Re: [OAUTH-WG] Dynamic Client Registration

"Richer, Justin P." <> Sun, 03 November 2013 21:42 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 185B421E80BD for <>; Sun, 3 Nov 2013 13:42:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.422
X-Spam-Status: No, score=-6.422 tagged_above=-999 required=5 tests=[AWL=0.177, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VtvDSmoboWHl for <>; Sun, 3 Nov 2013 13:42:23 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 0A19711E8123 for <>; Sun, 3 Nov 2013 13:42:23 -0800 (PST)
Received: from (localhost.localdomain []) by localhost (Postfix) with SMTP id 6FB201F0323; Sun, 3 Nov 2013 16:42:22 -0500 (EST)
Received: from IMCCAS04.MITRE.ORG ( []) by (Postfix) with ESMTP id B12391F029C; Sun, 3 Nov 2013 16:42:21 -0500 (EST)
Received: from IMCMBX01.MITRE.ORG ([]) by IMCCAS04.MITRE.ORG ([]) with mapi id 14.03.0158.001; Sun, 3 Nov 2013 16:42:21 -0500
From: "Richer, Justin P." <>
To: Hannes Tschofenig <>
Thread-Topic: [OAUTH-WG] Dynamic Client Registration
Thread-Index: AQHO17VpgVm3wOfIFkiR4ENfx3W3lg==
Date: Sun, 3 Nov 2013 21:42:20 +0000
Message-ID: <>
References: <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: " WG" <>
Subject: Re: [OAUTH-WG] Dynamic Client Registration
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 03 Nov 2013 21:42:28 -0000


I think that your proposed path forward is reasonable, and it fits with the mentality I've always held that we can build this with reusable blocks to fit many different use cases. 

For what it's worth, I think that if people want a SCIM-based management profile then it should be published and handled in the SCIM working group so that it can track with the SCIM spec (which is still changing). In my opinion, there is plenty of value of having a non-SCIM RESTful API for everyone who wants to manage the objects but not implement all of SCIM. We can define that API here.

 -- Justin

On Nov 3, 2013, at 1:27 AM, Hannes Tschofenig <> wrote:

