mailto:me@karlmcguinness.com>>
>> Date: Tuesday, 19 May 2026 at 3:02=E2=80=AFPM
>> To: Max Gerber <max=3D40stytch.com@dmarc.ietf.org =
<mailto:40stytch.com@dmarc.ietf.org>>
>> Cc: Andy Barlow <0xandybarlow@gmail.com =
<mailto:0xandybarlow@gmail.com>>; Nick Watson =
<nwatson=3D40google.com@dmarc.ietf.org =
<mailto:40google.com@dmarc.ietf.org>>; OAuth WG <oauth@ietf.org =
<mailto:oauth@ietf.org>>
>> Subject: [OAUTH-WG] Re: AS Metadata client id parameter draft
>>=20
>> EXTERNAL EMAIL: This email originated outside of our organisation. Do =
not click links or open attachments unless you recognise the sender and =
know the content is safe.
>>=20
>> I strongly support standardizing an approach for a per-client =
metadata mechanism to enable discovery of client-specific metadata =
values and reduce change management risk as folks have indicated.  Okta =
shipped support for client_id as query param for similar reasons almost =
10 years ago!
>>=20
>> I also think we need to consider the inverse for OAuth Client ID =
Metadata Document (CIMD) where the authorization server identifier is an =
optional parameter for the same reasons.  =20
>>=20
>> -Karl
>>=20
>>=20
>>=20
>> =20
>>=20
>> On Mon, May 18, 2026 at 5:27=E2=80=AFPM Max Gerber =
<max=3D40stytch.com@dmarc.ietf.org <mailto:40stytch.com@dmarc.ietf.org>> =
wrote:
>> It's a really interesting idea. Thanks Filip for the slides as well!
>>=20
>> > (1) do gradual rollouts of AS metadata changes client by client
>>=20
>> I 100% see the value in better-supporting gradual rollouts. Today, an =
AS can try (emphasis on try!) to feature flag responses based on IP =
address or User-Agent but both of those are very poor signals.
>>=20
>> > (2) customize metadata if necessary=20
>>=20
>> I am not a fan of long-lived customizations of metadata to support =
legacy clients, though I understand gradual rollouts and long-lived =
legacy flags are two sides of the same coin. I know it is not always =
possible or reasonable, but I would rather break old, insecure, and =
unmaintained clients than build tools to accommodate them.
>>=20
>> The security considerations could be worrisome; you call out that an =
attacker could enumerate which legacy features an AS still supports for =
a given client.
>> This differs from observing that client's behavior=E2=80=94a client =
might remove the use of the `implicit` grant from their flow, but still =
be permitted by the AS to use it for legacy reasons. Using this =
endpoint, an attacker could determine that fact and attempt to exploit =
it.
>>=20
>>=20
>> On Mon, May 18, 2026 at 10:08=E2=80=AFAM Andy Barlow =
<0xandybarlow@gmail.com <mailto:0xandybarlow@gmail.com>> wrote:
>> I fully support any and all effort on this topic.
>>=20
>> On Mon, 18 May 2026 at 17:58, Filip Skokan <panva.ip@gmail.com =
<mailto:panva.ip@gmail.com>> wrote:
>> Hello Nick,
>>=20
>> Let me know what you all think.
>>=20
>> Back at IETF 121 I presented this related/similar idea:
>> https://youtu.be/_kNpecjcj64?t=3D6354
>> =
https://datatracker.ietf.org/meeting/121/materials/slides-121-oauth-sessa-=
client-id-hint-for-authorization-server-metadata-requests-00
>> I haven't had a chance to follow up on it since
>>=20
>> S pozdravem,
>> Filip Skokan
>>=20
>>=20
>> On Mon, 18 May 2026 at 17:09, Nick Watson =
<nwatson=3D40google.com@dmarc.ietf.org =
<mailto:40google.com@dmarc.ietf.org>> wrote:
>> =
https://njwatson32.github.io/as-metadata-client-id/draft-watson-oauth-as-m=
etadata-client-id.html
>>=20
>> I've written up a quick draft on supporting a client_id parameter on =
AS Metadata, which would allow the AS to (1) do gradual rollouts of AS =
metadata changes client by client and (2) customize metadata if =
necessary (e.g. for clients participating in beta programs of upcoming =
drafts).
>>=20
>> AS can also choose to ignore the client_id parameter completely and =
continue serving a statically cached global AS metadata file.
>>=20
>> I had this idea recently when implementing support for 9207 (iss =
parameter) and running into poorly behaved clients handling these =
updates badly. The draft I'm proposing would have allowed me to avoid =
making global changes to AS metadata, and even do a synchronized rollout =
of returning `iss` from the authorization endpoint and declaring =
authorization_response_iss_parameter_supported.
>>=20
>> Let me know what you all think.
>>=20
>> Nick
>>=20
>> PS: I've also proposed the "reverse" of this for CIMD in this issue =
<https://github.com/oauth-wg/draft-ietf-oauth-client-id-metadata-document/=
issues/78>.
>>=20
>> --
>> Nick Watson | Software Engineer | nwatson@google.com =
<mailto:nwatson@google.com> | (781) 608-3352 <tel:(781)%20608-3352>
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org <mailto:oauth@ietf.org>
>> To unsubscribe send an email to oauth-leave@ietf.org =
<mailto:oauth-leave@ietf.org>
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org <mailto:oauth@ietf.org>
>> To unsubscribe send an email to oauth-leave@ietf.org =
<mailto:oauth-leave@ietf.org>
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org <mailto:oauth@ietf.org>
>> To unsubscribe send an email to oauth-leave@ietf.org =
<mailto:oauth-leave@ietf.org>
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org <mailto:oauth@ietf.org>
>> To unsubscribe send an email to oauth-leave@ietf.org =
<mailto:oauth-leave@ietf.org>_____________________________________________=
__
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org


