draft-ietf-oauth-dyn-reg-23.txt   draft-ietf-oauth-dyn-reg-24.txt 
OAuth Working Group J. Richer, Ed. OAuth Working Group J. Richer, Ed.
Internet-Draft Internet-Draft
Intended status: Standards Track M. Jones Intended status: Standards Track M. Jones
Expires: August 13, 2015 Microsoft Expires: August 24, 2015 Microsoft
J. Bradley J. Bradley
Ping Identity Ping Identity
M. Machulak M. Machulak
Newcastle University Newcastle University
P. Hunt P. Hunt
Oracle Corporation Oracle Corporation
February 9, 2015 February 20, 2015
OAuth 2.0 Dynamic Client Registration Protocol OAuth 2.0 Dynamic Client Registration Protocol
draft-ietf-oauth-dyn-reg-23 draft-ietf-oauth-dyn-reg-24
Abstract Abstract
This specification defines mechanisms for dynamically registering This specification defines mechanisms for dynamically registering
OAuth 2.0 clients with authorization servers. Registration requests OAuth 2.0 clients with authorization servers. Registration requests
send a set of desired client metadata values to the authorization send a set of desired client metadata values to the authorization
server. The resulting registration responses return a client server. The resulting registration responses return a client
identifier to use at the authorization server and the client metadata identifier to use at the authorization server and the client metadata
values registered for the client. The client can then use this values registered for the client. The client can then use this
registration information to communicate with the authorization server registration information to communicate with the authorization server
skipping to change at page 1, line 46 skipping to change at page 1, line 46
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 13, 2015. This Internet-Draft will expire on August 24, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 28 skipping to change at page 2, line 28
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Notational Conventions . . . . . . . . . . . . . . . . . 4 1.1. Notational Conventions . . . . . . . . . . . . . . . . . 4
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
1.3. Protocol Flow . . . . . . . . . . . . . . . . . . . . . . 5 1.3. Protocol Flow . . . . . . . . . . . . . . . . . . . . . . 5
2. Client Metadata . . . . . . . . . . . . . . . . . . . . . . . 6 2. Client Metadata . . . . . . . . . . . . . . . . . . . . . . . 6
2.1. Relationship between Grant Types and Response Types . . . 10 2.1. Relationship between Grant Types and Response Types . . . 10
2.2. Human Readable Client Metadata . . . . . . . . . . . . . 11 2.2. Human-Readable Client Metadata . . . . . . . . . . . . . 11
2.3. Software Statement . . . . . . . . . . . . . . . . . . . 12 2.3. Software Statement . . . . . . . . . . . . . . . . . . . 12
3. Client Registration Endpoint . . . . . . . . . . . . . . . . 13 3. Client Registration Endpoint . . . . . . . . . . . . . . . . 13
3.1. Client Registration Request . . . . . . . . . . . . . . . 14 3.1. Client Registration Request . . . . . . . . . . . . . . . 14
3.1.1. Client Registration Request Using a Software 3.1.1. Client Registration Request Using a Software
Statement . . . . . . . . . . . . . . . . . . . . . . 15 Statement . . . . . . . . . . . . . . . . . . . . . . 16
3.2. Responses . . . . . . . . . . . . . . . . . . . . . . . . 16 3.2. Responses . . . . . . . . . . . . . . . . . . . . . . . . 17
3.2.1. Client Information Response . . . . . . . . . . . . . 16 3.2.1. Client Information Response . . . . . . . . . . . . . 17
3.2.2. Client Registration Error Response . . . . . . . . . 18 3.2.2. Client Registration Error Response . . . . . . . . . 19
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21
4.1. OAuth Dynamic Registration Client Metadata Registry . . . 20 4.1. OAuth Dynamic Registration Client Metadata Registry . . . 21
4.1.1. Registration Template . . . . . . . . . . . . . . . . 20 4.1.1. Registration Template . . . . . . . . . . . . . . . . 21
4.1.2. Initial Registry Contents . . . . . . . . . . . . . . 21 4.1.2. Initial Registry Contents . . . . . . . . . . . . . . 22
4.2. OAuth Token Endpoint Authentication Methods Registry . . 23 4.2. OAuth Token Endpoint Authentication Methods Registry . . 24
4.2.1. Registration Template . . . . . . . . . . . . . . . . 24 4.2.1. Registration Template . . . . . . . . . . . . . . . . 25
4.2.2. Initial Registry Contents . . . . . . . . . . . . . . 24 4.2.2. Initial Registry Contents . . . . . . . . . . . . . . 25
5. Security Considerations . . . . . . . . . . . . . . . . . . . 24 5. Security Considerations . . . . . . . . . . . . . . . . . . . 25
6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 27 6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 28
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 28 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 29
7.1. Normative References . . . . . . . . . . . . . . . . . . 28 7.1. Normative References . . . . . . . . . . . . . . . . . . 29
7.2. Informative References . . . . . . . . . . . . . . . . . 29 7.2. Informative References . . . . . . . . . . . . . . . . . 31
Appendix A. Use Cases . . . . . . . . . . . . . . . . . . . . . 29 Appendix A. Use Cases . . . . . . . . . . . . . . . . . . . . . 31
A.1. Open versus Protected Dynamic Client Registration . . . . 29 A.1. Open versus Protected Dynamic Client Registration . . . . 31
