summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc7592.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc7592.txt')
-rw-r--r--doc/rfc/rfc7592.txt1011
1 files changed, 1011 insertions, 0 deletions
diff --git a/doc/rfc/rfc7592.txt b/doc/rfc/rfc7592.txt
new file mode 100644
index 0000000..e914935
--- /dev/null
+++ b/doc/rfc/rfc7592.txt
@@ -0,0 +1,1011 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) J. Richer, Ed.
+Request for Comments: 7592
+Category: Experimental M. Jones
+ISSN: 2070-1721 Microsoft
+ J. Bradley
+ Ping Identity
+ M. Machulak
+ Newcastle University
+ July 2015
+
+
+ OAuth 2.0 Dynamic Client Registration Management Protocol
+
+Abstract
+
+ This specification defines methods for management of OAuth 2.0
+ dynamic client registrations for use cases in which the properties of
+ a registered client may need to be changed during the lifetime of the
+ client. Not all authorization servers supporting dynamic client
+ registration will support these management methods.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for examination, experimental implementation, and
+ evaluation.
+
+ This document defines an Experimental Protocol for the Internet
+ community. This document is a product of the Internet Engineering
+ Task Force (IETF). It represents the consensus of the IETF
+ community. It has received public review and has been approved for
+ publication by the Internet Engineering Steering Group (IESG). Not
+ all documents approved by the IESG are a candidate for any level of
+ Internet Standard; see Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc7592.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richer, et al. Experimental [Page 1]
+
+RFC 7592 OAuth 2.0 Dynamic Registration Management July 2015
+
+
+Copyright Notice
+
+ Copyright (c) 2015 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
+ 1.1. Notational Conventions . . . . . . . . . . . . . . . . . 3
+ 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
+ 1.3. Protocol Flow . . . . . . . . . . . . . . . . . . . . . . 4
+ 2. Client Configuration Endpoint . . . . . . . . . . . . . . . . 5
+ 2.1. Client Read Request . . . . . . . . . . . . . . . . . . . 6
+ 2.2. Client Update Request . . . . . . . . . . . . . . . . . . 7
+ 2.3. Client Delete Request . . . . . . . . . . . . . . . . . . 9
+ 3. Client Information Response . . . . . . . . . . . . . . . . . 10
+ 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
+ 5. Security Considerations . . . . . . . . . . . . . . . . . . . 12
+ 6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 13
+ 7. Normative References . . . . . . . . . . . . . . . . . . . . 13
+ Appendix A. Registration Tokens and Client Credentials . . . . . 15
+ A.1. Credential Rotation . . . . . . . . . . . . . . . . . . . 16
+ Appendix B. Forming the Client Configuration Endpoint URL . . . 16
+ Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 17
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18
+
+1. Introduction
+
+ In order for an OAuth 2.0 client to utilize an OAuth 2.0
+ authorization server, the client needs specific information to
+ interact with the server, including an OAuth 2.0 client identifier to
+ use with that server. "OAuth 2.0 Dynamic Client Registration
+ Protocol" [RFC7591] describes how an OAuth 2.0 client can be
+ dynamically registered with an authorization server to obtain this
+ information and how metadata about the client can be registered with
+ the server.
+
+
+
+
+
+Richer, et al. Experimental [Page 2]
+
+RFC 7592 OAuth 2.0 Dynamic Registration Management July 2015
+
+
+ This specification extends the core registration specification by
+ defining a set of methods for management of dynamic OAuth 2.0 client
+ registrations beyond those defined in the core registration
+ specification. In some situations, the registered metadata of a
+ client can change over time, either by modification at the
+ authorization server or by a change in the client software itself.
+ This specification provides methods for the current registration
+ state of a client to be queried at the authorization server, methods
+ for the registration of a client to be updated at the authorization
+ server, and methods for the client to be unregistered from the
+ authorization server.
