[OAUTH-WG] Re: AS Metadata client id parameter draft
Karl McGuinness <me@karlmcguinness.com> Tue, 19 May 2026 03:01 UTC
Return-Path: <me@karlmcguinness.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id B9A93F077853 for <oauth@mail2.ietf.org>; Mon, 18 May 2026 20:01:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1779159709; bh=3MIwM2Pmz+/iMoWjTqX7UHq4cl6XDNgYJ+cDYBjxbs4=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=mGC8LyQejK9DDlmAAb9XWumMymmHWEsXL/EgIgVlVM77kEpratYTo0Haf3BA2Uc+y RMLL6NjxkQsEyiGmaukaVSwgs+NbEdH620p6mPk7J2i/xDuJQVYcH/ZjyyoiQrPe+z eGGcD5JUwqIRWlHL7z0kFKeTAcUM2VlmgqOGP99M=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=karlmcguinness.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jIRJHohw5U09 for <oauth@mail2.ietf.org>; Mon, 18 May 2026 20:01:42 -0700 (PDT)
Received: from mail-wm1-x331.google.com (mail-wm1-x331.google.com [IPv6:2a00:1450:4864:20::331]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 23650F077677 for <oauth@ietf.org>; Mon, 18 May 2026 20:01:30 -0700 (PDT)
Received: by mail-wm1-x331.google.com with SMTP id 5b1f17b1804b1-488a88aeec9so35536275e9.2 for <oauth@ietf.org>; Mon, 18 May 2026 20:01:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1779159683; cv=none; d=google.com; s=arc-20240605; b=H/uEJpfW/wg3n6IDyrfRNWwafzVxoU1YeEntXzXS3kq1xKlQ6y35iQUhu2d2n8iurn 4kGGFbzNVewN4/Q8Oc03JYgsPHrOCo8BrvV1t7iJMwpR5oV3JvpbgNZ5dtQ1LXjYF7gx 0UZIezu1G1QWwvl8S29pxoBG4RzqfnsE0OCBFkjz/6x4slnbamJutKTNHI1EC/aeLJ6i 9aDElKxDXj4BHNy9mcmUrAjJ9VA8WBpD5tF82xO7q6XRLHeOLRc6TVakg/OGMnmCckSU g+TfDL0Jm0wmwqfqNR3gsNW/yQR3HWaNG/qhimNAaIMZKpOZ278Bd45Dx+s57ZPH1oEo ptNQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=mPCQKSaga/AN+CLDoRHPO/sVVTKsARZ6OtjCEvuCzJE=; fh=PgCMA0Urq5klBRCPd9OaxcgUmaKWHkzW81XuDONh5iY=; b=VBahESOArTNeGK9aYPJ+C8o57NBQgQY210lRUkjlJm5zz2l3ue6dpwQKLOK5Q18iSc 0ot2ndDU9xxHfMJStaKSLYd2HIQyAxMHZ+Ab3/4FFEQHnj2o9t9U7lV+hB09LNqQwN4c 2PK0/q72pTXNBHMIH0Ag+AHbW6BRyfrjaFEuDlIcLl1fmYH+smRb1MBdj340EkQO+xtj axd+CJHbIpXQ/GHj9lAjyJnLHoJTJOR0jdO060z015ftEqHSfFebuGoGYXXIvZ8LcIkS I7yRGQYcSqJAZExQnU8MdvWGOqjbcWqQzGj/HudHcnsiYaAKc9HQyBu/oaA6do3BmXY0 HLnA==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=karlmcguinness.com; s=google; t=1779159683; x=1779764483; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=mPCQKSaga/AN+CLDoRHPO/sVVTKsARZ6OtjCEvuCzJE=; b=giq3Dj+8p2mMrjCQO7uClfYZS0j/kqMvseVicpV5inoKwqZlBhXW1FMwn3X7iLK4pg Rtk9v/118YqaWh+0d3ZeEUcDAR3yIwbTwYHWP748W5p/R0Fnwh6c/VZl8WIPVq8IwVEa 6Zx1WMxdgLVBK6nEjaHX7EoVMXho8TLWOj6sMunajfjgrqZPk/Ibip+7C0Ffnxspvm36 DwCl5Qg+YrrF7GGsSMNDvgLKhx4WJV0TsjBRKK3YQAc96W3Xiayj2XzQvLQq7Krr2DuN C0bBkJDywQTS76LS8yz3i+u4jjhbUVs+v1k1oT5DBQo46rLHinhqY2kKNrOCfgXXKB8M lD2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779159683; x=1779764483; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=mPCQKSaga/AN+CLDoRHPO/sVVTKsARZ6OtjCEvuCzJE=; b=i6/MubGeVl8U42t5SwGTciHsBZcytaxx+3iS1t0WtDOyU9cxQmu9fDjje3s7FELTw5 1yG4pO7TMek/r94gtvkEiH5IJM0haFDARGkQDeBwOGE+8LIDzYeK6MMOYXbw+DcPC0hw 66MbNFvj/2sLOB7dymZo//DmlM1DmCQREApQBc/zxkzeeErNCJVbbyaURNOj2jKyho9B 5RtXt/bdasRRBcpExESEvnQwoM4zYzydQWlMI6AhebNIqe2uHKg9Bs3+AyN/idTtspFc MSrk3wW9JEfLS7jDl4vjRha1WcCCJ9l6S1Emm8PJKzfeYJv5rPaYL+DmhyhcYjBKu/rJ jtYA==
X-Forwarded-Encrypted: i=1; AFNElJ/58Kuyo6oiJsHhT4C8mGQZZ4w4sQjmH1SPVzxt2sjZ/fPV4dSVP+t0wfwxHs67tO78zavvQw==@ietf.org
X-Gm-Message-State: AOJu0YwzHGLymZm/I3F6k/D6dUFsrrpKzqHBhCFw68yLCdueG7c+dHJy kQoFiQBn7Nav1hQeW27WGnBseAEtDWpsC/Q3G8ZmYEWLlWn5ZDYjDlgaFcd5inRSZe75/H8zXid TLGMqVb7Ir2nVgNTk0w16liioKjx0qHO27G/7E67qaQ==
