OAuth 2.0 Dynamic Client Registration Management Protocol
draft-ietf-oauth-dyn-reg-management-13
The information below is for an old version of the document.
Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 7592.
|
|
---|---|---|---|
Authors | Justin Richer , Michael B. Jones , John Bradley , Maciej Machulak | ||
Last updated | 2015-04-09 (Latest revision 2015-04-06) | ||
Replaces | draft-jones-oauth-dyn-reg-management | ||
RFC stream | Internet Engineering Task Force (IETF) | ||
Formats | |||
Reviews |
GENART Last Call review
(of
-09)
by Peter Yee
Ready w/nits
|
||
Additional resources | Mailing list discussion | ||
Stream | WG state | Submitted to IESG for Publication | |
Document shepherd | Hannes Tschofenig | ||
Shepherd write-up | Show Last changed 2015-03-03 | ||
IESG | IESG state | Became RFC 7592 (Experimental) | |
Consensus boilerplate | Yes | ||
Telechat date | (None) | ||
Responsible AD | Kathleen Moriarty | ||
Send notices to | "Hannes Tschofenig" <Hannes.Tschofenig@gmx.net> | ||
IANA | IANA review state | IANA OK - Actions Needed |
draft-ietf-oauth-dyn-reg-management-13
quot;, RFC 7231, June 2014. [TLS.BCP] Sheffer, Y., Holz, R., and P. Saint-Andre, "Recommendations for Secure Use of TLS and DTLS", November 2014. Richer, et al. Expires October 8, 2015 [Page 13] Internet-Draft OAuth 2.0 Dynamic Registration Management April 2015 Appendix A. Acknowledgments The authors thank the OAuth Working Group, the User-Managed Access Working Group, and the OpenID Connect Working Group participants for their input to this document. In particular, the following individuals have been instrumental in their review and contribution to various versions of this document: Amanda Anganes, Derek Atkins, Tim Bray, Domenico Catalano, Donald Coffin, Vladimir Dzhuvinov, George Fletcher, Thomas Hardjono, Phil Hunt, William Kim, Torsten Lodderstedt, Eve Maler, Josh Mandel, Nov Matake, Tony Nadalin, Nat Sakimura, Christian Scholz, and Hannes Tschofenig. Appendix B. Registration Tokens and Client Credentials Throughout the course of the dynamic registration protocol, there are three different classes of credentials in play, each with different properties and targets. o The initial access token is optionally used by the client or developer at the registration endpoint. This is an OAuth 2.0 token that is used to authorize the initial client registration request. The content, structure, generation, and validation of this token are out of scope for this specification. The authorization server can use this token to verify that the presenter is allowed to dynamically register new clients. This token may be shared among multiple instances of a client to allow them to each register separately, thereby letting the authorization server use this token to tie multiple instances of registered clients (each with their own distinct client identifier) back to the party to whom the initial access token was issued, usually an application developer. This token is usually intended to be used only at the client registration endpoint. o The registration access token is used by the client or developer at the client configuration endpoint and represents the holder's authorization to manage the registration of a client. This is an OAuth 2.0 bearer token that is issued from the client registration endpoint in response to a client registration request and is returned in a client information response. The registration access token is uniquely bound to the client identifier and is required to be presented with all calls to the client configuration endpoint. The registration access token should be protected as described in [RFC6750] and should not be shared between instances of a client. If a registration access token is shared between client instances, one instance could change or delete registration values for all other instances of the client. The registration access token can be rotated through the use of the client read or update method on the client configuration Richer, et al. Expires October 8, 2015 [Page 14] Internet-Draft OAuth 2.0 Dynamic Registration Management April 2015 endpoint. The registration access token is intended to be used only at the client configuration endpoint. o The client credentials (such as "client_secret") are optional depending on the type of client and are used to retrieve OAuth tokens. Client credentials are most often bound to particular instances of a client and should not be shared between instances. Note that since not all types of clients have client credentials, they cannot be used to manage client registrations at the client configuration endpoint. The client credentials can be rotated through the use of the client read or update method on the client configuration endpoint. The client credentials are intended to be used only at the