+
+ This Experimental RFC is intended to encourage development and
+ deployment of interoperable solutions with the intent that feedback
+ from this experience will inform a future standard.
+
+1.1. Notational Conventions
+
+ The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT',
+ 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in this
+ document are to be interpreted as described in [RFC2119].
+
+ Unless otherwise noted, all the protocol parameter names and values
+ are case sensitive.
+
+1.2. Terminology
+
+ This specification uses the terms "access token", "authorization
+ code", "authorization endpoint", "authorization grant",
+ "authorization server", "client", "client identifier", "client
+ secret", "grant type", "protected resource", "redirection URI",
+ "refresh token", "resource owner", "resource server", "response
+ type", and "token endpoint" defined by OAuth 2.0 [RFC6749] and the
+ terms defined by "OAuth 2.0 Client Dynamic Registration Protocol"
+ [RFC7591].
+
+ This specification defines the following terms:
+
+ Client Configuration Endpoint
+ OAuth 2.0 endpoint through which registration information for a
+ registered client can be managed. This URL for this endpoint is
+ returned by the authorization server in the client information
+ response.
+
+
+
+
+
+
+
+
+Richer, et al. Experimental [Page 3]
+
+RFC 7592 OAuth 2.0 Dynamic Registration Management July 2015
+
+
+ Registration Access Token
+ OAuth 2.0 Bearer Token issued by the authorization server through
+ the client registration endpoint that is used to authenticate the
+ caller when accessing the client's registration information at the
+ client configuration endpoint. This access token is associated
+ with a particular registered client.
+
+1.3. Protocol Flow
+
+ This extends the flow in "OAuth 2.0 Dynamic Client Registration
+ Protocol" [RFC7591] as follows:
+
+ +--------(A)- Initial Access Token (OPTIONAL)
+ |
+ | +----(B)- Software Statement (OPTIONAL)
+ | |
+ v v
+ +-----------+ +---------------+
+ | |--(C)- Client Registration Request -->| Client |
+ | | | Registration |
+ | |<-(D)- Client Information Response ---| Endpoint |
+ | | +---------------+
+ | |
+ | | +---------------+
+ | Client or |--(E)- Read or Update Request ------->| |
+ | Developer | | |
+ | |<-(F)- Client Information Response ---| Client |
+ | | | Configuration |
+ | | | Endpoint |
+ | | | |
+ | |--(G)- Delete Request --------------->| |
+ | | | |
+ | |<-(H)- Delete Confirmation -----------| |
+ +-----------+ +---------------+
+
+ Figure 1: Abstract Extended Dynamic Client Registration Flow
+
+ The abstract OAuth 2.0 client dynamic registration flow illustrated
+ in Figure 1 describes the interaction between the client or developer
+ and the endpoints defined in this specification and its parent. This
+ figure does not demonstrate error conditions. This flow includes the
+ following steps:
+
+ (A) Optionally, the client or developer is issued an initial access
+ token for use with the client registration endpoint. The
+ method by which the initial access token is issued to the
+ client or developer is out of scope for this specification.
+
+
+
+
+Richer, et al. Experimental [Page 4]
+
+RFC 7592 OAuth 2.0 Dynamic Registration Management July 2015
+
+
+ (B) Optionally, the client or developer is issued a software
+ statement for use with the client registration endpoint. The
+ method by which the software statement is issued to the client
+ or developer is out of scope for this specification.
+
+ (C) The client or developer calls the client registration endpoint
+ with its desired registration metadata, optionally including
+ the initial access token from (A) if one is required by the
+ authorization server.
+
+ (D) The authorization server registers the client and returns:
+
+ * the client's registered metadata,
+
+ * a client identifier that is unique to the server,
+
+ * a set of client credentials such as a client secret, if
+ applicable for this client,
+
+ * a URI pointing to the client configuration endpoint, and
+
+ * a registration access token to be used when calling the
+ client configuration endpoint.