X-Gm-Gg: Acq92OHjjwoN6+E2pGLbrYbhvpnduBa8GJXx9bqBC5/RTqxRmcSCrrZvDXSfK5CG3Rs x2J38mmD2ElJoSK9AyTqsp3j/Rpvxi0AqRlN7eKyI0Ffcj+0XzWJ4mpHiQn/Ap6fFEbXQ/RCC0o tCNT8DqQmQ1yZZGmIqg0+Q1ASFZYqLoTX56LwYrnN6qQeIvuC+tXDnAbYG57duLJiswot1tNScE 0/G7YOfGBj6hDknTlkS/GvbjkC+Ko3pRmETsl0UJ2+it4Kv8FAQUNTnxAGxPxFib0zUumIemH62 Axx5H0ya9FSgochbjZjH44BUwrSEcbSRqPY4YkiTMxpErx+PLuR7070TMM1JZN645kaiMCc=
X-Received: by 2002:a05:600c:46cf:b0:48f:d5a0:284e with SMTP id 5b1f17b1804b1-48fe66267eemr261926935e9.28.1779159682945; Mon, 18 May 2026 20:01:22 -0700 (PDT)
MIME-Version: 1.0
References: <CALZ8nCuvyBB7XuRUJO0EqNxXReiaRGe69d0niTGndyvUO6PZMQ@mail.gmail.com> <CALAqi_-CVzF2Q+z_Xvr1ShF_mA4wnXskXHX88GaZOdNZ+HK2Dg@mail.gmail.com> <CAMjEm+FKAYsYuh9Q2piCFw_hqCFEdN5=U5+53nEFtDpzghKSNw@mail.gmail.com> <CAEnJ2_XP+juU_6WFy+R3cTtCw2T16SDnrMiPJVuuM=UC2-w2fQ@mail.gmail.com>
In-Reply-To: <CAEnJ2_XP+juU_6WFy+R3cTtCw2T16SDnrMiPJVuuM=UC2-w2fQ@mail.gmail.com>
From: Karl McGuinness <me@karlmcguinness.com>
Date: Mon, 18 May 2026 20:01:11 -0700
X-Gm-Features: AVHnY4J88eEluJmzHHdZS3RtU5AFNARphn0pf-aiYxLBVf-5URT8akK19Yt42-g
Message-ID: <CAPVrLW0hme839xoVf-A4Hu_Xzwq-zdUHCm79BnuUZ-OeTj_Qhg@mail.gmail.com>
To: Max Gerber <max=40stytch.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e6a43d065222e4e9"
Message-ID-Hash: ADDON7JEOZKPVV7R4MUBAPHFX2JKH22T
X-Message-ID-Hash: ADDON7JEOZKPVV7R4MUBAPHFX2JKH22T
X-MailFrom: me@karlmcguinness.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Andy Barlow <0xandybarlow@gmail.com>, Nick Watson <nwatson=40google.com@dmarc.ietf.org>, OAuth WG <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: AS Metadata client id parameter draft
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jZo3kjswDEQM6zo64xOLYRRaEJE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
I strongly support standardizing an approach for a per-client metadata mechanism to enable discovery of client-specific metadata values and reduce change management risk as folks have indicated. Okta shipped support for client_id as query param for similar reasons almost 10 years ago! I also think we need to consider the inverse for OAuth Client ID Metadata Document (CIMD) where the authorization server identifier is an optional parameter for the same reasons. -Karl On Mon, May 18, 2026 at 5:27 PM Max Gerber <max=40stytch.com@dmarc.ietf.org> wrote: > It's a really interesting idea. Thanks Filip for the slides as well! > > > (1) do gradual rollouts of AS metadata changes client by client > > I 100% see the value in better-supporting gradual rollouts. Today, an AS > can try *(emphasis on try!)* to feature flag responses based on IP > address or User-Agent but both of those are *very* poor signals. > > > (2) customize metadata if necessary > > I am not a fan of long-lived customizations of metadata to support legacy > clients, though I understand gradual rollouts and long-lived legacy flags > are two sides of the same coin. I know it is not always possible or > reasonable, but I would rather break old, insecure, and unmaintained > clients than build tools to accommodate them. > > The security considerations could be worrisome; you call out that an > attacker could enumerate which legacy features an AS still supports for a > given client. > This differs from observing that client's behavior—a client might remove > the use of the `implicit` grant from their flow, but still be permitted by > the AS to use it for legacy reasons. Using this endpoint, an attacker could > determine that fact and attempt to exploit it. > > > On Mon, May 18, 2026 at 10:08 AM Andy Barlow <0xandybarlow@gmail.com> > wrote: > >> I fully support any and all effort on this topic. >> >> On Mon, 18 May 2026 at 17:58, Filip Skokan <panva.ip@gmail.com> wrote: >> >>> Hello Nick, >>> >>> Let me know what you all think. >>> >>> >>> Back at IETF 121 I presented this related/similar idea: >>> >>> - https://youtu.be/_kNpecjcj64?t=6354 >>> - >>> https://datatracker.ietf.org/meeting/121/materials/slides-121-oauth-sessa-client-id-hint-for-authorization-server-metadata-requests-00 >>> >>> I haven't had a chance to follow up on it since >>> >>> S pozdravem, >>> *Filip Skokan* >>> >>> >>> On Mon, 18 May 2026 at 17:09, Nick Watson <nwatson= >>> 40google.com@dmarc.ietf.org> wrote: >>> >>>> >>>> https://njwatson32.github.io/as-metadata-client-id/draft-watson-oauth-as-metadata-client-id.html >>>> >>>> I've written up a quick draft on supporting a client_id parameter on AS >>>> Metadata, which would allow the AS to (1) do gradual rollouts of AS >>>> metadata changes client by client and (2) customize metadata if necessary >>>> (e.g. for clients participating in beta programs of upcoming drafts). >>>> >>>> AS can also choose to ignore the client_id parameter completely and >>>> continue serving a statically cached global AS metadata file. >>>> >>>> I had this idea recently when implementing support for 9207 (iss >>>> parameter) and running into poorly behaved clients handling these updates >>>> badly. The draft I'm proposing would have allowed me to avoid making global >>>> changes to AS metadata, and even do a synchronized rollout of returning >>>> `iss` from the authorization endpoint and >>>> declaring authorization_response_iss_parameter_supported. >>>> >>>> Let me know what you all think. >>>> >>>> Nick >>>> >>>> PS: I've also proposed the "reverse" of this for CIMD in this issue >>>> <https://github.com/oauth-wg/draft-ietf-oauth-client-id-metadata-document/issues/78> >>>> . >>>> >>>> -- >>>> Nick Watson | Software Engineer | nwatson@google.com | (781) 608-3352 >>>> _______________________________________________ >>>> OAuth mailing list -- oauth@ietf.org >>>> To unsubscribe send an email to oauth-leave@ietf.org >>>> >>> _______________________________________________ >>> OAuth mailing list -- oauth@ietf.org >>> To unsubscribe send an email to oauth-leave@ietf.org >>> >> _______________________________________________ >> OAuth mailing list -- oauth@ietf.org >> To unsubscribe send an email to oauth-leave@ietf.org >> > _______________________________________________ > OAuth mailing list -- oauth@ietf.org > To unsubscribe send an email to oauth-leave@ietf.org >
- [OAUTH-WG] AS Metadata client id parameter draft Nick Watson
- [OAUTH-WG] Re: AS Metadata client id parameter dr… Filip Skokan
- [OAUTH-WG] Re: AS Metadata client id parameter dr… Andy Barlow
- [OAUTH-WG] Re: AS Metadata client id parameter dr… Max Gerber
- [OAUTH-WG] Re: AS Metadata client id parameter dr… Karl McGuinness
- [OAUTH-WG] Re: AS Metadata client id parameter dr… Tobias Looker
- [OAUTH-WG] Re: AS Metadata client id parameter dr… Nick Watson
- [OAUTH-WG] Re: AS Metadata client id parameter dr… Emelia S.
- [OAUTH-WG] Re: AS Metadata client id parameter dr… Frederik Krogsdal Jacobsen