--Apple-Mail=_A65F61BF-DF44-47B1-86D1-581483F7DE29
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html aria-label=3D"message body"><head><meta http-equiv=3D"content-type" =
content=3D"text/html; charset=3Dutf-8"></head><body =
style=3D"overflow-wrap: break-word; -webkit-nbsp-mode: space; =
line-break: after-white-space;">I think I capture it in that issue, but =
CIMDs operate on ecosystems, not individual authorization servers =
typically, due to them targeting a decentralized way of doing oauth (AS =
fetches the CIMD), so CIMDs are generally static documents, and the spec =
discourages using query parameters to change the document =
contents.<div><br></div><div>Servers should ignore metadata that they =
don't understand, usually you can't upgrade CIMDs until the ecosystem =
they're within upgrades their OAuth infrastructure, e.g., AS's. You may =
have multiple CIMDs for different ecosystems too. e.g., AT Protocol is =
one ecosystem, and ActivityPub is now another (probably, wordpress just =
shipped CIMD support for ActivityPub API yesterday). There's also the =
MCP ecosystem too (though afaik that varies a bit =
more).</div><div><br></div><div>=E2=80=94 =
Emelia<br><div><div><br><blockquote type=3D"cite"><div>On 19 May 2026, =
at 05:23, Nick Watson &lt;nwatson=3D40google.com@dmarc.ietf.org&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><div><div =
dir=3D"ltr"><a =
href=3D"https://github.com/oauth-wg/draft-ietf-oauth-client-id-metadata-do=
cument/issues/78">https://github.com/oauth-wg/draft-ietf-oauth-client-id-m=
etadata-document/issues/78</a> is the proposal I made for =
CIMD.</div><br><div class=3D"gmail_quote gmail_quote_container"><div =
dir=3D"ltr" class=3D"gmail_attr">On Mon, May 18, 2026 at 8:13=E2=80=AFPM =
Tobias Looker &lt;tobias.looker=3D<a =
href=3D"mailto:40mattr.global@dmarc.ietf.org">40mattr.global@dmarc.ietf.or=
g</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" =
style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid =
rgb(204,204,204);padding-left:1ex">