+
+ (E) The client or developer optionally calls the client
+ configuration endpoint with a read or update request using the
+ registration access token issued in (D). An update request
+ contains all of the client's registered metadata.
+
+ (F) The authorization server responds with the client's current
+ configuration, potentially including a new registration access
+ token and a new set of client credentials such as a client
+ secret if applicable for this client. If a new registration
+ access token is issued, it replaces the token issued in (D) for
+ all subsequent calls to the client configuration endpoint.
+
+ (G) The client or developer optionally calls the client
+ configuration endpoint with a delete request using the
+ registration access token issued in (D) or (F).
+
+ (H) The authorization server deprovisions the client and responds
+ with a confirmation that the deletion has taken place.
+
+2. Client Configuration Endpoint
+
+ The client configuration endpoint is an OAuth 2.0 protected resource
+ that is provisioned by the server to facilitate viewing, updating,
+ and deleting a client's registered information. The location of this
+
+
+
+Richer, et al. Experimental [Page 5]
+
+RFC 7592 OAuth 2.0 Dynamic Registration Management July 2015
+
+
+ endpoint is communicated to the client through the
+ "registration_client_uri" member of the client information response,
+ as specified in Section 3. The client MUST use its registration
+ access token in all calls to this endpoint as an OAuth 2.0 Bearer
+ Token [RFC6750].
+
+ The client configuration endpoint MUST be protected by a transport-
+ layer security mechanism, as described in Section 5.
+
+ Operations on this endpoint are switched through the use of different
+ HTTP methods [RFC7231]. If an authorization server does not support
+ a particular method on the client configuration endpoint, it MUST
+ respond with the appropriate error code.
+
+2.1. Client Read Request
+
+ To read the current configuration of the client on the authorization
+ server, the client makes an HTTP GET request to the client
+ configuration endpoint, authenticating with its registration access
+ token.
+
+ The following is a non-normative example request:
+
+ GET /register/s6BhdRkqt3 HTTP/1.1
+ Accept: application/json
+ Host: server.example.com
+ Authorization: Bearer reg-23410913-abewfq.123483
+
+ Upon successful read of the information for a currently active
+ client, the authorization server responds with an HTTP 200 OK with
+ content type of "application/json" and a payload as described in
+ Section 3. Some values in the response, including the
+ "client_secret" and "registration_access_token", MAY be different
+ from those in the initial registration response. If the
+ authorization server includes a new client secret and/or registration
+ access token in its response, the client MUST immediately discard its
+ previous client secret and/or registration access token. The value
+ of the "client_id" MUST NOT change from the initial registration
+ response.
+
+ If the registration access token used to make this request is not
+ valid, the server MUST respond with an error as described in the
+ OAuth Bearer Token Usage specification [RFC6750].
+
+ If the client does not exist on this server, the server MUST respond
+ with HTTP 401 Unauthorized and the registration access token used to
+ make this request SHOULD be immediately revoked.
+
+
+
+
+Richer, et al. Experimental [Page 6]
+
+RFC 7592 OAuth 2.0 Dynamic Registration Management July 2015
+
+
+ If the client does not have permission to read its record, the server
+ MUST return an HTTP 403 Forbidden.
+
+2.2. Client Update Request
+
+ To update a previously registered client's registration with an
+ authorization server, the client makes an HTTP PUT request to the
+ client configuration endpoint with a content type of "application/
+ json". The HTTP entity payload is a JSON [RFC7159] document
+ consisting of a JSON object and all parameters as top-level members
+ of that JSON object. This request is authenticated by the
+ registration access token issued to the client.
+
+ This request MUST include all client metadata fields as returned to
+ the client from a previous registration, read, or update operation.
+ The updated client metadata fields request MUST NOT include the
+ "registration_access_token", "registration_client_uri",
+ "client_secret_expires_at", or "client_id_issued_at" fields described
+ in Section 3.
+
+ Valid values of client metadata fields in this request MUST replace,
+ not augment, the values previously associated with this client.