> Thanks for sharing your perspective, Justin.
> This is a good summary of the use cases in the appendix of
> draft-richer-oauth-dyn-reg-core-00 and draft-ietf-oauth-dyn-reg-14. The text in the appendix is more focuses on the technical aspects but I believe the main difference really is in the user/developer experience in those use cases, which you have summarized in this mail. I
> wonder whether it would make sense to include this brief summary of the
> use cases in the introduction section of the document (and point to the
> more detailed writeup in the appendix).
> Read through the document I have been to find out what the disconnect in
> the group has been and my only idea was that it might have something to
> do with the focus on different scenarios. If that's not the case then I
> really don't know.
> Since I am interested to make some progress on this area I am curious
> about what could be done.
> Here is what I believe I see:
> * We have the core specification (with is with
> draft-richer-oauth-dyn-reg-core-00 quite stripped down to focus on the
> interaction with the registration endpoint)
> * We have the software statements document
> <draft-hunt-oauth-software-statement-00>, which are a step that happens
> before the registration interaction kicks in. I see this as an
> independent specification that can easily be run before the steps
> outlined in
> draft-richer-oauth-dyn-reg-core-00
> * We have two approaches for managing registration information, namely
> draft-richer-oauth-dyn-reg-management and
> draft-hunt-oauth-scim-client-reg-00 (whereby the latter uses SCIM as a
> baseline and the former doesn't). I understand the argument that someone
> who already implements SCIM might as well want to re-use it. Of course,
> if you don't use SCIM then that argument does not get you too far. In
> that sense, I could imagine both being valid approach (with suitability
> for different environments). What I would like to see is how different
> they are with their on-the-wire behavior since both are supposed to be
> RESTful APIs
> * Finally, there was this worry about the stateless nature of the AS
> (with respect to the clients and their client ids). John had produced an
> interesting writeup to illustrate that you can accomplish the goal with
> the current OAuth 2.0 spec when you construct the client-id in a special
> way.
> A path forward could be to
> * go ahead with draft-richer-oauth-dyn-reg-core-00 (with minor updates
> to create the link to the other documents, such as the software statement).
> * publish the software statement document
> * for the approach of managing registration requires a bit of analysis
> to see whether the two approaches are indeed that different. If they are
> indeed very different then it might make sense to publish both. However,
> if they are not that different then we need to make a decision what we
> want to go further with. We don't need two specifications that are
> almost identical
> * I also think we should publish
> draft-bradley-stateless-oauth-client-00 as an informational document
> since it seems to be something that people worry about and the document
> illustrates how to accomplish the desired functionality without
> normative changes to the OAuth 2.0 protocol.
> Ciao
> Hannes
> Am 03.11.13 05:28, schrieb Richer, Justin P.:
>> Hannes,
>> There are a number of major use cases and expectations that I've kept
>> in mind throughout the development of this protocol. Some of the
>> fallout of this is captured in appendix B of the current draft, but
>> I'd be happy to write them out here:
>> First, the use cases of OpenID Connect and UMA are driving factors,
>> which shouldn't be surprising since the draft that we have now came
>> into existence by combining the UMA dynamic registration draft (which
>> started its life over 3 years ago now) and the OpenID Connect dynamic
>> registration draft (which is at least 2 years old). In both of these
>> cases, the trust starts at the end user, who effectively makes the
>> introductions between the different components. For example, in
>> Connect's fully open and distributed mode, the end user types in a
>> web finger address at the RP to point to an IdP that the RP's
>> potentially never heard of. That RP needs to be able to talk to that
>> IdP in real time, while the user is still there. Likewise in UMA, the
>> end user points the client at the API which discovers the AS. Any
>> kind of step that requires a system administrator or developer to be
>> involved is a dead stop for the fully distributed cases of these
>> protocols, since the whole point is to *automate* the process of
>> registration. The case is even more clear with BlueButton+, a
>> healthcare data access protocol, where the end user is the patient.
>> The patient has the right and ability to connect their health care
>> provider's API (protected by the provider's AS) to a client of the
>> patient's choosing, even if the provider or the provider's software
>> vendor has never heard of the client software before.
>> That said, there's a "more trusted" middle ground where you get
>> authorized to call the registration endpoint, and you can show that
>> by presenting an initial access token as part of that request. We've
>> taken that mechanism with BlueButton+ and defined our own initial
>> access token as a signed JWT assertion presented as a bearer
>> assertion. (There's also a discovery protocol in BB+ that defines how
>> the AS can validate the assertion.) Large providers, like the Googles
>> and Facebooks of the world, like to have a relationship with the
>> developer ahead of time. The developer is effectively issued an
>> access token to tie their clients back to the developer's account.
>> There can be a problem with this though, and it's important to think
>> of the dynamic registration from two perspectives:
>> From the perspective of the AS, the protocol is all about introducing
>> new clients. In this view, you've got an AS with lots of different
>> client applications trying to talk to it. These might be many copies
>> of the same code base, or many different code bases, but each
