[OAUTH-WG] Re: AS Metadata client id parameter draft

Karl McGuinness <me@karlmcguinness.com> Tue, 19 May 2026 03:01 UTC

Return-Path: <me@karlmcguinness.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id B9A93F077853 for <oauth@mail2.ietf.org>; Mon, 18 May 2026 20:01:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1779159709; bh=3MIwM2Pmz+/iMoWjTqX7UHq4cl6XDNgYJ+cDYBjxbs4=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=mGC8LyQejK9DDlmAAb9XWumMymmHWEsXL/EgIgVlVM77kEpratYTo0Haf3BA2Uc+y RMLL6NjxkQsEyiGmaukaVSwgs+NbEdH620p6mPk7J2i/xDuJQVYcH/ZjyyoiQrPe+z eGGcD5JUwqIRWlHL7z0kFKeTAcUM2VlmgqOGP99M=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=karlmcguinness.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jIRJHohw5U09 for <oauth@mail2.ietf.org>; Mon, 18 May 2026 20:01:42 -0700 (PDT)
Received: from mail-wm1-x331.google.com (mail-wm1-x331.google.com [IPv6:2a00:1450:4864:20::331]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 23650F077677 for <oauth@ietf.org>; Mon, 18 May 2026 20:01:30 -0700 (PDT)
Received: by mail-wm1-x331.google.com with SMTP id 5b1f17b1804b1-488a88aeec9so35536275e9.2 for <oauth@ietf.org>; Mon, 18 May 2026 20:01:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1779159683; cv=none; d=google.com; s=arc-20240605; b=H/uEJpfW/wg3n6IDyrfRNWwafzVxoU1YeEntXzXS3kq1xKlQ6y35iQUhu2d2n8iurn 4kGGFbzNVewN4/Q8Oc03JYgsPHrOCo8BrvV1t7iJMwpR5oV3JvpbgNZ5dtQ1LXjYF7gx 0UZIezu1G1QWwvl8S29pxoBG4RzqfnsE0OCBFkjz/6x4slnbamJutKTNHI1EC/aeLJ6i 9aDElKxDXj4BHNy9mcmUrAjJ9VA8WBpD5tF82xO7q6XRLHeOLRc6TVakg/OGMnmCckSU g+TfDL0Jm0wmwqfqNR3gsNW/yQR3HWaNG/qhimNAaIMZKpOZ278Bd45Dx+s57ZPH1oEo ptNQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=mPCQKSaga/AN+CLDoRHPO/sVVTKsARZ6OtjCEvuCzJE=; fh=PgCMA0Urq5klBRCPd9OaxcgUmaKWHkzW81XuDONh5iY=; b=VBahESOArTNeGK9aYPJ+C8o57NBQgQY210lRUkjlJm5zz2l3ue6dpwQKLOK5Q18iSc 0ot2ndDU9xxHfMJStaKSLYd2HIQyAxMHZ+Ab3/4FFEQHnj2o9t9U7lV+hB09LNqQwN4c 2PK0/q72pTXNBHMIH0Ag+AHbW6BRyfrjaFEuDlIcLl1fmYH+smRb1MBdj340EkQO+xtj axd+CJHbIpXQ/GHj9lAjyJnLHoJTJOR0jdO060z015ftEqHSfFebuGoGYXXIvZ8LcIkS I7yRGQYcSqJAZExQnU8MdvWGOqjbcWqQzGj/HudHcnsiYaAKc9HQyBu/oaA6do3BmXY0 HLnA==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=karlmcguinness.com; s=google; t=1779159683; x=1779764483; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=mPCQKSaga/AN+CLDoRHPO/sVVTKsARZ6OtjCEvuCzJE=; b=giq3Dj+8p2mMrjCQO7uClfYZS0j/kqMvseVicpV5inoKwqZlBhXW1FMwn3X7iLK4pg Rtk9v/118YqaWh+0d3ZeEUcDAR3yIwbTwYHWP748W5p/R0Fnwh6c/VZl8WIPVq8IwVEa 6Zx1WMxdgLVBK6nEjaHX7EoVMXho8TLWOj6sMunajfjgrqZPk/Ibip+7C0Ffnxspvm36 DwCl5Qg+YrrF7GGsSMNDvgLKhx4WJV0TsjBRKK3YQAc96W3Xiayj2XzQvLQq7Krr2DuN C0bBkJDywQTS76LS8yz3i+u4jjhbUVs+v1k1oT5DBQo46rLHinhqY2kKNrOCfgXXKB8M lD2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779159683; x=1779764483; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=mPCQKSaga/AN+CLDoRHPO/sVVTKsARZ6OtjCEvuCzJE=; b=i6/MubGeVl8U42t5SwGTciHsBZcytaxx+3iS1t0WtDOyU9cxQmu9fDjje3s7FELTw5 1yG4pO7TMek/r94gtvkEiH5IJM0haFDARGkQDeBwOGE+8LIDzYeK6MMOYXbw+DcPC0hw 66MbNFvj/2sLOB7dymZo//DmlM1DmCQREApQBc/zxkzeeErNCJVbbyaURNOj2jKyho9B 5RtXt/bdasRRBcpExESEvnQwoM4zYzydQWlMI6AhebNIqe2uHKg9Bs3+AyN/idTtspFc MSrk3wW9JEfLS7jDl4vjRha1WcCCJ9l6S1Emm8PJKzfeYJv5rPaYL+DmhyhcYjBKu/rJ jtYA==