+ Omitted fields MUST be treated as null or empty values by the server,
+ indicating the client's request to delete them from the client's
+ registration. The authorization server MAY ignore any null or empty
+ value in the request just as any other value.
+
+ The client MUST include its "client_id" field in the request, and it
+ MUST be the same as its currently issued client identifier. If the
+ client includes the "client_secret" field in the request, the value
+ of this field MUST match the currently issued client secret for that
+ client. The client MUST NOT be allowed to overwrite its existing
+ client secret with its own chosen value.
+
+ For all metadata fields, the authorization server MAY replace any
+ invalid values with suitable default values, and it MUST return any
+ such fields to the client in the response.
+
+ For example, a client could send the following request to the client
+ registration endpoint to update the client registration in the above
+ example with new information.
+
+
+
+
+
+
+
+
+
+
+Richer, et al. Experimental [Page 7]
+
+RFC 7592 OAuth 2.0 Dynamic Registration Management July 2015
+
+
+ The following is a non-normative example request:
+
+ PUT /register/s6BhdRkqt3 HTTP/1.1
+ Accept: application/json
+ Host: server.example.com
+ Authorization: Bearer reg-23410913-abewfq.123483
+
+ {
+ "client_id": "s6BhdRkqt3",
+ "client_secret": "cf136dc3c1fc93f31185e5885805d",
+ "redirect_uris": [
+ "https://client.example.org/callback",
+ "https://client.example.org/alt"],
+ "grant_types": ["authorization_code", "refresh_token"],
+ "token_endpoint_auth_method": "client_secret_basic",
+ "jwks_uri": "https://client.example.org/my_public_keys.jwks",
+ "client_name": "My New Example",
+ "client_name#fr": "Mon Nouvel Exemple",
+ "logo_uri": "https://client.example.org/newlogo.png",
+ "logo_uri#fr": "https://client.example.org/fr/newlogo.png"
+ }
+
+ This example uses client metadata values defined in [RFC7591].
+
+ Upon successful update, the authorization server responds with an
+ HTTP 200 OK message with content type "application/json" and a
+ payload as described in Section 3. Some values in the response,
+ including the "client_secret" and "registration_access_token", MAY be
+ different from those in the initial registration response. If the
+ authorization server includes a new client secret and/or registration
+ access token in its response, the client MUST immediately discard its
+ previous client secret and/or registration access token. The value
+ of the "client_id" MUST NOT change from the initial registration
+ response.
+
+ If the registration access token used to make this request is not
+ valid, the server MUST respond with an error as described in the
+ OAuth Bearer Token Usage specification [RFC6750].
+
+ If the client does not exist on this server, the server MUST respond
+ with HTTP 401 Unauthorized, and the registration access token used to
+ make this request SHOULD be immediately revoked.
+
+ If the client is not allowed to update its records, the server MUST
+ respond with HTTP 403 Forbidden.
+
+
+
+
+
+
+Richer, et al. Experimental [Page 8]
+
+RFC 7592 OAuth 2.0 Dynamic Registration Management July 2015
+
+
+ If the client attempts to set an invalid metadata field and the
+ authorization server does not set a default value, the authorization
+ server responds with an error as described in [RFC7591].
+
+2.3. Client Delete Request
+
+ To deprovision itself on the authorization server, the client makes
+ an HTTP DELETE request to the client configuration endpoint. This
+ request is authenticated by the registration access token issued to
+ the client.
+
+ The following is a non-normative example request:
+
+ DELETE /register/s6BhdRkqt3 HTTP/1.1
+ Host: server.example.com
+ Authorization: Bearer reg-23410913-abewfq.123483
+
+ A successful delete action will invalidate the "client_id",
+ "client_secret", and "registration_access_token" for this client,
+ thereby preventing the "client_id" from being used at either the
+ authorization endpoint or token endpoint of the authorization server.