A.1.1. Open Dynamic Client Registration . . . . . . . . . . 30 A.1.1. Open Dynamic Client Registration . . . . . . . . . . 31
A.1.2. Protected Dynamic Client Registration . . . . . . . . 30 A.1.2. Protected Dynamic Client Registration . . . . . . . . 31
A.2. Registration Without or With Software Statements . . . . 30 A.2. Registration Without or With Software Statements . . . . 32
A.2.1. Registration Without a Software Statement . . . . . . 30 A.2.1. Registration Without a Software Statement . . . . . . 32
A.2.2. Registration With a Software Statement . . . . . . . 30 A.2.2. Registration With a Software Statement . . . . . . . 32
A.3. Registration by the Client or Developer . . . . . . . . . 30 A.3. Registration by the Client or Developer . . . . . . . . . 32
A.3.1. Registration by the Client . . . . . . . . . . . . . 30 A.3.1. Registration by the Client . . . . . . . . . . . . . 32
A.3.2. Registration by the Developer . . . . . . . . . . . . 31 A.3.2. Registration by the Developer . . . . . . . . . . . . 32
A.4. Client ID per Client Instance or per Client Software . . 31 A.4. Client ID per Client Instance or per Client Software . . 32
A.4.1. Client ID per Client Software Instance . . . . . . . 31 A.4.1. Client ID per Client Software Instance . . . . . . . 32
A.4.2. Client ID Shared Among All Instances of Client A.4.2. Client ID Shared Among All Instances of Client
Software . . . . . . . . . . . . . . . . . . . . . . 31 Software . . . . . . . . . . . . . . . . . . . . . . 33
A.5. Stateful or Stateless Registration . . . . . . . . . . . 31 A.5. Stateful or Stateless Registration . . . . . . . . . . . 33
A.5.1. Stateful Client Registration . . . . . . . . . . . . 31 A.5.1. Stateful Client Registration . . . . . . . . . . . . 33
A.5.2. Stateless Client Registration . . . . . . . . . . . . 32 A.5.2. Stateless Client Registration . . . . . . . . . . . . 33
Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 32 Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 33
Appendix C. Document History . . . . . . . . . . . . . . . . . . 32 Appendix C. Document History . . . . . . . . . . . . . . . . . . 34
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 37 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39
1. Introduction 1. Introduction
In order for an OAuth 2.0 client to utilize an OAuth 2.0 In order for an OAuth 2.0 client to utilize an OAuth 2.0
authorization server, the client needs specific information to authorization server, the client needs specific information to
interact with the server, including an OAuth 2.0 client identifier to interact with the server, including an OAuth 2.0 client identifier to
use at that server. This specification describes how an OAuth 2.0 use at that server. This specification describes how an OAuth 2.0
client can be dynamically registered with an authorization server to client can be dynamically registered with an authorization server to
obtain this information. obtain this information.
skipping to change at page 4, line 26 skipping to change at page 4, line 26
This specification uses the terms "access token", "authorization This specification uses the terms "access token", "authorization
code", "authorization endpoint", "authorization grant", code", "authorization endpoint", "authorization grant",
"authorization server", "client", "client identifier", "client "authorization server", "client", "client identifier", "client
secret", "grant type", "protected resource", "redirection URI", secret", "grant type", "protected resource", "redirection URI",
"refresh token", "resource owner", "resource server", "response "refresh token", "resource owner", "resource server", "response
type", and "token endpoint" defined by OAuth 2.0 [RFC6749] and uses type", and "token endpoint" defined by OAuth 2.0 [RFC6749] and uses
the term "Claim" defined by JSON Web Token (JWT) [JWT]. the term "Claim" defined by JSON Web Token (JWT) [JWT].
This specification defines the following terms: This specification defines the following terms:
Client Developer
The person or organization that builds a client software package
and prepares it for distribution.
Client Instance
A deployed instance of a piece of client software.
Client Software Client Software
Software implementing an OAuth 2.0 client. Software implementing an OAuth 2.0 client.
Client Instance
A deployed instance of a piece of client software.
Client Developer
The person or organization that builds a client software package
and prepares it for distribution. At the time of building the
client, the developer is often not aware of who the deploying
service provider organizations will be. Client developers will
need to use dynamic registration when they are unable to predict
aspects of the software, such as the deployment URLs, at compile
time. For instance, this can occur when the software API
publisher and the deploying organization are not the same.
Client Registration Endpoint Client Registration Endpoint
OAuth 2.0 endpoint through which a client can be registered at an OAuth 2.0 endpoint through which a client can be registered at an
authorization server. The means by which the URL for this authorization server. The means by which the URL for this
endpoint is obtained are out of scope for this specification. endpoint is obtained are out of scope for this specification.