<div>
<div style=3D"direction: ltr; font-family: Aptos, Arial, Helvetica, =
sans-serif; font-size: 12pt;">
Also very supportive of this, including the further feature that Karl =
suggested r.e CIMD. Being able to gradually roll change by providing =
client specific AS metadata or better still, metadata based on what the =
client is known to support via CIMD, would significantly
 improve many OAuth deployments.</div>
<div style=3D"direction: ltr; font-family: Aptos, Arial, Helvetica, =
sans-serif; font-size: 12pt;">
<br>
</div>
<div style=3D"direction: ltr; font-family: Aptos, Arial, Helvetica, =
sans-serif; font-size: 12pt;">
Thanks,</div>
<div id=3D"m_-1843788341113937848ms-outlook-mobile-signature" =
style=3D"color:inherit;background-color:inherit">
<table id=3D"m_-1843788341113937848table_0" cellspacing=3D"0" =
cellpadding=3D"0" border=3D"0" style=3D"text-align: left; =
text-transform: none;">
<tbody>
<tr>
<td =
style=3D"text-align:left;line-height:16px;text-transform:none;vertical-ali=
gn:top;width:125px">
<span style=3D"font-family:&quot;Helvetica =
Neue&quot;,Helvetica,Arial,sans-serif;font-size:11px;color:rgb(15,173,225)=
"><a href=3D"https://mattr.global/" =
style=3D"color:rgb(15,173,225);border-width:medium;border-style:none;borde=
r-color:currentcolor" target=3D"_blank"><img =
src=3D"https://mattr.global/assets/images/MattrLogo.png" alt=3D"MATTR =
website" =
id=3D"m_-1843788341113937848img-6a083703-95c5-4947-9cf4-258e193e7a21" =
width=3D"125" style=3D"width: 125px; height: auto; max-width: =
100%;"></a></span></td>
<td =
style=3D"text-align:left;line-height:16px;text-transform:none;width:16px">=

</td>
<td =
style=3D"text-align:left;line-height:16px;text-transform:none;vertical-ali=
gn:top;color:rgb(51,49,50)">
<table id=3D"m_-1843788341113937848table_1" cellspacing=3D"0" =
cellpadding=3D"0" border=3D"0" =
style=3D"text-align:left;line-height:16px;text-transform:none">
<tbody>
<tr>
<td style=3D"text-align:left;line-height:16px;text-transform:none">
<div =
style=3D"text-align:left;line-height:16px;text-transform:none;font-family:=
&quot;Helvetica Neue&quot;,Helvetica,Arial,sans-serif;font-size:12px">
<b>Tobias Looker</b></div>
</td>
</tr>
<tr>
<td style=3D"text-align:left;line-height:16px;text-transform:none">
<div =
style=3D"text-align:left;line-height:16px;text-transform:none;font-family:=
&quot;Helvetica Neue&quot;,Helvetica,Arial,sans-serif;font-size:11px">
CTO</div>
</td>
</tr>
<tr>
<td =
style=3D"text-align:left;line-height:16px;text-transform:none;padding-top:=
12px">
<div =
style=3D"text-align:left;line-height:16px;text-transform:none;font-family:=
&quot;Helvetica =
Neue&quot;,Helvetica,Arial,sans-serif;font-size:11px;color:rgb(51,49,50)">=

<a href=3D"tel:+64%2027%20378%200461" value=3D"+64273780461" =
target=3D"_blank">+64 27 378 0461</a><br>
tobias.looker@mattr.global</div>
</td>
</tr>
<tr>
<td =
style=3D"text-align:left;line-height:16px;text-transform:none;padding-top:=
12px">
<table cellspacing=3D"0" cellpadding=3D"0" border=3D"0" =
style=3D"text-align:left;line-height:16px;text-transform:none">
<tbody>
<tr>
<td =
style=3D"text-align:left;line-height:16px;text-transform:none;width:40px">=