X-Forwarded-Encrypted: i=1; AFNElJ/58Kuyo6oiJsHhT4C8mGQZZ4w4sQjmH1SPVzxt2sjZ/fPV4dSVP+t0wfwxHs67tO78zavvQw==@ietf.org
X-Gm-Message-State: AOJu0YwzHGLymZm/I3F6k/D6dUFsrrpKzqHBhCFw68yLCdueG7c+dHJy kQoFiQBn7Nav1hQeW27WGnBseAEtDWpsC/Q3G8ZmYEWLlWn5ZDYjDlgaFcd5inRSZe75/H8zXid TLGMqVb7Ir2nVgNTk0w16liioKjx0qHO27G/7E67qaQ==
X-Gm-Gg: Acq92OHjjwoN6+E2pGLbrYbhvpnduBa8GJXx9bqBC5/RTqxRmcSCrrZvDXSfK5CG3Rs x2J38mmD2ElJoSK9AyTqsp3j/Rpvxi0AqRlN7eKyI0Ffcj+0XzWJ4mpHiQn/Ap6fFEbXQ/RCC0o tCNT8DqQmQ1yZZGmIqg0+Q1ASFZYqLoTX56LwYrnN6qQeIvuC+tXDnAbYG57duLJiswot1tNScE 0/G7YOfGBj6hDknTlkS/GvbjkC+Ko3pRmETsl0UJ2+it4Kv8FAQUNTnxAGxPxFib0zUumIemH62 Axx5H0ya9FSgochbjZjH44BUwrSEcbSRqPY4YkiTMxpErx+PLuR7070TMM1JZN645kaiMCc=
X-Received: by 2002:a05:600c:46cf:b0:48f:d5a0:284e with SMTP id 5b1f17b1804b1-48fe66267eemr261926935e9.28.1779159682945; Mon, 18 May 2026 20:01:22 -0700 (PDT)
MIME-Version: 1.0
References: <CALZ8nCuvyBB7XuRUJO0EqNxXReiaRGe69d0niTGndyvUO6PZMQ@mail.gmail.com> <CALAqi_-CVzF2Q+z_Xvr1ShF_mA4wnXskXHX88GaZOdNZ+HK2Dg@mail.gmail.com> <CAMjEm+FKAYsYuh9Q2piCFw_hqCFEdN5=U5+53nEFtDpzghKSNw@mail.gmail.com> <CAEnJ2_XP+juU_6WFy+R3cTtCw2T16SDnrMiPJVuuM=UC2-w2fQ@mail.gmail.com>
In-Reply-To: <CAEnJ2_XP+juU_6WFy+R3cTtCw2T16SDnrMiPJVuuM=UC2-w2fQ@mail.gmail.com>
From: Karl McGuinness <me@karlmcguinness.com>
Date: Mon, 18 May 2026 20:01:11 -0700
X-Gm-Features: AVHnY4J88eEluJmzHHdZS3RtU5AFNARphn0pf-aiYxLBVf-5URT8akK19Yt42-g
Message-ID: <CAPVrLW0hme839xoVf-A4Hu_Xzwq-zdUHCm79BnuUZ-OeTj_Qhg@mail.gmail.com>
To: Max Gerber <max=40stytch.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e6a43d065222e4e9"
Message-ID-Hash: ADDON7JEOZKPVV7R4MUBAPHFX2JKH22T
X-Message-ID-Hash: ADDON7JEOZKPVV7R4MUBAPHFX2JKH22T
X-MailFrom: me@karlmcguinness.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Andy Barlow <0xandybarlow@gmail.com>, Nick Watson <nwatson=40google.com@dmarc.ietf.org>, OAuth WG <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: AS Metadata client id parameter draft
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jZo3kjswDEQM6zo64xOLYRRaEJE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

I strongly support standardizing an approach for a per-client metadata
mechanism to enable discovery of client-specific metadata values and reduce
change management risk as folks have indicated.  Okta shipped support for
client_id as query param for similar reasons almost 10 years ago!