Initial Access Token Initial Access Token
OAuth 2.0 access token optionally issued by an authorization OAuth 2.0 access token optionally issued by an authorization
server to a developer or client and used to authorize calls to the server to a developer or client and used to authorize calls to the
client registration endpoint. The type and format of this token client registration endpoint. The type and format of this token
are likely service-specific and are out of scope for this are likely service-specific and are out of scope for this
specification. The means by which the authorization server issues specification. The means by which the authorization server issues
skipping to change at page 4, line 47 skipping to change at page 5, line 4
Initial Access Token Initial Access Token
OAuth 2.0 access token optionally issued by an authorization OAuth 2.0 access token optionally issued by an authorization
server to a developer or client and used to authorize calls to the server to a developer or client and used to authorize calls to the
client registration endpoint. The type and format of this token client registration endpoint. The type and format of this token
are likely service-specific and are out of scope for this are likely service-specific and are out of scope for this
specification. The means by which the authorization server issues specification. The means by which the authorization server issues
this token as well as the means by which the registration endpoint this token as well as the means by which the registration endpoint
validates this token are out of scope for this specification. Use validates this token are out of scope for this specification. Use
of an initial access token is required when the authorization of an initial access token is required when the authorization
server limits the parties that can register a client. server limits the parties that can register a client.
Deployment Organization Deployment Organization
An administrative security domain under which a software API is An administrative security domain under which a software API
deployed and protected by an OAuth 2.0 framework. In simple cloud (service) is deployed and protected by an OAuth 2.0 framework. In
deployments, the software API publisher and the deployment some OAuth scenarios, the deployment organization and the software
organization may be the same. In other scenarios, a software API publisher are the same. In these cases, the deploying
publisher may be working with many different deployment organization will often have a close relationship with client
organizations. software developers. In many other cases, the definer of the
service may be an independent third-party publisher or a standards
organization. When working to a published specification for an
API, the client software developer is unable to have a prior
relationship with the potentially many deployment organizations
deploying the software API (service).
Software API Deployment Software API Deployment
A deployed instance of a software API that is protected by OAuth A deployed instance of a software API that is protected by OAuth
2.0 in a particular deployment organization domain. For any 2.0 (a protected resource) in a particular deployment organization
particular software API, there may be one or more deployments. A domain. For any particular software API, there may be one or more
software API deployment typically has an associated OAuth 2.0 deployments. A software API deployment typically has an
authorization server as well as a client registration endpoint. associated OAuth 2.0 authorization server as well as a client
The means by which endpoints are obtained are out of scope for registration endpoint. The means by which endpoints are obtained
this specification. are out of scope for this specification.
Software API Publisher Software API Publisher
The organization that defines a particular web accessible API that The organization that defines a particular web accessible API that
may deployed in one or more deployment environments. A publisher may be deployed in one or more deployment environments. A
may be any commercial, public, private, or open source publisher may be any standards body, commercial, public, private,
organization that is responsible for publishing and distributing or open source organization that is responsible for publishing and
software that may be protected via OAuth 2.0. In some cases a distributing software and API specifications that may be protected
software API publisher and a client developer may be the same via OAuth 2.0. In some cases, a software API publisher and a
organization. client developer may be the same organization. At the time of
publication of a web accessible API, the software publisher often
does not have a prior relationship with the deploying
organizations.
Software Statement Software Statement
Digitally signed or MACed JSON Web Token (JWT) [JWT] that asserts Digitally signed or MACed JSON Web Token (JWT) [JWT] that asserts
metadata values about the client software. In some cases, a metadata values about the client software. In some cases, a
software statement will be issued directly by the client software statement will be issued directly by the client
developer. In other cases, a software statement will be issued by developer. In other cases, a software statement will be issued by
a third party organization for use by the client developer. In a third party organization for use by the client developer. In
both cases, the trust relationship the authorization server has both cases, the trust relationship the authorization server has
with the issuer of the software statement is intended to be used with the issuer of the software statement is intended to be used
as an input to the evaluation of whether the registration request as an input to the evaluation of whether the registration request
is accepted. A software statement can be presented to an is accepted. A software statement can be presented to an
skipping to change at page 8, line 20 skipping to change at page 8, line 33
Section 4.2. Section 4.2.
If the authorization endpoint is used by the grant type, the value If the authorization endpoint is used by the grant type, the value
of this parameter MUST be the same as the value of the of this parameter MUST be the same as the value of the
"response_type" parameter passed to the authorization endpoint "response_type" parameter passed to the authorization endpoint
defined in the grant type definition. Authorization servers MAY defined in the grant type definition. Authorization servers MAY
allow for other values as defined in the grant type extension allow for other values as defined in the grant type extension
process is described in OAuth 2.0 Section 2.5. If omitted, the process is described in OAuth 2.0 Section 2.5. If omitted, the
default is that the client will use only the "code" response type. default is that the client will use only the "code" response type.
client_name client_name
Human-readable name of the client to be presented to the user Human-readable name of the client to be presented to the end-user
during authorization. If omitted, the authorization server MAY during authorization. If omitted, the authorization server MAY
display the raw "client_id" value to the user instead. It is display the raw "client_id" value to the end-user instead. It is
RECOMMENDED that clients always send this field. The value of RECOMMENDED that clients always send this field. The value of
this field MAY be internationalized, as described in Section 2.2. this field MAY be internationalized, as described in Section 2.2.