<span style=3D"font-family:&quot;Helvetica =
Neue&quot;,Helvetica,Arial,sans-serif;font-size:11px;color:rgb(51,49,50)">=
<a href=3D"https://mattr.global/" =
style=3D"color:rgb(51,49,50);margin-right:12px;border-width:medium;border-=
style:none;border-color:currentcolor" target=3D"_blank"><img =
src=3D"https://mattr.global/assets/images/website.png" alt=3D"MATTR =
website" =
id=3D"m_-1843788341113937848img-1828b526-4d63-40f6-a8e7-f11eecf9ebfc" =
width=3D"24" height=3D"40" style=3D"width: 24px; height: 40px; =
max-width: 100%;"></a></span></td>
<td =
style=3D"text-align:left;line-height:16px;text-transform:none;width:40px">=

<span style=3D"font-family:&quot;Helvetica =
Neue&quot;,Helvetica,Arial,sans-serif;font-size:11px;color:rgb(51,49,50)">=
<a href=3D"https://www.linkedin.com/company/mattrglobal" =
style=3D"color:rgb(51,49,50);margin-right:12px;border-width:medium;border-=
style:none;border-color:currentcolor" target=3D"_blank"><img =
src=3D"https://mattr.global/assets/images/linkedin.png" alt=3D"MATTR on =
LinkedIn" =
id=3D"m_-1843788341113937848img-2275f8aa-b867-4f15-83c5-57cf299e0c17" =
width=3D"24" height=3D"40" style=3D"width: 24px; height: 40px; =
max-width: 100%;"></a></span></td>
<td =
style=3D"text-align:left;line-height:16px;text-transform:none;width:40px">=

<span style=3D"font-family:&quot;Helvetica =
Neue&quot;,Helvetica,Arial,sans-serif;font-size:11px;color:rgb(51,49,50)">=
<a href=3D"https://twitter.com/mattrglobal" =
style=3D"color:rgb(51,49,50);margin-right:12px;border-width:medium;border-=
style:none;border-color:currentcolor" target=3D"_blank"><img =
src=3D"https://mattr.global/assets/images/twitter.png" alt=3D"MATTR on =
Twitter" =
id=3D"m_-1843788341113937848img-d204a047-4796-4b6c-88fb-ccd3ec1f863e" =
width=3D"24" height=3D"40" style=3D"width: 24px; height: 40px; =
max-width: 100%;"></a></span></td>
<td =
style=3D"text-align:left;line-height:16px;text-transform:none;width:40px">=

