OAuth 2.0 Dynamic Client Registration Management Protocol
draft-ietf-oauth-dyn-reg-management-13
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 7592.
|
|
|---|---|---|---|
| Authors | Justin Richer , Michael B. Jones , John Bradley , Maciej Machulak | ||
| Last updated | 2015-04-09 (Latest revision 2015-04-06) | ||
| Replaces | draft-jones-oauth-dyn-reg-management | ||
| RFC stream | Internet Engineering Task Force (IETF) | ||
| Formats | |||
| Reviews |
GENART Last Call review
(of
-09)
by Peter Yee
Ready w/nits
|
||
| Additional resources | Mailing list discussion | ||
| Stream | WG state | Submitted to IESG for Publication | |
| Document shepherd | Hannes Tschofenig | ||
| Shepherd write-up | Show Last changed 2015-03-03 | ||
| IESG | IESG state | Became RFC 7592 (Experimental) | |
| Consensus boilerplate | Yes | ||
| Telechat date | (None) | ||
| Responsible AD | Kathleen Moriarty | ||
| Send notices to | "Hannes Tschofenig" <Hannes.Tschofenig@gmx.net> | ||
| IANA | IANA review state | IANA OK - Actions Needed |
draft-ietf-oauth-dyn-reg-management-13
quot;, RFC 7231, June 2014.
[TLS.BCP] Sheffer, Y., Holz, R., and P. Saint-Andre,
"Recommendations for Secure Use of TLS and DTLS", November
2014.
Richer, et al. Expires October 8, 2015 [Page 13]
Internet-Draft OAuth 2.0 Dynamic Registration Management April 2015
Appendix A. Acknowledgments
The authors thank the OAuth Working Group, the User-Managed Access
Working Group, and the OpenID Connect Working Group participants for
their input to this document. In particular, the following
individuals have been instrumental in their review and contribution
to various versions of this document: Amanda Anganes, Derek Atkins,
Tim Bray, Domenico Catalano, Donald Coffin, Vladimir Dzhuvinov,
George Fletcher, Thomas Hardjono, Phil Hunt, William Kim, Torsten
Lodderstedt, Eve Maler, Josh Mandel, Nov Matake, Tony Nadalin, Nat
Sakimura, Christian Scholz, and Hannes Tschofenig.
Appendix B. Registration Tokens and Client Credentials
Throughout the course of the dynamic registration protocol, there are
three different classes of credentials in play, each with different
properties and targets.
o The initial access token is optionally used by the client or
developer at the registration endpoint. This is an OAuth 2.0
token that is used to authorize the initial client registration
request. The content, structure, generation, and validation of
this token are out of scope for this specification. The
authorization server can use this token to verify that the
presenter is allowed to dynamically register new clients. This
token may be shared among multiple instances of a client to allow
them to each register separately, thereby letting the
authorization server use this token to tie multiple instances of
registered clients (each with their own distinct client
identifier) back to the party to whom the initial access token was
issued, usually an application developer. This token is usually
intended to be used only at the client registration endpoint.
o The registration access token is used by the client or developer
at the client configuration endpoint and represents the holder's
authorization to manage the registration of a client. This is an
OAuth 2.0 bearer token that is issued from the client registration
endpoint in response to a client registration request and is
returned in a client information response. The registration
access token is uniquely bound to the client identifier and is
required to be presented with all calls to the client
configuration endpoint. The registration access token should be
protected as described in [RFC6750] and should not be shared
between instances of a client. If a registration access token is
shared between client instances, one instance could change or
delete registration values for all other instances of the client.
The registration access token can be rotated through the use of
the client read or update method on the client configuration
Richer, et al. Expires October 8, 2015 [Page 14]
Internet-Draft OAuth 2.0 Dynamic Registration Management April 2015
endpoint. The registration access token is intended to be used
only at the client configuration endpoint.
o The client credentials (such as "client_secret") are optional
depending on the type of client and are used to retrieve OAuth
tokens. Client credentials are most often bound to particular
instances of a client and should not be shared between instances.
Note that since not all types of clients have client credentials,
they cannot be used to manage client registrations at the client
configuration endpoint. The client credentials can be rotated
through the use of the client read or update method on the client
configuration endpoint. The client credentials are intended to be
used only at the token endpoint.