client_uri client_uri
URL of a web page providing information about the client. If URL of a web page providing information about the client. If
present, the server SHOULD display this URL to the end user in a present, the server SHOULD display this URL to the end-user in a
clickable fashion. It is RECOMMENDED that clients always send clickable fashion. It is RECOMMENDED that clients always send
this field. The value of this field MUST point to a valid web this field. The value of this field MUST point to a valid web
page. The value of this field MAY be internationalized, as page. The value of this field MAY be internationalized, as
described in Section 2.2. described in Section 2.2.
logo_uri logo_uri
URL that references a logo for the client. If present, the server URL that references a logo for the client. If present, the server
SHOULD display this image to the end user during approval. The SHOULD display this image to the end-user during approval. The
value of this field MUST point to a valid image file. The value value of this field MUST point to a valid image file. The value
of this field MAY be internationalized, as described in of this field MAY be internationalized, as described in
Section 2.2. Section 2.2.
scope scope
Space separated list of scope values (as described in Section 3.3 Space separated list of scope values (as described in Section 3.3
of OAuth 2.0 [RFC6749]) that the client can use when requesting of OAuth 2.0 [RFC6749]) that the client can use when requesting
access tokens. The semantics of values in this list is service access tokens. The semantics of values in this list is service
specific. If omitted, an authorization server MAY register a specific. If omitted, an authorization server MAY register a
client with a default set of scopes. client with a default set of scopes.
contacts contacts
Array of strings representing ways to contact people responsible Array of strings representing ways to contact people responsible
for this client, typically email addresses. The authorization for this client, typically email addresses. The authorization
server MAY make these addresses available to end users for support server MAY make these contact addresses available to end-users for
requests for the client. support requests for the client. See Section 6 for information on
Privacy Considerations.
tos_uri tos_uri
URL that points to a human-readable terms of service document for URL that points to a human-readable terms of service document for
the client that describes a contractual relationship between the the client that describes a contractual relationship between the
end-user and the client that the end-user accepts when authorizing end-user and the client that the end-user accepts when authorizing
the client. The authorization server SHOULD display this URL to the client. The authorization server SHOULD display this URL to
the end-user if it is provided. The value of this field MUST the end-user if it is provided. The value of this field MUST
point to a valid web page. The value of this field MAY be point to a valid web page. The value of this field MAY be
internationalized, as described in Section 2.2. internationalized, as described in Section 2.2.
policy_uri policy_uri
URL that points to a human-readable privacy policy document that URL that points to a human-readable privacy policy document that
skipping to change at page 9, line 37 skipping to change at page 10, line 4
jwks jwks
Client's JSON Web Key Set [JWK] document value, which contains the Client's JSON Web Key Set [JWK] document value, which contains the
client's public keys. The value of this field MUST be a JSON client's public keys. The value of this field MUST be a JSON
object containing a valid JWK Set. These keys can be used by object containing a valid JWK Set. These keys can be used by
higher level protocols that use signing or encryption. This higher level protocols that use signing or encryption. This
parameter is intended to be used by clients that cannot use the parameter is intended to be used by clients that cannot use the
"jwks_uri" parameter, such as native clients that cannot host "jwks_uri" parameter, such as native clients that cannot host
public URLs. The "jwks_uri" and "jwks" parameters MUST NOT both public URLs. The "jwks_uri" and "jwks" parameters MUST NOT both
be present in the same request or response. be present in the same request or response.
software_id software_id
Identifier for the software that comprises a client. Unlike A unique identifier (e.g. a UUID) assigned by the client developer
"client_id", which is issued by the authorization server and may or software publisher used by registration endpoints to identify
vary between instances, the "software_id" is asserted by the the client software to be dynamically registered. Unlike
client software on behalf of the software developer and is "client_id", which is issued by the authorization server and
intended to be shared among all instances of the client software. SHOULD vary between instances, the "software_id" SHOULD remain the
The identifier SHOULD NOT change when software version changes or same for all instances of the client software. The "software_id"
when a new installation occurs. SHOULD remain the same across multiple updates or versions of the
same piece of software. The value of this field is not intended
to be human-readable and is usually opaque to the client and
authorization server.
software_version software_version
Version identifier for the software that comprises a client. The A version identifier for the client software identified by
value of this field is a string that is intended to be compared "software_id". The value of the "software_version" SHOULD change
using string equality matching. The value of the on any update to the client software identified by the same
"software_version" SHOULD change on any update to the client "software_id". The value of this field is a string that is
software. intended to be compared using string equality matching. The value
of this field is not intended to be human readable and is usually
opaque to the client and authorization server.
Extensions and profiles of this specification MAY expand this list. Extensions and profiles of this specification MAY expand this list.
The authorization server MUST ignore any client metadata values sent The authorization server MUST ignore any client metadata values sent
by the client that it does not understand. by the client that it does not understand.