I also think we need to consider the inverse for OAuth Client ID Metadata
Document (CIMD) where the authorization server identifier is an optional
parameter for the same reasons.

-Karl





On Mon, May 18, 2026 at 5:27 PM Max Gerber <max=40stytch.com@dmarc.ietf.org>
wrote:

> It's a really interesting idea. Thanks Filip for the slides as well!
>
> > (1) do gradual rollouts of AS metadata changes client by client
>
> I 100% see the value in better-supporting gradual rollouts. Today, an AS
> can try *(emphasis on try!)* to feature flag responses based on IP
> address or User-Agent but both of those are *very* poor signals.
>
> > (2) customize metadata if necessary
>
> I am not a fan of long-lived customizations of metadata to support legacy
> clients, though I understand gradual rollouts and long-lived legacy flags
> are two sides of the same coin. I know it is not always possible or
> reasonable, but I would rather break old, insecure, and unmaintained
> clients than build tools to accommodate them.
>
> The security considerations could be worrisome; you call out that an
> attacker could enumerate which legacy features an AS still supports for a
> given client.
> This differs from observing that client's behavior—a client might remove
> the use of the `implicit` grant from their flow, but still be permitted by
> the AS to use it for legacy reasons. Using this endpoint, an attacker could
> determine that fact and attempt to exploit it.
>
>
> On Mon, May 18, 2026 at 10:08 AM Andy Barlow <0xandybarlow@gmail.com>
> wrote:
>
>> I fully support any and all effort on this topic.
>>
>> On Mon, 18 May 2026 at 17:58, Filip Skokan <panva.ip@gmail.com> wrote:
>>
>>> Hello Nick,
>>>
>>> Let me know what you all think.
>>>
>>>
>>> Back at IETF 121 I presented this related/similar idea:
>>>
>>>    - https://youtu.be/_kNpecjcj64?t=6354
>>>    -
>>>    https://datatracker.ietf.org/meeting/121/materials/slides-121-oauth-sessa-client-id-hint-for-authorization-server-metadata-requests-00
>>>
>>> I haven't had a chance to follow up on it since
>>>
>>> S pozdravem,
>>> *Filip Skokan*
>>>
>>>
>>> On Mon, 18 May 2026 at 17:09, Nick Watson <nwatson=
>>> 40google.com@dmarc.ietf.org> wrote:
>>>
>>>>
>>>> https://njwatson32.github.io/as-metadata-client-id/draft-watson-oauth-as-metadata-client-id.html
>>>>
>>>> I've written up a quick draft on supporting a client_id parameter on AS
>>>> Metadata, which would allow the AS to (1) do gradual rollouts of AS
>>>> metadata changes client by client and (2) customize metadata if necessary
>>>> (e.g. for clients participating in beta programs of upcoming drafts).
>>>>
>>>> AS can also choose to ignore the client_id parameter completely and
>>>> continue serving a statically cached global AS metadata file.
>>>>
>>>> I had this idea recently when implementing support for 9207 (iss
>>>> parameter) and running into poorly behaved clients handling these updates
>>>> badly. The draft I'm proposing would have allowed me to avoid making global
>>>> changes to AS metadata, and even do a synchronized rollout of returning
>>>> `iss` from the authorization endpoint and
>>>> declaring authorization_response_iss_parameter_supported.
>>>>
>>>> Let me know what you all think.
>>>>
>>>> Nick
>>>>
>>>> PS: I've also proposed the "reverse" of this for CIMD in this issue
>>>> <https://github.com/oauth-wg/draft-ietf-oauth-client-id-metadata-document/issues/78>
>>>> .
>>>>
>>>> --
>>>> Nick Watson | Software Engineer | nwatson@google.com | (781) 608-3352
>>>> _______________________________________________
>>>> OAuth mailing list -- oauth@ietf.org
>>>> To unsubscribe send an email to oauth-leave@ietf.org
>>>>
>>> _______________________________________________
>>> OAuth mailing list -- oauth@ietf.org
>>> To unsubscribe send an email to oauth-leave@ietf.org
>>>
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-leave@ietf.org
>>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>