B.1. Credential Rotation
The authorization server may be configured to issue new registration
access tokens and/or client credentials (such as a "client_secret")
throughout the lifetime of the client. This may help minimize the
impact of exposed credentials. The authorization server conveys new
registration access tokens and client credentials (if applicable) to
the client in the client information response of either a read or
update request to the client configuration endpoint. The client's
current registration access token and client credentials (if
applicable) MUST be included in the client information response.
The registration access token SHOULD be rotated only in response to a
read or update request to the client configuration endpoint, at which
point the new registration access token is returned to the client and
the old registration access token MUST be discarded by the client and
SHOULD be discarded by the server, if possible. If instead the
registration access token were to expire or be invalidated outside of
such requests, the client or developer might be locked out of
managing the client's configuration.
Note that the authorization server decides the frequency of the
credential rotation and not the client. Methods by which the client
can request credential rotation are outside the scope of this
document.
Appendix C. Forming the Client Configuration Endpoint URL
The authorization server MUST provide the client with the fully
qualified URL in the "registration_client_uri" element of the Client
Information Response, as specified in Section 3. The authorization
server MUST NOT expect the client to construct or discover this URL
on its own. The client MUST use the URL as given by the server and
MUST NOT construct this URL from component pieces.
Richer, et al. Expires October 8, 2015 [Page 15]
Internet-Draft OAuth 2.0 Dynamic Registration Management April 2015
Depending on deployment characteristics, the client configuration
endpoint URL may take any number of forms. It is RECOMMENDED that
this endpoint URL be formed through the use of a server-constructed
URL string which combines the client registration endpoint's URL and
the issued "client_id" for this client, with the latter as either a
path parameter or a query parameter. For example, a client with the
client identifier "s6BhdRkqt3" could be given a client configuration
endpoint URL of "https://server.example.com/register/s6BhdRkqt3"
(path parameter) or of "https://server.example.com/
register?client_id=s6BhdRkqt3" (query parameter). In both of these
cases, the client simply uses the URL as given by the authorization
server.
These common patterns can help the server to more easily determine
the client to which the request pertains, which MUST be matched
against the client to which the registration access token was issued.
If desired, the server MAY simply return the client registration
endpoint URL as the client configuration endpoint URL and change
behavior based on the authentication context provided by the
registration access token.
Appendix D. Document History
[[ to be removed by the RFC editor before publication as an RFC ]]
-13
o Changed rate-limiting suggestion to a complexity requirement.
-12
o Used consistent registry name.
-11
o Fixed a series of nits from Peter Yee's Gen-ART review.
-10
o Updated author information.
o Updated TLS information, imported from Dynamic Registration core.
o Expanded introduction.
o Reformatted diagram text.
o Added privacy considerations section.
Richer, et al. Expires October 8, 2015 [Page 16]
Internet-Draft OAuth 2.0 Dynamic Registration Management April 2015
-09
o Updated author information.
-08
o Updated HTTP RFC reference.
-07
o Editorial clarifications due to document shepherd feedback.
-06
o Removed TLS 1.0.
o Moved several explanatory sections to the appendix.
o Clarified read operations.
o Added IANA request.
-05
o Removed Phil Hunt from authors list, per request.
o Applied various minor editorial changes from working group
comments.
-04
o Incorrect XML uploaded for -03
-03
o Changed draft to be Experimental instead of Standards Track.
-02
o Added more context information to the abstract.
-01
o Addressed issues that arose from last call comments on draft-ietf-
oauth-dyn-reg and draft-ietf-oauth-dyn-reg-metadata.
-00
Richer, et al. Expires October 8, 2015 [Page 17]
Internet-Draft OAuth 2.0 Dynamic Registration Management April 2015
o Created from draft-jones-oauth-dyn-reg-management-00.
Authors' Addresses
Justin Richer (editor)
Email: ietf@justin.richer.org
Michael B. Jones
Microsoft
Email: mbj@microsoft.com
URI: http://self-issued.info/
John Bradley
Ping Identity
Email: ve7jtb@ve7jtb.com
Maciej Machulak
Newcastle University
Email: maciej.machulak@gmail.com
Richer, et al. Expires October 8, 2015 [Page 18]