Client metadata values can either be communicated directly in the Client metadata values can either be communicated directly in the
body of a registration request, as described in Section 3.1, or body of a registration request, as described in Section 3.1, or
included as claims in a software statement, as described in included as claims in a software statement, as described in
Section 2.3, or a mixture of both. If the same client metadata name Section 2.3, or a mixture of both. If the same client metadata name
is present in both locations and the software statement is trusted by is present in both locations and the software statement is trusted by
skipping to change at page 11, line 5 skipping to change at page 11, line 22
| client_credentials | (none) | | client_credentials | (none) |
| refresh_token | (none) | | refresh_token | (none) |
| urn:ietf:params:oauth:grant-type:jwt-bearer | (none) | | urn:ietf:params:oauth:grant-type:jwt-bearer | (none) |
| urn:ietf:params:oauth:grant-type:saml2-bearer | (none) | | urn:ietf:params:oauth:grant-type:saml2-bearer | (none) |
+-----------------------------------------------+-------------------+ +-----------------------------------------------+-------------------+
Extensions and profiles of this document that introduce new values to Extensions and profiles of this document that introduce new values to
either the "grant_types" or "response_types" parameter MUST document either the "grant_types" or "response_types" parameter MUST document
all correspondences between these two parameter types. all correspondences between these two parameter types.
2.2. Human Readable Client Metadata 2.2. Human-Readable Client Metadata
Human-readable client metadata values and client metadata values that Human-readable client metadata values and client metadata values that
reference human-readable values MAY be represented in multiple reference human-readable values MAY be represented in multiple
languages and scripts. For example, the values of fields such as languages and scripts. For example, the values of fields such as
"client_name", "tos_uri", "policy_uri", "logo_uri", and "client_uri" "client_name", "tos_uri", "policy_uri", "logo_uri", and "client_uri"
might have multiple locale-specific values in some client might have multiple locale-specific values in some client
registrations to facilitate use in different locations. registrations to facilitate use in different locations.
To specify the languages and scripts, BCP47 [RFC5646] language tags To specify the languages and scripts, BCP47 [RFC5646] language tags
are added to client metadata member names, delimited by a # are added to client metadata member names, delimited by a #
skipping to change at page 13, line 30 skipping to change at page 13, line 46
required in this case, are beyond the scope of this specification. required in this case, are beyond the scope of this specification.
3. Client Registration Endpoint 3. Client Registration Endpoint
The client registration endpoint is an OAuth 2.0 endpoint defined in The client registration endpoint is an OAuth 2.0 endpoint defined in
this document that is designed to allow a client to be registered this document that is designed to allow a client to be registered
with the authorization server. The client registration endpoint MUST with the authorization server. The client registration endpoint MUST
accept HTTP POST messages with request parameters encoded in the accept HTTP POST messages with request parameters encoded in the
entity body using the "application/json" format. The client entity body using the "application/json" format. The client
registration endpoint MUST be protected by a transport-layer security registration endpoint MUST be protected by a transport-layer security
mechanism, and the server MUST support TLS 1.2 RFC 5246 [RFC5246] and mechanism, as described in Section 5.
MAY support additional transport-layer mechanisms meeting its
security requirements. When using TLS, the client MUST perform a
TLS/SSL server certificate check, per RFC 6125 [RFC6125].
Implementation security considerations can be found in
Recommendations for Secure Use of TLS and DTLS [TLS.BCP].
The client registration endpoint MAY be an OAuth 2.0 protected The client registration endpoint MAY be an OAuth 2.0 protected
resource and accept an initial access token in the form of an OAuth resource and accept an initial access token in the form of an OAuth
2.0 [RFC6749] access token to limit registration to only previously 2.0 [RFC6749] access token to limit registration to only previously
authorized parties. The method by which the initial access token is authorized parties. The method by which the initial access token is
obtained by the client or developer is generally out-of-band and is obtained by the client or developer is generally out-of-band and is
out of scope for this specification. The method by which the initial out of scope for this specification. The method by which the initial
access token is verified and validated by the client registration access token is verified and validated by the client registration
endpoint is out of scope for this specification. endpoint is out of scope for this specification.
skipping to change at page 16, line 8 skipping to change at page 17, line 6
precedence over those conveyed using plain JSON elements. precedence over those conveyed using plain JSON elements.
Software statements are included in the requesting JSON object using Software statements are included in the requesting JSON object using
this OPTIONAL member: this OPTIONAL member:
software_statement software_statement
A software statement containing client metadata values about the A software statement containing client metadata values about the
client software as claims. client software as claims.