+ If possible, the authorization server SHOULD immediately invalidate
+ all existing authorization grants and currently active access tokens,
+ all refresh tokens, and all other tokens associated with this client.
+
+ If a client has been successfully deprovisioned, the authorization
+ server MUST respond with an HTTP 204 No Content message.
+
+ If the server does not support the delete method, the server MUST
+ respond with HTTP 405 Not Supported.
+
+ If the registration access token used to make this request is not
+ valid, the server MUST respond with an error as described in the
+ OAuth Bearer Token Usage specification [RFC6750].
+
+ If the client does not exist on this server, the server MUST respond
+ with HTTP 401 Unauthorized and the registration access token used to
+ make this request SHOULD be immediately revoked, if possible.
+
+ If the client is not allowed to delete itself, the server MUST
+ respond with HTTP 403 Forbidden.
+
+ The following is a non-normative example response:
+
+ HTTP/1.1 204 No Content
+ Cache-Control: no-store
+ Pragma: no-cache
+
+
+
+
+Richer, et al. Experimental [Page 9]
+
+RFC 7592 OAuth 2.0 Dynamic Registration Management July 2015
+
+
+3. Client Information Response
+
+ This specification extends the client information response defined in
+ "OAuth 2.0 Client Dynamic Registration" [RFC7591], which states that
+ the response contains the client identifier (as well as the client
+ secret if the client is a confidential client). When used with this
+ specification, the client information response also contains the
+ fully qualified URL of the client configuration endpoint (Section 2)
+ for this specific client that the client or developer may use to
+ manage the client's registration configuration, as well as a
+ registration access token that is to be used by the client or
+ developer to perform subsequent operations at the client
+ configuration endpoint.
+
+ registration_client_uri
+ REQUIRED. String containing the fully qualified URL of the client
+ configuration endpoint for this client.
+
+ registration_access_token
+ REQUIRED. String containing the access token to be used at the
+ client configuration endpoint to perform subsequent operations
+ upon the client registration.
+
+ Additionally, the authorization server MUST return all registered
+ metadata about this client, including any fields provisioned by the
+ authorization server itself. The authorization server MAY reject or
+ replace any of the client's requested metadata values submitted
+ during the registration or update requests and substitute them with
+ suitable values.
+
+ The response is an "application/json" document with all parameters as
+ top-level members of a JSON object [RFC7159].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richer, et al. Experimental [Page 10]
+
+RFC 7592 OAuth 2.0 Dynamic Registration Management July 2015
+
+
+ The following is a non-normative example response:
+
+ HTTP/1.1 200 OK
+ Content-Type: application/json
+ Cache-Control: no-store
+ Pragma: no-cache
+
+ {
+ "registration_access_token": "reg-23410913-abewfq.123483",
+ "registration_client_uri":
+ "https://server.example.com/register/s6BhdRkqt3",
+ "client_id": "s6BhdRkqt3",
+ "client_secret": "cf136dc3c1fc93f31185e5885805d",
+ "client_id_issued_at": 2893256800,
+ "client_secret_expires_at": 2893276800,
+ "client_name": "My Example Client",
+ "client_name#ja-Jpan-JP":
+ "\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D",
+ "redirect_uris": [
+ "https://client.example.org/callback",
+ "https://client.example.org/callback2"],
+ "grant_types": ["authorization_code", "refresh_token"],
+ "token_endpoint_auth_method": "client_secret_basic",
+ "logo_uri": "https://client.example.org/logo.png",
+ "jwks_uri": "https://client.example.org/my_public_keys.jwks"
+ }
+
+4. IANA Considerations
+
+ This specification registers the following client metadata names and
+ descriptions in the "OAuth Dynamic Client Registration Metadata"
+ registry established by [RFC7591]:
+
+ o Client Metadata Name: "registration_access_token"
+
+ o Client Metadata Description: OAuth 2.0 Bearer Token used to access
+ the client configuration endpoint