<span style=3D"font-family:&quot;Helvetica =
Neue&quot;,Helvetica,Arial,sans-serif;font-size:11px;color:rgb(51,49,50)">=
<a href=3D"https://github.com/mattrglobal" =
style=3D"color:rgb(51,49,50);margin-right:12px;border-width:medium;border-=
style:none;border-color:currentcolor" target=3D"_blank"><img =
src=3D"https://mattr.global/assets/images/github.png" alt=3D"MATTR on =
Github" =
id=3D"m_-1843788341113937848img-85dbdb2d-b3b7-4d00-80d5-3167845204c8" =
width=3D"24" height=3D"40" style=3D"width: 24px; height: 40px; =
max-width: 100%;"></a></span></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<div><span style=3D""><br>
</span><span style=3D"color:rgb(118,118,118)"><small =
style=3D"text-decoration-line:none;color:rgb(118,118,118);font-family:&quo=
t;Helvetica =
Neue&quot;,Helvetica,Arial,sans-serif;font-size:8px;line-height:14px;backg=
round-color:inherit">This
 communication, including any attachments, is confidential. If you are =
not the intended recipient, you should not read it =E2=80=93 please =
contact me immediately, destroy it, and do not copy or use any part of =
this communication or disclose anything about it. Thank
 you. Please note that this communication does not designate an =
information system for the purposes of the Electronic Transactions Act =
2002.</small></span></div>
<div style=3D"direction:ltr"><br>
</div>
</div>
<div id=3D"m_-1843788341113937848mail-editor-reference-message-container" =
style=3D"color:inherit;background-color:inherit">
<div style=3D"direction:ltr">
</div>
<div style=3D"padding:3pt 0in 0in;border-width:1pt medium =
medium;border-style:solid none none;border-color:rgb(181,196,223) =
currentcolor currentcolor">
<div style=3D"text-align: left; font-family: Aptos; font-size: 12pt;">
<b>From: </b>Karl McGuinness &lt;<a href=3D"mailto:me@karlmcguinness.com" =
target=3D"_blank">me@karlmcguinness.com</a>&gt;<br>
<b>Date: </b>Tuesday, 19 May 2026 at 3:02=E2=80=AFPM<br>
<b>To: </b>Max Gerber &lt;max=3D<a =
href=3D"mailto:40stytch.com@dmarc.ietf.org" =
target=3D"_blank">40stytch.com@dmarc.ietf.org</a>&gt;<br>
<b>Cc: </b>Andy Barlow &lt;<a href=3D"mailto:0xandybarlow@gmail.com" =
target=3D"_blank">0xandybarlow@gmail.com</a>&gt;; Nick Watson =
&lt;nwatson=3D<a href=3D"mailto:40google.com@dmarc.ietf.org" =
target=3D"_blank">40google.com@dmarc.ietf.org</a>&gt;; OAuth WG &lt;<a =
href=3D"mailto:oauth@ietf.org" =
target=3D"_blank">oauth@ietf.org</a>&gt;<br>
<b>Subject: </b>[OAUTH-WG] Re: AS Metadata client id parameter draft<br>
<br>
</div>
</div>
<div id=3D"m_-1843788341113937848footer" =
style=3D"background-color:rgb(255,235,156);width:100%;font-size:10px;borde=
r:1px solid rgb(156,101,0);padding:2pt;color:inherit">
EXTERNAL EMAIL: This email originated outside of our organisation. Do =
not click links or open attachments unless you recognise the sender and =
know the content is safe.</div>
<div style=3D"direction:ltr">
<br>
</div>
<div style=3D"direction:ltr">
I strongly support standardizing an approach for a per-client metadata =
mechanism to enable discovery of client-specific metadata values and =
reduce change management risk as folks have indicated.&nbsp; =
Okta&nbsp;shipped support for client_id as query param for similar
 reasons almost 10 years ago!<br>
<br>
I also think we need to consider the inverse for OAuth Client ID =
Metadata Document (CIMD) where the&nbsp;authorization server identifier =
is an optional parameter for the same reasons.&nbsp; &nbsp;</div>
<div style=3D"direction:ltr">
<br>
</div>
<div style=3D"direction:ltr">
-Karl</div>
<div style=3D"direction:ltr">
<br>
</div>
<div style=3D"direction:ltr">
<br>
</div>
<div style=3D"direction:ltr">
<br>
</div>
<div style=3D"direction:ltr">
&nbsp;</div>
<div style=3D"direction:ltr">
<br>
</div>
<div class=3D"gmail_attr" style=3D"direction:ltr">On Mon, May 18, 2026 =
at 5:27=E2=80=AFPM Max Gerber &lt;max=3D<a =
href=3D"mailto:40stytch.com@dmarc.ietf.org" =
target=3D"_blank">40stytch.com@dmarc.ietf.org</a>&gt; wrote:</div>
<blockquote style=3D"margin:0px 0px 0px =
0.8ex;padding-left:1ex;border-left:1px solid rgb(204,204,204)">
<div class=3D"gmail_quote" style=3D"direction:ltr">It's a really =
interesting idea. Thanks Filip for the slides as well!<br>
<br>
&gt; (1) do gradual rollouts of AS metadata changes client by client<br>
<br>
I 100% see the value in better-supporting gradual rollouts. Today, an AS =
can try <i>
(emphasis on try!)</i>&nbsp;to feature flag responses based on IP =
address or User-Agent but both of those are
<i>very</i>&nbsp;poor signals.<br>
<br>
&gt;&nbsp;(2) customize metadata&nbsp;if necessary&nbsp;<br>
<br>
I am not a fan of long-lived customizations of metadata to support =
legacy clients, though I understand gradual rollouts and long-lived =
legacy flags are two sides of the same coin. I know it is not always =
possible or reasonable, but I would rather break old,
 insecure, and unmaintained clients than build tools to accommodate =
them.</div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
The security considerations could be worrisome; you call out that an =
attacker could enumerate&nbsp;which legacy features an AS still supports =
for a given client.<br>
This differs from observing that client's behavior=E2=80=94a client =
