Re: [Txauth] Registered Clients and Dynamic Clients

Dick Hardt <> Wed, 15 July 2020 17:18 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 572993A0B24 for <>; Wed, 15 Jul 2020 10:18:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id nuhgEIuIzT6g for <>; Wed, 15 Jul 2020 10:18:14 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BCD3D3A0FB2 for <>; Wed, 15 Jul 2020 10:17:52 -0700 (PDT)
Received: by with SMTP id h22so3431626lji.9 for <>; Wed, 15 Jul 2020 10:17:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GsERo1vBCm1Ofoh4/nLQoJa4ydniNH4OiX7pKHpbnOo=; b=rJyzVeMQKY6+IRPtzxj54Sq7KkaF9OgHPrDXUNLr/50+vHwZAmw62VeOsFN/NFBqkL qARnc7R6njl/sAK6k4kfQC5D5xS4ztzgELmvaozk5uot0ELxVsgE47TZ3BtX9TeV3i1l 4LKJeh+udUAXVroGVgwQdd2N6pW9E2Bs+4evkt436SY8eg+fGE0Sx3qwFYXSHrDNSmR4 R3Hx8Aq6sd/5z4oxlGr4QPnwoCuDI2Je1Vk7gPHIVNRkmXXwJp9Vb9HWSlVu3VxcpBWh WYhSmb/t01bENm+GLe6PeRuYCVaCtK4FhsWmPOKXXo7WYG8d282Rcsn/MoJnTDAN8mMC GmSg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GsERo1vBCm1Ofoh4/nLQoJa4ydniNH4OiX7pKHpbnOo=; b=hNe1T9d9/Rm2xBuUFxaMNrfOguQ3z3rm5y+ePrckEi8mijLpuMVjLT209xJZqjwf5l dbbOaqvxt6dHTMlUnJgnb7YCzj6SlDt3Q5KlLikC2lVH/FFSpQGriVdDsFDQ3Hiy66AR yb5eyUsTKmeBoKzHTFFbV+UrpNcowvvK2nXWO7apO2IQxOq55c5K8ymA6nrUSCfy3+rw WLiKtboMjIa7L4CzOuXE0kKdeAG85oiw4w6UwDZeMe8BcAMLxIyNApJjbuuzBhcpqkGt lkvzV1i5o5b3Wc7cak3VJM9CA9FSP0G6k/R9LPb6xJdji97E/EZoV8lJIpSQguKHT/be Zapw==
X-Gm-Message-State: AOAM533VrmNQP1jaD8jaJEsLsAPMQzztEF8Nhk/e8HxRrOsgmoyB8yZ1 26Iqlgl0/liFU8HnPCaobkHGyOB+xnXsQzX5R1QIQ/MR
X-Google-Smtp-Source: ABdhPJyQyahOhVbt3anAuQX/ZyArGLSjY+PEi7AQExL3X/1TxFZIlE78+I/R2p1OSIAR6PaXvXDARhfXgdMKR3epTgc=
X-Received: by 2002:a2e:b70b:: with SMTP id j11mr93269ljo.142.1594833470556; Wed, 15 Jul 2020 10:17:50 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Dick Hardt <>
Date: Wed, 15 Jul 2020 10:17:14 -0700
Message-ID: <>
To: Denis <>
Cc: "" <>
Content-Type: multipart/alternative; boundary="0000000000007d0fac05aa7e1ab0"
Archived-At: <>
Subject: Re: [Txauth] Registered Clients and Dynamic Clients
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 15 Jul 2020 17:18:15 -0000

On Wed, Jul 15, 2020 at 10:04 AM Denis <> wrote:

> Hello Dick,
> I am puzzled with the two following definitions in
> draft-hardt-xauth-protocol-13 :
>       *Registered Client* - a Client that has registered with the GS and
> has a Client ID to identify itself, and
>        can prove it possesses a key that is linked to the Client ID.  The
> GS may have different policies for what
>        different Registered Clients can request.  A Registered Client MAY
> be interacting with a User.
> [Denis]  I interpret the last sentence in the following way: A Registered
> Client may be either an Application or a User.
>              Is it correct ?

No. A Registered Client MAY be interacting with a User, or it MAY not. IE,
a Registered Client may be a service.

>       *Dynamic Client* - a Client that has not been previously registered
> with the GS, and each instance will generate
>        it’s own asymmetric key pair so it can prove it is the same
> instance of the Client on subsequent requests. The GS
>        MAY return a Dynamic Client a Client Handle for the Client to
> identify itself in subsequent requests. A single-page
>        application with no active server component is an example of a
> Dynamic Client. A Dynamic Client MUST be interacting
>        with a User.
> [Denis] The draft does not include any other explanation for the reason
> to support the so-called "Dynamic Clients".
>             While I can understand the value to use a temporary key pair
> for a given RS, I can't understand the value for a GS
>             to support unknown clients. If a GS knows nothing about a
> so-called "Dynamic Client", then it will not be able to deliver
>             any user attribute into an access token to such client.

More of an explanation of Dynamic Clients is a good call out, thanks!

A Dynamic Client MUST be interacting with a User, as "trust" of the Client
is done by the User. A Single Page Application (SPA) or a mobile app are
examples of clients that cannot have a shared secret, but can generate and
keep secure their own key pair..

As suggested in another thread, GNAP could support Clients that are between
these two extremes. Mike called out automatic registration per OpenID
Connect Federation as one example. Other options include a "software
statement" passed from the Client to the GS.

We may want to revisit the terms "Registered Client" and "Dynamic Client"
as we broaden the mechanisms for Clients to "register" with a GS, but these
are the common cases today, so I picked them.


> Denis