token endpoint. B.1. Credential Rotation The authorization server may be configured to issue new registration access tokens and/or client credentials (such as a "client_secret") throughout the lifetime of the client. This may help minimize the impact of exposed credentials. The authorization server conveys new registration access tokens and client credentials (if applicable) to the client in the client information response of either a read or update request to the client configuration endpoint. The client's current registration access token and client credentials (if applicable) MUST be included in the client information response. The registration access token SHOULD be rotated only in response to a read or update request to the client configuration endpoint, at which point the new registration access token is returned to the client and the old registration access token MUST be discarded by the client and SHOULD be discarded by the server, if possible. If instead the registration access token were to expire or be invalidated outside of such requests, the client or developer might be locked out of managing the client's configuration. Note that the authorization server decides the frequency of the credential rotation and not the client. Methods by which the client can request credential rotation are outside the scope of this document. Appendix C. Forming the Client Configuration Endpoint URL The authorization server MUST provide the client with the fully qualified URL in the "registration_client_uri" element of the Client Information Response, as specified in Section 3. The authorization server MUST NOT expect the client to construct or discover this URL on its own. The client MUST use the URL as given by the server and MUST NOT construct this URL from component pieces. Richer, et al. Expires October 8, 2015 [Page 15] Internet-Draft OAuth 2.0 Dynamic Registration Management April 2015 Depending on deployment characteristics, the client configuration endpoint URL may take any number of forms. It is RECOMMENDED that this endpoint URL be formed through the use of a server-constructed URL string which combines the client registration endpoint's URL and the issued "client_id" for this client, with the latter as either a path parameter or a query parameter. For example, a client with the client identifier "s6BhdRkqt3" could be given a client configuration endpoint URL of "https://server.example.com/register/s6BhdRkqt3" (path parameter) or of "https://server.example.com/ register?client_id=s6BhdRkqt3" (query parameter). In both of these cases, the client simply uses the URL as given by the authorization server. These common patterns can help the server to more easily determine the client to which the request pertains, which MUST be matched against the client to which the registration access token was issued. If desired, the server MAY simply return the client registration endpoint URL as the client configuration endpoint URL and change behavior based on the authentication context provided by the registration access token. Appendix D. Document History [[ to be removed by the RFC editor before publication as an RFC ]] -13 o Changed rate-limiting suggestion to a complexity requirement. -12 o Used consistent registry name. -11 o Fixed a series of nits from Peter Yee's Gen-ART review. -10 o Updated author information. o Updated TLS information, imported from Dynamic Registration core. o Expanded introduction. o Reformatted diagram text. o Added privacy considerations section. Richer, et al. Expires October 8, 2015 [Page 16] Internet-Draft OAuth 2.0 Dynamic Registration Management April 2015 -09 o Updated author information. -08 o Updated HTTP RFC reference. -07 o Editorial clarifications due to document shepherd feedback. -06 o Removed TLS 1.0. o Moved several explanatory sections to the appendix. o Clarified read operations. o Added IANA request. -05 o Removed Phil Hunt from authors list, per request. o Applied various minor editorial changes from working group comments. -04 o Incorrect XML uploaded for -03 -03 o Changed draft to be Experimental instead of Standards Track. -02 o Added more context information to the abstract. -01 o Addressed issues that arose from last call comments on draft-ietf- oauth-dyn-reg and draft-ietf-oauth-dyn-reg-metadata. -00 Richer, et al. Expires October 8, 2015 [Page 17] Internet-Draft OAuth 2.0 Dynamic Registration Management April 2015 o Created from draft-jones-oauth-dyn-reg-management-00. Authors' Addresses Justin Richer (editor) Email: ietf@justin.richer.org Michael B. Jones Microsoft Email: mbj@microsoft.com URI: http://self-issued.info/ John Bradley Ping Identity Email: ve7jtb@ve7jtb.com Maciej Machulak Newcastle University Email: maciej.machulak@gmail.com Richer, et al. Expires October 8, 2015 [Page 18]