In the following example, some registration parameters are conveyed In the following example, some registration parameters are conveyed
as claims in a software statement from the example in the Section 2.3 as claims in a software statement from the example in Section 2.3,
section, while some values specific to the client instance are while some values specific to the client instance are conveyed as
conveyed as regular parameters (with line wraps within values for regular parameters (with line wraps within values for display
display purposes only): purposes only):
POST /register HTTP/1.1 POST /register HTTP/1.1
Content-Type: application/json Content-Type: application/json
Accept: application/json Accept: application/json
Host: server.example.com Host: server.example.com
{ {
"redirect_uris":[ "redirect_uris":[
"https://client.example.org/callback", "https://client.example.org/callback",
"https://client.example.org/callback2" "https://client.example.org/callback2"
skipping to change at page 25, line 9 skipping to change at page 26, line 9
Since requests to the client registration endpoint result in the Since requests to the client registration endpoint result in the
transmission of clear-text credentials (in the HTTP request and transmission of clear-text credentials (in the HTTP request and
response), the authorization server MUST require the use of a response), the authorization server MUST require the use of a
transport-layer security mechanism when sending requests to the transport-layer security mechanism when sending requests to the
registration endpoint. The server MUST support TLS 1.2 RFC 5246 registration endpoint. The server MUST support TLS 1.2 RFC 5246
[RFC5246] and MAY support additional transport-layer mechanisms [RFC5246] and MAY support additional transport-layer mechanisms
meeting its security requirements. When using TLS, the client MUST meeting its security requirements. When using TLS, the client MUST
perform a TLS/SSL server certificate check, per RFC 6125 [RFC6125]. perform a TLS/SSL server certificate check, per RFC 6125 [RFC6125].
Implementation security considerations can be found in Implementation security considerations can be found in
Recommendations for Secure Use of TLS and DTLS [TLS.BCP]. Recommendations for Secure Use of TLS and DTLS
[I-D.ietf-uta-tls-bcp].
For clients that use redirect-based grant types such as For clients that use redirect-based grant types such as
"authorization_code" and "implicit", authorization servers MUST "authorization_code" and "implicit", authorization servers MUST
require clients to register their redirection URI values. This can require clients to register their redirection URI values. This can
help mitigate attacks where rogue actors inject and impersonate a help mitigate attacks where rogue actors inject and impersonate a
validly registered client and intercept its authorization code or validly registered client and intercept its authorization code or
tokens through an invalid redirection URI or open redirector. tokens through an invalid redirection URI or open redirector.
Additionally, in order to prevent hijacking of the return values of Additionally, in order to prevent hijacking of the return values of
the redirection, registered redirection URI values MUST be one of: the redirection, registered redirection URI values MUST be one of:
skipping to change at page 26, line 5 skipping to change at page 27, line 6
Since different OAuth 2.0 grant types have different security and Since different OAuth 2.0 grant types have different security and
usage parameters, an authorization server MAY require separate usage parameters, an authorization server MAY require separate
registrations for a piece of software to support multiple grant registrations for a piece of software to support multiple grant
types. For instance, an authorization server might require that all types. For instance, an authorization server might require that all
clients using the "authorization_code" grant type make use of a clients using the "authorization_code" grant type make use of a
client secret for the "token_endpoint_auth_method", but any clients client secret for the "token_endpoint_auth_method", but any clients
using the "implicit" grant type do not use any authentication at the using the "implicit" grant type do not use any authentication at the
token endpoint. In such a situation, a server MAY disallow clients token endpoint. In such a situation, a server MAY disallow clients
from registering for both the "authorization_code" and "implicit" from registering for both the "authorization_code" and "implicit"
grant types simultaneously. Similarly, the "authorization_code" grant types simultaneously. Similarly, the "authorization_code"
grant type is used to represent access on behalf of an end user, but grant type is used to represent access on behalf of an end-user, but
the "client_credentials" grant type represents access on behalf of the "client_credentials" grant type represents access on behalf of
the client itself. For security reasons, an authorization server the client itself. For security reasons, an authorization server
could require that different scopes be used for these different use could require that different scopes be used for these different use
cases, and as a consequence it MAY disallow these two grant types cases, and as a consequence it MAY disallow these two grant types
from being registered together by the same client. In all of these from being registered together by the same client. In all of these
cases, the authorization server would respond with an cases, the authorization server would respond with an
"invalid_client_metadata" error response. "invalid_client_metadata" error response.
Unless used as a claim in a software statement, the authorization Unless used as a claim in a software statement, the authorization
server MUST treat all client metadata as self-asserted. For server MUST treat all client metadata as self-asserted. For
skipping to change at page 26, line 27 skipping to change at page 27, line 28
client that it is trying to impersonate. Additionally, a rogue client that it is trying to impersonate. Additionally, a rogue
client might try to use the software identifier or software version client might try to use the software identifier or software version
of a legitimate client to attempt to associate itself on the of a legitimate client to attempt to associate itself on the
authorization server with instances of the legitimate client. To authorization server with instances of the legitimate client. To
counteract this, an authorization server needs to take steps to counteract this, an authorization server needs to take steps to
mitigate this risk by looking at the entire registration request and mitigate this risk by looking at the entire registration request and
client configuration. For instance, an authorization server could client configuration. For instance, an authorization server could
issue a warning if the domain/site of the logo doesn't match the issue a warning if the domain/site of the logo doesn't match the
domain/site of redirection URIs. An authorization server could also domain/site of redirection URIs. An authorization server could also
refuse registration requests from a known software identifier that is refuse registration requests from a known software identifier that is
requesting different redirection URIs or a different client homepage requesting different redirection URIs or a different client URI. An
URI. An authorization server can also present warning messages to authorization server can also present warning messages to end-users
end users about dynamically registered clients in all cases, about dynamically registered clients in all cases, especially if such
especially if such clients have been recently registered or have not clients have been recently registered or have not been trusted by any
been trusted by any users at the authorization server before. users at the authorization server before.