might remove the use of the `implicit` grant from their flow, but still =
be permitted by the AS to use it for legacy reasons. Using this =
endpoint, an attacker could determine that fact and attempt to
 exploit it.<br>
<br>
</div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_attr" style=3D"direction:ltr">On Mon, May 18, 2026 =
at 10:08=E2=80=AFAM Andy Barlow &lt;<a =
href=3D"mailto:0xandybarlow@gmail.com" =
target=3D"_blank">0xandybarlow@gmail.com</a>&gt; wrote:</div>
<blockquote style=3D"margin:0px 0px 0px =
0.8ex;padding-left:1ex;border-left:1px solid rgb(204,204,204)">
<div class=3D"gmail_quote" style=3D"direction:ltr">I fully support any =
and all effort on this topic.</div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_attr" style=3D"direction:ltr">On Mon, 18 May 2026 at =
17:58, Filip Skokan &lt;<a href=3D"mailto:panva.ip@gmail.com" =
target=3D"_blank">panva.ip@gmail.com</a>&gt; wrote:</div>
<blockquote style=3D"margin:0px 0px 0px =
0.8ex;padding-left:1ex;border-left:1px solid rgb(204,204,204)">
<div class=3D"gmail_quote" style=3D"direction:ltr">Hello Nick,</div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<blockquote style=3D"margin:0px 0px 0px =
0.8ex;padding-left:1ex;border-left:1px solid rgb(204,204,204)">
<div class=3D"gmail_quote" style=3D"direction:ltr">Let me know what you =
all think.</div>
</blockquote>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_quote" style=3D"direction:ltr">Back at IETF 121 I =
presented this related/similar idea:</div>
<ul style=3D"direction:ltr">
<li style=3D"direction:ltr"><a =
href=3D"https://youtu.be/_kNpecjcj64?t=3D6354" =
target=3D"_blank">https://youtu.be/_kNpecjcj64?t=3D6354</a></li><li =
style=3D"direction:ltr"><a =
href=3D"https://datatracker.ietf.org/meeting/121/materials/slides-121-oaut=
h-sessa-client-id-hint-for-authorization-server-metadata-requests-00" =
target=3D"_blank">https://datatracker.ietf.org/meeting/121/materials/slide=
s-121-oauth-sessa-client-id-hint-for-authorization-server-metadata-request=
s-00</a></li></ul>
<div class=3D"gmail_quote" style=3D"direction:ltr">I haven't had a =
chance to follow up on it since</div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_signature" style=3D"direction:ltr">S pozdravem,<br>
<b>Filip Skokan</b></div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_attr" style=3D"direction:ltr">On Mon, 18 May 2026 at =
17:09, Nick Watson &lt;nwatson=3D<a =
href=3D"mailto:40google.com@dmarc.ietf.org" =
target=3D"_blank">40google.com@dmarc.ietf.org</a>&gt; wrote:</div>
<blockquote style=3D"margin:0px 0px 0px =
0.8ex;padding-left:1ex;border-left:1px solid rgb(204,204,204)">
<div class=3D"gmail_quote" style=3D"direction:ltr"><a =
href=3D"https://njwatson32.github.io/as-metadata-client-id/draft-watson-oa=
uth-as-metadata-client-id.html" =
target=3D"_blank">https://njwatson32.github.io/as-metadata-client-id/draft=
-watson-oauth-as-metadata-client-id.html</a></div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_quote" style=3D"direction:ltr">I've written up a =
quick draft on supporting a client_id parameter on AS Metadata, which =
would allow the AS to (1) do gradual rollouts of AS metadata changes =
client by client and (2) customize metadata&nbsp;if necessary
 (e.g. for clients participating in beta programs of upcoming =
drafts).</div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_quote" style=3D"direction:ltr">AS can also choose to =
ignore the client_id parameter completely and continue serving a =
statically cached global AS metadata&nbsp;file.</div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_quote" style=3D"direction:ltr">I had this idea =
recently when implementing support for 9207 (iss parameter) and running =
into poorly behaved clients handling these updates badly. The draft I'm =
proposing would have allowed me to avoid making
 global changes to AS metadata, and even do a synchronized rollout of =
returning `iss` from the authorization endpoint and =
declaring&nbsp;authorization_response_iss_parameter_supported.</div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_quote" style=3D"direction:ltr">Let me know what you =
all think.</div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_quote" style=3D"direction:ltr">Nick</div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_quote" style=3D"direction:ltr">PS: I've also =
proposed the "reverse" of this for CIMD in this
<a =
href=3D"https://github.com/oauth-wg/draft-ietf-oauth-client-id-metadata-do=
cument/issues/78" target=3D"_blank">
issue</a>.</div>
<div class=3D"gmail_quote" style=3D"direction:ltr"><br>
</div>
<div class=3D"gmail_quote" style=3D"direction:ltr">--</div>
<div class=3D"gmail_signature" =
style=3D"direction:ltr;line-height:1.5em;margin-top:10px;padding-top:10px;=
font-family:sans-serif;font-size:9.75pt;color:rgb(85,85,85)">
Nick Watson&nbsp;|&nbsp;Software Engineer | <a =
href=3D"mailto:nwatson@google.com" target=3D"_blank">
nwatson@google.com</a>&nbsp;|&nbsp;<a href=3D"tel:(781)%20608-3352" =
value=3D"+17816083352" target=3D"_blank">(781) 608-3352</a></div>
<div =
class=3D"gmail_quote">_______________________________________________<br>
OAuth mailing list -- <a href=3D"mailto:oauth@ietf.org" target=3D"_blank">=