>> instance needs to be able to present a client_id and client_secret
>> (or equivalent authentication) that the AS can recognize. In an
>> enterprise, it's common to think from this perspective because it's
>> usually the enterprise that's rolling out the AS and wanting to
>> provide access to a published API to a bunch of clients that may or
>> may not be known ahead of time.
>> From the perspective of the client (which is really to say, an
>> instance of a client), the protocol is all about introducing the
>> client to a bunch of different auth servers. This is usually the case
>> when you've got an "open" API, like OIDC, that may be hosted by any
>> number of unknown parties that need to be discovered at runtime. One
>> client can talk to a number of different instantiations of this same
>> API. This perspective often gets lost when people talk about
>> deploying auth servers (especially the large internet providers) or
>> having some kind of trusted registration, like what Google wants to
>> do with giving developers access tokens. However, I think that this
>> perspective is going to become more important as we have more
>> widespread common APIs and better service discovery systems.  Note
>> that in BB+ we have both open and trusted registrations, with the
>> open registrations MTI.
>> Extensibility of the base draft is also a very important
>> consideration to me. OAuth works because it's a set of composable
>> blocks that can be brought together to solve a wide variety of
>> problems. As such, it's important that the client's metadata be
>> safely and easily extensible so that specific protocols being
>> protected by OAuth (like Connect or Blue Button) can easily define
>> protocol-specific client aspects. This would also be the logical
>> place to inject Phil's proposed software statement, as an extension
>> to the client's presented metadata and a means for protecting
>> particular fields with a signature. Additionally, since OAuth has
>> many different methods of clients authenticating, the draft defines a
>> registry to allow for specific OAuth-protected protocols and systems
>> to define different auth methods, like Connect's private_key_jwt and
>> client_secret_jwt methods that are more specific to how Connect
>> defines its interactions. I'm sure there will be other methods in the
>> future, too.
>> Finally, the ability of the client to manage the metadata that's
>> attached to a client_id over time is important in some use cases.
>> Fundamentally, the registration process is the "Create" verb, and the
>> "Read/Update/Delete" verbs are a short step after that to implement.
>> It's become clear to me that if your authorization servers are fully
>> stateless, or if you believe that all of the metadata properties of a
>> given client (or even piece of software with multiple instances),
>> then the management API doesn't make any sense. However, neither of
>> these assumptions are universal, and with the right components, we
>> can have a system that can be composed in different ways to fit all
>> of these use cases.
>> -- Justin
>> On Nov 2, 2013, at 6:21 AM, Hannes Tschofenig
>> <> wrote:
>>> Hi all,
>>> reading througth various dynamic client registration document I get
>>> the impression that there is one area of potential disconnect,
>>> namely in the end user / developer experience.
>>> When OpenID started this concept that a random IdP could talk to a
>>> random RP it seemed like a great idea. There was no need to
>>> exchange secrets and go through this complicated introduction
>>> process between the different parties, which sometimes even
>>> required business argeements. Those processes were known from
>>> Kerberos and also from the SAML identity federations.
>>> OpenID looked at the entire step from a technical point of view in
>>> an attempt to exchange the necessary information and then you were
>>> done with it.
>>> However, there was a bit more to this whole process, namely the
>>> entire notion of trust. In particular, there was the problem that
>>> the IdP would hand out information (personal data) to RPs only
>>> based on the user's consent. Of course, things could go wrong and
>>> some RPs misused the data given by the RP. The IdP couldn't really
>>> do anything about that since it knew nothing about the developer at
>>> the RP or the RP itself.
>>> So, how does the IdP ensure that it has some way to improve
>>> security and privacy of their users without handing out just
>>> everything. Of course, the IdP had it's own interest to know to
>>> know data is being passed to.
>>> Jumping to OAuth many deployments required developers to register
>>> and this registration procedure might require lots of information
>>> (such as credit card number, phone number, agreeing the terms of
>>> service, etc.). So, in many cases it wasn't purely about giving the
>>> developer a client-id and a shared secret for the client
>>> application.
>>> Now, here is the challenge: there are obviously different
>>> environments developers produce software for (such as the Web, the
>>> mobile app eco-system, and enterprise environments). They might all
>>> have different processes and expectations about the entire
>>> process.
>>> We have pretty much short-cut the entire story to the purely
>>> technical parts, namely to sending messages around and defining new
>>> attributes and have done very little in describing the process
>>> itself that we assume takes place.
>>> I know that you have these processes in your head when you write
>>> your documents and in discussions I have heard about these
>>> processes. Unfortunately, they aren't really documented anywhere. I
>>> guess it is needless to say that the expectations about how
>>> enterprises plan to deploy software vs. how the same is done for
>>> the Web is somewhat different.
>>> So, I believe it is useful to chat about these aspects even though
>>> they may just lead to a few paragraphs in our documents providing
>>> background information rather than actual normative specification
>>> text.
>>> Ciao Hannes _______________________________________________ OAuth
>>> mailing list