Re: [OAUTH-WG] Dynamic Client Registration

"Richer, Justin P." <> Sun, 03 November 2013 04:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8A07C11E818D for <>; Sat, 2 Nov 2013 21:28:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.383
X-Spam-Status: No, score=-6.383 tagged_above=-999 required=5 tests=[AWL=0.216, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 7foR2TMGfy9X for <>; Sat, 2 Nov 2013 21:28:38 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 7AEE911E8171 for <>; Sat, 2 Nov 2013 21:28:38 -0700 (PDT)
Received: from (localhost.localdomain []) by localhost (Postfix) with SMTP id EFEC11F02D0; Sun, 3 Nov 2013 00:28:37 -0400 (EDT)
Received: from IMCCAS01.MITRE.ORG ( []) by (Postfix) with ESMTP id DD2201F027F; Sun, 3 Nov 2013 00:28:37 -0400 (EDT)
Received: from IMCMBX01.MITRE.ORG ([]) by IMCCAS01.MITRE.ORG ([]) with mapi id 14.03.0158.001; Sun, 3 Nov 2013 00:28:37 -0400
From: "Richer, Justin P." <>
To: Hannes Tschofenig <>
Thread-Topic: [OAUTH-WG] Dynamic Client Registration
Thread-Index: AQHO17VpgVm3wOfIFkiR4ENfx3W3lpoTPrkA
Date: Sun, 03 Nov 2013 04:28:36 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: " WG" <>
Subject: Re: [OAUTH-WG] Dynamic Client Registration
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 03 Nov 2013 04:28:43 -0000


There are a number of major use cases and expectations that I've kept in mind throughout the development of this protocol. Some of the fallout of this is captured in appendix B of the current draft, but I'd be happy to write them out here:

First, the use cases of OpenID Connect and UMA are driving factors, which shouldn't be surprising since the draft that we have now came into existence by combining the UMA dynamic registration draft (which started its life over 3 years ago now) and the OpenID Connect dynamic registration draft (which is at least 2 years old). In both of these cases, the trust starts at the end user, who effectively makes the introductions between the different components. For example, in Connect's fully open and distributed mode, the end user types in a web finger address at the RP to point to an IdP that the RP's potentially never heard of. That RP needs to be able to talk to that IdP in real time, while the user is still there. Likewise in UMA, the end user points the client at the API which discovers the AS. Any kind of step that requires a system administrator or developer to be involved is a dead stop for the fully distributed cases of these protocols, since the whole point is to *automate* the process of registration. The case is even more clear with BlueButton+, a healthcare data access protocol, where the end user is the patient. The patient has the right and ability to connect their health care provider's API (protected by the provider's AS) to a client of the patient's choosing, even if the provider or the provider's software vendor has never heard of the client software before. 

That said, there's a "more trusted" middle ground where you get authorized to call the registration endpoint, and you can show that by presenting an initial access token as part of that request. We've taken that mechanism with BlueButton+ and defined our own initial access token as a signed JWT assertion presented as a bearer assertion. (There's also a discovery protocol in BB+ that defines how the AS can validate the assertion.) Large providers, like the Googles and Facebooks of the world, like to have a relationship with the developer ahead of time. The developer is effectively issued an access token to tie their clients back to the developer's account. There can be a problem with this though, and it's important to think of the dynamic registration from two perspectives: 

>From the perspective of the AS, the protocol is all about introducing new clients. In this view, you've got an AS with lots of different client applications trying to talk to it. These might be many copies of the same code base, or many different code bases, but each instance needs to be able to present a client_id and client_secret (or equivalent authentication) that the AS can recognize. In an enterprise, it's common to think from this perspective because it's usually the enterprise that's rolling out the AS and wanting to provide access to a published API to a bunch of clients that may or may not be known ahead of time. 

>From the perspective of the client (which is really to say, an instance of a client), the protocol is all about introducing the client to a bunch of different auth servers. This is usually the case when you've got an "open" API, like OIDC, that may be hosted by any number of unknown parties that need to be discovered at runtime. One client can talk to a number of different instantiations of this same API. This perspective often gets lost when people talk about deploying auth servers (especially the large internet providers) or having some kind of trusted registration, like what Google wants to do with giving developers access tokens. However, I think that this perspective is going to become more important as we have more widespread common APIs and better service discovery systems.  Note that in BB+ we have both open and trusted registrations, with the open registrations MTI.

Extensibility of the base draft is also a very important consideration to me. OAuth works because it's a set of composable blocks that can be brought together to solve a wide variety of problems. As such, it's important that the client's metadata be safely and easily extensible so that specific protocols being protected by OAuth (like Connect or Blue Button) can easily define protocol-specific client aspects. This would also be the logical place to inject Phil's proposed software statement, as an extension to the client's presented metadata and a means for protecting particular fields with a signature. Additionally, since OAuth has many different methods of clients authenticating, the draft defines a registry to allow for specific OAuth-protected protocols and systems to define different auth methods, like Connect's private_key_jwt and client_secret_jwt methods that are more specific to how Connect defines its interactions. I'm sure there will be other methods in the future, too.

Finally, the ability of the client to manage the metadata that's attached to a client_id over time is important in some use cases. Fundamentally, the registration process is the "Create" verb, and the "Read/Update/Delete" verbs are a short step after that to implement. It's become clear to me that if your authorization servers are fully stateless, or if you believe that all of the metadata properties of a given client (or even piece of software with multiple instances), then the management API doesn't make any sense. However, neither of these assumptions are universal, and with the right components, we can have a system that can be composed in different ways to fit all of these use cases.

 -- Justin

On Nov 2, 2013, at 6:21 AM, Hannes Tschofenig <>

> Hi all,
> reading througth various dynamic client registration document I get the impression that there is one area of potential disconnect, namely in the end user / developer experience.
> When OpenID started this concept that a random IdP could talk to a random RP it seemed like a great idea. There was no need to exchange secrets and go through this complicated introduction process between the different parties, which sometimes even required business argeements. Those processes were known from Kerberos and also from the SAML identity federations.
> OpenID looked at the entire step from a technical point of view in an attempt to exchange the necessary information and then you were done with it.
> However, there was a bit more to this whole process, namely the entire notion of trust. In particular, there was the problem that the IdP would hand out information (personal data) to RPs only based on the user's consent. Of course, things could go wrong and some RPs misused the data given by the RP. The IdP couldn't really do anything about that since it knew nothing about the developer at the RP or the RP itself.
> So, how does the IdP ensure that it has some way to improve security and privacy of their users without handing out just everything. Of course, the IdP had it's own interest to know to know data is being passed to.
> Jumping to OAuth many deployments required developers to register and this registration procedure might require lots of information (such as credit card number, phone number, agreeing the terms of service, etc.). So, in many cases it wasn't purely about giving the developer a client-id and a shared secret for the client application.
> Now, here is the challenge: there are obviously different environments developers produce software for (such as the Web, the mobile app eco-system, and enterprise environments). They might all have different processes and expectations about the entire process.
> We have pretty much short-cut the entire story to the purely technical parts, namely to sending messages around and defining new attributes and have done very little in describing the process itself that we assume takes place.
> I know that you have these processes in your head when you write your documents and in discussions I have heard about these processes. Unfortunately, they aren't really documented anywhere. I guess it is needless to say that the expectations about how enterprises plan to deploy software vs. how the same is done for the Web is somewhat different.
> So, I believe it is useful to chat about these aspects even though they may just lead to a few paragraphs in our documents providing background information rather than actual normative specification text.
> Ciao
> Hannes
> _______________________________________________
> OAuth mailing list