oauth@ietf.org</a><br>
To unsubscribe send an email to <a href=3D"mailto:oauth-leave@ietf.org" =
target=3D"_blank">
oauth-leave@ietf.org</a></div>
</blockquote>
<div =
class=3D"gmail_quote">_______________________________________________<br>
OAuth mailing list -- <a href=3D"mailto:oauth@ietf.org" target=3D"_blank">=

oauth@ietf.org</a><br>
To unsubscribe send an email to <a href=3D"mailto:oauth-leave@ietf.org" =
target=3D"_blank">
oauth-leave@ietf.org</a></div>
</blockquote>
<div =
class=3D"gmail_quote">_______________________________________________<br>
OAuth mailing list -- <a href=3D"mailto:oauth@ietf.org" target=3D"_blank">=

oauth@ietf.org</a><br>
To unsubscribe send an email to <a href=3D"mailto:oauth-leave@ietf.org" =
target=3D"_blank">
oauth-leave@ietf.org</a></div>
</blockquote>
<div =
class=3D"gmail_quote">_______________________________________________<br>
OAuth mailing list -- <a href=3D"mailto:oauth@ietf.org" target=3D"_blank">=

oauth@ietf.org</a><br>
To unsubscribe send an email to <a href=3D"mailto:oauth-leave@ietf.org" =
target=3D"_blank">
oauth-leave@ietf.org</a></div>
</blockquote>
</div>
</div>

</blockquote></div>
_______________________________________________<br>OAuth mailing list -- =
oauth@ietf.org<br>To unsubscribe send an email to =
oauth-leave@ietf.org<br></div></blockquote></div><br></div></div></body></=
html>=

--Apple-Mail=_A65F61BF-DF44-47B1-86D1-581483F7DE29--

