Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents

Torsten Lodderstedt <> Sun, 20 April 2014 10:14 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 39F331A010D for <>; Sun, 20 Apr 2014 03:14:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.151
X-Spam-Status: No, score=-0.151 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 3XHyJNsZaP2h for <>; Sun, 20 Apr 2014 03:14:24 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 83A7D1A007F for <>; Sun, 20 Apr 2014 03:14:13 -0700 (PDT)
Received: from [] (helo=[]) by with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.68) (envelope-from <>) id 1WbolD-0006mc-B9; Sun, 20 Apr 2014 12:14:07 +0200
Message-ID: <>
Date: Sun, 20 Apr 2014 12:14:09 +0200
From: Torsten Lodderstedt <>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Hannes Tschofenig <>, "" <>
References: <>
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------020202000003070804010703"
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 20 Apr 2014 10:14:28 -0000

Hi all,

I also believe both documents should be merged.

Nevertheless, here are my comments on the current drafts:

*  OAuth 2.0 Dynamic Client Registration Core Protocol

1.2.  Terminology

  " Multiple instances of the same piece of client software MAY use
       the same Client ID value at an authorization server, provided that
       the Redirection URI values and potentially other values dictated
       by authorization server policy are the same for all instances."

Which entity determines whether the same client id is used for different 
instances? Given the current protocol design, I would assume it is at 
the discretion of the authz server. Other opinions?

"Software Statement ... It may also be accepted by some authorization 
       directly as a Client ID value, without prior registration."

under which circumstances does an authz server accept a software 
statement as client_id? How does the client know? I think the idea is 
valuable but needs much more text in order to come up with an 
interoperable protocol design.

1.3. Protocol Flow

Initial Access Token vs. Software Statement: In my opinion, those 
concepts are two different ways to authorize client registration. 
Although there are the typical differences between tokens and assertions 
(such as opaque content vs. defined syntax), I feel software statements 
could supersede initial access tokens.

2.  Client Metadata

"redirect_uris  ...  It is
       RECOMMENDED that clients using these flows register this
       parameter, and an authorization server SHOULD require ..."

I consider this a rather weak statement - does this foster interop? Why 
not requiring registration of redirect_uris for all clients using 
web-based grant types.

last paragraph:
"If the same client metadata name is present in both
    locations, the value in the software statement SHOULD take

why not MUST?

3.  Software Statement

Is there a need to require a certain signature method for JWTs used as 
software statement (interop)? JWT itself requires "HMAC" and "none", 
which both are of no or limited value in this context. RSA is just 
recommended by the JWT spec.


"If a software statement was used as part of the registration, its
    value SHOULD be returned in the response and its value MUST be
    returned if the authorization server supports registration management
    operations [OAuth.Registration.Management] that would require its
    presence in subsequent operations."

I don't get the connection between software statements and the 
management API. In the management API spec, I only found a reference to 
software statements in the introduction. Should this text just be removed?


error codes - invalid_client_metadata

I consider this underspecified. How is the client supposed to react if 
this error occurs? I would expect the authz server to give more detailed 
information regarding error conditions, e.g. notify the client if 
particular requested grant types are not supported. Otherwise, the 
client cannot handle those error differently.

* OAuth 2.0 Dynamic Client Registration Metadata

I would suggest to add "jwks" (as defined in 
in order to support native clients.


Am 04.04.2014 11:13, schrieb Hannes Tschofenig:
> Hi all,
> This is a Last Call for comments on the dynamic client registration
> documents:
> * OAuth 2.0 Dynamic Client Registration Core Protocol
> * OAuth 2.0 Dynamic Client Registration Metadata
> Since we have to do the last call for these two documents together we
> are setting the call for **3 weeks**.
> Please have your comments in no later than April 25th.
> Ciao
> Hannes & Derek
> _______________________________________________
> OAuth mailing list