In a situation where the authorization server is supporting open In a situation where the authorization server is supporting open
client registration, it must be extremely careful with any URL client registration, it must be extremely careful with any URL
provided by the client that will be displayed to the user (e.g. provided by the client that will be displayed to the user (e.g.
"logo_uri", "tos_uri", "client_uri", and "policy_uri"). For "logo_uri", "tos_uri", "client_uri", and "policy_uri"). For
instance, a rogue client could specify a registration request with a instance, a rogue client could specify a registration request with a
reference to a drive-by download in the "policy_uri". The reference to a drive-by download in the "policy_uri". The
authorization server SHOULD check to see if the "logo_uri", authorization server SHOULD check to see if the "logo_uri",
"tos_uri", "client_uri", and "policy_uri" have the same host and "tos_uri", "client_uri", and "policy_uri" have the same host and
scheme as the those defined in the array of "redirect_uris" and that scheme as the those defined in the array of "redirect_uris" and that
skipping to change at page 27, line 47 skipping to change at page 28, line 48
client. client.
6. Privacy Considerations 6. Privacy Considerations
As the protocol described in this specification deals almost As the protocol described in this specification deals almost
exclusively with information about software and not about people, exclusively with information about software and not about people,
there are very few privacy concerns for its use. The notable there are very few privacy concerns for its use. The notable
exception is the "contacts" field as defined in Client Metadata exception is the "contacts" field as defined in Client Metadata
(Section 2), which contains contact information for the developers or (Section 2), which contains contact information for the developers or
other parties responsible for the client software. These values are other parties responsible for the client software. These values are
intended to be displayed to end users and will be available to the intended to be displayed to end-users and will be available to the
administrators of the authorization server. As such, the developer administrators of the authorization server. As such, the developer
may wish to provide an email address or other contact information may wish to provide an email address or other contact information
expressly dedicated to the purpose of supporting the client instead expressly dedicated to the purpose of supporting the client instead
of using their personal or professional addresses. Alternatively, of using their personal or professional addresses. Alternatively,
the developer may wish to provide a collective email address for the the developer may wish to provide a collective email address for the
client to allow for continuing contact and support of the client client to allow for continuing contact and support of the client
software after the developer moves on and someone else takes over software after the developer moves on and someone else takes over
that responsibility. that responsibility.
In general, the metadata for a client, such as the client name and
software identifier, are common across all instances of a piece of
client software and therefore pose no privacy issues for end-users.
Client identifiers, on the other hand, are often unique to a specific
instance of a client. For clients such as web sites that are used by
many users, there may not be significant privacy concerns regarding
the client identifier, but for clients such as native applications
that are installed on a single end-user's device, the client
identifier could be uniquely tracked during OAuth 2.0 transactions
and its use tied to that single end-user. However, as the client
software still needs to be authorized by a resource owner through an
OAuth 2.0 authorization grant, this type of tracking can occur
whether or not the client identifier is unique by correlating the
authenticated resource owner with the requesting client identifier.
Note that clients are forbidden by this specification from creating
their own client identifier. If the client were able to do so, an
individual client instance could be tracked across multiple colluding
authorization servers, leading to privacy and security issues.
Additionally, client identifiers are generally issued uniquely per
registration request, even for the same instance of software. In
this way, an application could marginally improve privacy by
registering multiple times and appearing to be completely separate
applications. However, this technique does incur significant
usability cost in the form of requiring multiple authorizations per
resource owner and is therefore unlikely to be used in practice.
7. References 7. References
7.1. Normative References 7.1. Normative References
[IANA.Language] [IANA.Language]
Internet Assigned Numbers Authority (IANA), "Language Internet Assigned Numbers Authority (IANA), "Language
Subtag Registry", 2005. Subtag Registry", 2005.
[JWK] Jones, M., "JSON Web Key (JWK)", draft-ietf-jose-json-web- [JWK] Jones, M., "JSON Web Key (JWK)", draft-ietf-jose-json-web-
key (work in progress), July 2014. key (work in progress), January 2015.
[JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web [JWS] Jones, M., Bradley, J., and N. Sakimura, "JSON Web
Signature (JWS)", draft-ietf-jose-json-web-signature (work Signature (JWS)", draft-ietf-jose-json-web-signature (work
in progress), July 2014. in progress), January 2015.
[JWT] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token [JWT] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
(JWT)", draft-ietf-oauth-json-web-token (work in (JWT)", draft-ietf-oauth-json-web-token (work in
progress), July 2014. progress), January 2015.
[OAuth.JWT] [OAuth.JWT]
Jones, M., Campbell, B., and C. Mortimore, "JSON Web Token Jones, M., Campbell, B., and C. Mortimore, "JSON Web Token
(JWT) Profile for OAuth 2.0 Client Authentication and (JWT) Profile for OAuth 2.0 Client Authentication and
Authorization Grants", draft-ietf-oauth-jwt-bearer (work Authorization Grants", draft-ietf-oauth-jwt-bearer (work
in progress), July 2014. in progress), November 2015.