+
+ o Change Controller: IESG
+
+ o Specification Document(s): RFC 7592
+
+ o Client Metadata Name: "registration_client_uri"
+
+ o Client Metadata Description: Fully qualified URI of the client
+ registration endpoint
+
+ o Change Controller: IESG
+
+
+
+Richer, et al. Experimental [Page 11]
+
+RFC 7592 OAuth 2.0 Dynamic Registration Management July 2015
+
+
+ o Specification Document(s): RFC 7592
+
+5. Security Considerations
+
+ While the client secret can expire, the registration access token
+ SHOULD NOT expire while a client is still actively registered. If
+ this token were to expire, a developer or client could be left in a
+ situation where they have no means of retrieving, updating, or
+ deleting the client's registration information. Were that the case,
+ a new registration would be required, thereby generating a new client
+ identifier. However, to limit the exposure surface of the
+ registration access token, the registration access token MAY be
+ rotated when the developer or client does a read or update operation
+ on the client's client configuration endpoint. As the registration
+ access tokens are relatively long-term credentials, and since the
+ registration access token is a Bearer Token and acts as the sole
+ authentication for use at the client configuration endpoint, it MUST
+ be protected by the developer or client as described in the OAuth 2.0
+ Bearer Token Usage specification [RFC6750].
+
+ Since requests to the client configuration endpoint result in the
+ transmission of clear-text credentials (in the HTTP request and
+ response), the authorization server MUST require the use of a
+ transport-layer security mechanism when sending requests to the
+ endpoint. The server MUST support TLS 1.2 [RFC5246] and MAY support
+ additional transport-layer security mechanisms meeting its security
+ requirements. When using TLS, the client MUST perform a TLS/SSL
+ server certificate check, per RFC 6125 [RFC6125]. Implementation
+ security considerations can be found in Recommendations for Secure
+ Use of TLS and DTLS [BCP195].
+
+ Since possession of the registration access token authorizes the
+ holder to potentially read, modify, or delete a client's registration
+ (including its credentials such as a client_secret), the registration
+ access token MUST contain sufficient entropy to prevent a random
+ guessing attack of this token, such as described in Section 5.2 of
+ [RFC6750] and Section 5.1.4.2.2 of [RFC6819].
+
+ If a client is deprovisioned from a server, any outstanding
+ registration access token for that client MUST be invalidated at the
+ same time. Otherwise, this can lead to an inconsistent state wherein
+ a client could make requests to the client configuration endpoint
+ where the authentication would succeed but the action would fail
+ because the client is no longer valid. The authorization server MUST
+ treat all such requests as if the registration access token was
+ invalid by returning an HTTP 401 Unauthorized error, as described.
+
+
+
+
+
+Richer, et al. Experimental [Page 12]
+
+RFC 7592 OAuth 2.0 Dynamic Registration Management July 2015
+
+
+6. Privacy Considerations
+
+ This specification poses no additional privacy considerations beyond
+ those described in the core "OAuth 2.0 Dynamic Client Registration
+ Protocol" [RFC7591].
+
+7. Normative References
+
+ [BCP195] Sheffer, Y., Holz, R., and P. Saint-Andre,
+ "Recommendations for Secure Use of Transport Layer
+ Security (TLS) and Datagram Transport Layer Security
+ (DTLS)", BCP 195, RFC 7525, May 2015,
+ <http://www.rfc-editor.org/info/bcp195>.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <http://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
+ (TLS) Protocol Version 1.2", RFC 5246,
+ DOI 10.17487/RFC5246, August 2008,
+ <http://www.rfc-editor.org/info/rfc5246>.
+
+ [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
+ Verification of Domain-Based Application Service Identity
+ within Internet Public Key Infrastructure Using X.509
+ (PKIX) Certificates in the Context of Transport Layer
+ Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March
+ 2011, <http://www.rfc-editor.org/info/rfc6125>.