[OAuth.SAML2] [OAuth.SAML2]
Campbell, B., Mortimore, C., and M. Jones, "SAML 2.0 Campbell, B., Mortimore, C., and M. Jones, "SAML 2.0
Profile for OAuth 2.0 Client Authentication and Profile for OAuth 2.0 Client Authentication and
Authorization Grants", draft-ietf-oauth-saml2-bearer (work Authorization Grants", draft-ietf-oauth-saml2-bearer (work
in progress), July 2014. in progress), November 2015.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226, IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008. May 2008.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008. (TLS) Protocol Version 1.2", RFC 5246, August 2008.
skipping to change at page 29, line 27 skipping to change at page 31, line 12
[RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data [RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data
Interchange Format", RFC 7159, March 2014. Interchange Format", RFC 7159, March 2014.
7.2. Informative References 7.2. Informative References
[I-D.hardjono-oauth-umacore] [I-D.hardjono-oauth-umacore]
Hardjono, T., "User-Managed Access (UMA) Profile of OAuth Hardjono, T., "User-Managed Access (UMA) Profile of OAuth
2.0", draft-hardjono-oauth-umacore-10 (work in progress), 2.0", draft-hardjono-oauth-umacore-10 (work in progress),
July 2014. July 2014.
[I-D.ietf-uta-tls-bcp]
Sheffer, Y., Holz, R., and P. Saint-Andre,
"Recommendations for Secure Use of TLS and DTLS", draft-
ietf-uta-tls-bcp-09 (work in progress), February 2015.
[OAuth.Registration.Management] [OAuth.Registration.Management]
Richer, J., Jones, M., Bradley, J., and M. Machulak, Richer, J., Jones, M., Bradley, J., and M. Machulak,
"OAuth 2.0 Dynamic Client Registration Management "OAuth 2.0 Dynamic Client Registration Management
Protocol", draft-ietf-oauth-dyn-reg-management (work in Protocol", draft-ietf-oauth-dyn-reg-management (work in
progress), August 2014. progress), February 2015.
[OpenID.Registration] [OpenID.Registration]
Sakimura, N., Bradley, J., and M. Jones, "OpenID Connect Sakimura, N., Bradley, J., and M. Jones, "OpenID Connect
Dynamic Client Registration 1.0", February 2014. Dynamic Client Registration 1.0", November 2014.
[TLS.BCP] Sheffer, Y., Holz, R., and P. Saint-Andre,
"Recommendations for Secure Use of TLS and DTLS", November
2014.
Appendix A. Use Cases Appendix A. Use Cases
This appendix describes different ways that this specification can be This appendix describes different ways that this specification can be
utilized, including describing some of the choices that may need to utilized, including describing some of the choices that may need to
be made. Some of the choices are independent and can be used in be made. Some of the choices are independent and can be used in
combination, whereas some of the choices are interrelated. combination, whereas some of the choices are interrelated.
A.1. Open versus Protected Dynamic Client Registration A.1. Open versus Protected Dynamic Client Registration
A.1.1. Open Dynamic Client Registration A.1.1. Open Dynamic Client Registration
Authorization servers that support open registration allow Authorization servers that support open registration allow
registrations to be made with no initial access token. This allows registrations to be made with no initial access token. This allows
all client software to register with the authorization server. all client software to register with the authorization server.
A.1.2. Protected Dynamic Client Registration A.1.2. Protected Dynamic Client Registration
Authorization servers that support protected registration require Authorization servers that support protected registration require
that an initial access token be used when making registration that an initial access token be used when making registration
skipping to change at page 32, line 30 skipping to change at page 34, line 12
to various versions of this document: Amanda Anganes, Derek Atkins, to various versions of this document: Amanda Anganes, Derek Atkins,
Tim Bray, Domenico Catalano, Donald Coffin, Vladimir Dzhuvinov, Tim Bray, Domenico Catalano, Donald Coffin, Vladimir Dzhuvinov,
George Fletcher, Thomas Hardjono, Phil Hunt, William Kim, Torsten George Fletcher, Thomas Hardjono, Phil Hunt, William Kim, Torsten
Lodderstedt, Eve Maler, Josh Mandel, Nov Matake, Tony Nadalin, Nat Lodderstedt, Eve Maler, Josh Mandel, Nov Matake, Tony Nadalin, Nat
Sakimura, Christian Scholz, and Hannes Tschofenig. Sakimura, Christian Scholz, and Hannes Tschofenig.
Appendix C. Document History Appendix C. Document History
[[ to be removed by the RFC editor before publication as an RFC ]] [[ to be removed by the RFC editor before publication as an RFC ]]
-24
o Clarified some party definitions.
o Clarified the opaqueness of software_id and software_statement.
o Created a forward pointer to the Security Considerations section
for TLS requirements on the registration endpoint.
o Added a forward pointer to the Privacy Considerations section for
the contacts field.
o Wrote privacy considerations about client_id tracking.
-23 -23
o Updated author information. o Updated author information.
-22 -22
o Reorganized registration response sections. o Reorganized registration response sections.
o Addressed shepherd comments. o Addressed shepherd comments.
o Added concrete JWK set to example. o Added concrete JWK set to example.
 End of changes. 39 change blocks. 
111 lines changed or deleted 167 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/