+
+ [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
+ RFC 6749, DOI 10.17487/RFC6749, October 2012,
+ <http://www.rfc-editor.org/info/rfc6749>.
+
+ [RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization
+ Framework: Bearer Token Usage", RFC 6750,
+ DOI 10.17487/RFC6750, October 2012,
+ <http://www.rfc-editor.org/info/rfc6750>.
+
+ [RFC6819] Lodderstedt, T., Ed., McGloin, M., and P. Hunt, "OAuth 2.0
+ Threat Model and Security Considerations", RFC 6819,
+ DOI 10.17487/RFC6819, January 2013,
+ <http://www.rfc-editor.org/info/rfc6819>.
+
+ [RFC7159] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
+ Interchange Format", RFC 7159, DOI 10.17487/RFC7159, March
+ 2014, <http://www.rfc-editor.org/info/rfc7159>.
+
+
+
+Richer, et al. Experimental [Page 13]
+
+RFC 7592 OAuth 2.0 Dynamic Registration Management July 2015
+
+
+ [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
+ Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
+ DOI 10.17487/RFC7231, June 2014,
+ <http://www.rfc-editor.org/info/rfc7231>.
+
+ [RFC7591] Richer, J., Ed., Jones, M., Bradley, J., Machulak, M., and
+ P. Hunt, "OAuth 2.0 Dynamic Client Registration Protocol",
+ RFC 7591, DOI 10.17487/RFC7591, July 2015,
+ <http://www.rfc-editor.org/info/rfc7591>.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richer, et al. Experimental [Page 14]
+
+RFC 7592 OAuth 2.0 Dynamic Registration Management July 2015
+
+
+Appendix A. Registration Tokens and Client Credentials
+
+ Throughout the course of the dynamic registration protocol, there are
+ three different classes of credentials in play, each with different
+ properties and targets.
+
+ o The initial access token is optionally used by the client or
+ developer at the registration endpoint. This is an OAuth 2.0
+ token that is used to authorize the initial client registration
+ request. The content, structure, generation, and validation of
+ this token are out of scope for this specification. The
+ authorization server can use this token to verify that the
+ presenter is allowed to dynamically register new clients. This
+ token may be shared among multiple instances of a client to allow
+ them to each register separately, thereby letting the
+ authorization server use this token to tie multiple instances of
+ registered clients (each with their own distinct client
+ identifier) back to the party to whom the initial access token was
+ issued, usually an application developer. This token is usually
+ intended to be used only at the client registration endpoint.
+
+ o The registration access token is used by the client or developer
+ at the client configuration endpoint and represents the holder's
+ authorization to manage the registration of a client. This is an
+ OAuth 2.0 Bearer Token that is issued from the client registration
+ endpoint in response to a client registration request and is
+ returned in a client information response. The registration
+ access token is uniquely bound to the client identifier and is
+ required to be presented with all calls to the client
+ configuration endpoint. The registration access token should be
+ protected as described in [RFC6750] and should not be shared
+ between instances of a client. If a registration access token is
+ shared between client instances, one instance could change or
+ delete registration values for all other instances of the client.
+ The registration access token can be rotated through the use of
+ the client read or update method on the client configuration
+ endpoint. The registration access token is intended to be used
+ only at the client configuration endpoint.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richer, et al. Experimental [Page 15]
+
+RFC 7592 OAuth 2.0 Dynamic Registration Management July 2015
+
+
+ o The client credentials (such as "client_secret") are optional
+ depending on the type of client and are used to retrieve OAuth
+ tokens. Client credentials are most often bound to particular
+ instances of a client and should not be shared between instances.
+ Note that since not all types of clients have client credentials,
+ they cannot be used to manage client registrations at the client
+ configuration endpoint. The client credentials can be rotated
+ through the use of the client read or update method on the client
+ configuration endpoint. The client credentials are intended to be
+ used only at the token endpoint.
+
+A.1. Credential Rotation
+
+ The authorization server may be configured to issue new registration
+ access tokens and/or client credentials (such as a "client_secret")
+ throughout the lifetime of the client. This may help minimize the
+ impact of exposed credentials. The authorization server conveys new
+ registration access tokens and client credentials (if applicable) to
+ the client in the client information response of either a read or
+ update request to the client configuration endpoint. The client's
+ current registration access token and client credentials (if
+ applicable) MUST be included in the client information response.
+
+ The registration access token SHOULD be rotated only in response to a
+ read or update request to the client configuration endpoint. At this
+ point, the new registration access token is returned to the client,
+ the old registration access token MUST be discarded by the client,
+ and it SHOULD be discarded by the server, if possible. If, instead,
+ the registration access token were to expire or be invalidated
+ outside of such requests, the client or developer might be locked out
+ of managing the client's configuration.
+
+ Note that the authorization server decides the frequency of the
+ credential rotation and not the client. Methods by which the client
+ can request credential rotation are outside the scope of this
+ document.
+
+Appendix B. Forming the Client Configuration Endpoint URL
+
+ The authorization server MUST provide the client with the fully
+ qualified URL in the "registration_client_uri" element of the Client
+ Information Response, as specified in Section 3. The authorization
+ server MUST NOT expect the client to construct or discover this URL
+ on its own. The client MUST use the URL as given by the server and
+ MUST NOT construct this URL from component pieces.
+
+
+
+
+
+
+Richer, et al. Experimental [Page 16]
+
+RFC 7592 OAuth 2.0 Dynamic Registration Management July 2015
+
+
+ Depending on deployment characteristics, the client configuration
+ endpoint URL may take any number of forms. It is RECOMMENDED that
+ this endpoint URL be formed through the use of a server-constructed
+ URL string that combines the client registration endpoint's URL and
+ the issued "client_id" for this client, with the latter as either a
+ path parameter or a query parameter. For example, a client with the
+ client identifier "s6BhdRkqt3" could be given a client configuration
+ endpoint URL of "https://server.example.com/register/s6BhdRkqt3"
+ (path parameter) or of "https://server.example.com/
+ register?client_id=s6BhdRkqt3" (query parameter). In both of these
+ cases, the client simply uses the URL as given by the authorization
+ server.
+
+ These common patterns can help the server to more easily determine
+ the client to which the request pertains, which MUST be matched
+ against the client to which the registration access token was issued.
+ If desired, the server MAY simply return the client registration
+ endpoint URL as the client configuration endpoint URL and change
+ behavior based on the authentication context provided by the
+ registration access token.
+
+Acknowledgments
+
+ The authors thank the OAuth Working Group, the User-Managed Access
+ Working Group, and the OpenID Connect Working Group participants for
+ their input to this document. In particular, the following
+ individuals have been instrumental in their review and contribution
+ to various draft versions of this document: Amanda Anganes, Derek
+ Atkins, Tim Bray, Domenico Catalano, Donald Coffin, Vladimir
+ Dzhuvinov, George Fletcher, Thomas Hardjono, Phil Hunt, William Kim,
+ Torsten Lodderstedt, Eve Maler, Josh Mandel, Nov Matake, Tony
+ Nadalin, Nat Sakimura, Christian Scholz, and Hannes Tschofenig.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richer, et al. Experimental [Page 17]
+
+RFC 7592 OAuth 2.0 Dynamic Registration Management July 2015
+
+
+Authors' Addresses
+
+ Justin Richer (editor)
+
+ Email: ietf@justin.richer.org
+
+
+ Michael B. Jones
+ Microsoft
+
+ Email: mbj@microsoft.com
+ URI: http://self-issued.info/
+
+
+ John Bradley
+ Ping Identity
+
+ Email: ve7jtb@ve7jtb.com
+
+
+ Maciej Machulak
+ Newcastle University
+
+ Email: maciej.machulak@gmail.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Richer, et al. Experimental [Page 18]
+