draft-ietf-oauth-dyn-reg-management-10.txt   draft-ietf-oauth-dyn-reg-management-11.txt 
skipping to change at page 1, line 14 skipping to change at page 1, line 14
Internet-Draft Internet-Draft
Intended status: Experimental M. Jones Intended status: Experimental M. Jones
Expires: September 24, 2015 Microsoft Expires: September 24, 2015 Microsoft
J. Bradley J. Bradley
Ping Identity Ping Identity
M. Machulak M. Machulak
Newcastle University Newcastle University
March 23, 2015 March 23, 2015
OAuth 2.0 Dynamic Client Registration Management Protocol OAuth 2.0 Dynamic Client Registration Management Protocol
draft-ietf-oauth-dyn-reg-management-10 draft-ietf-oauth-dyn-reg-management-11
Abstract Abstract
This specification defines methods for management of dynamic OAuth This specification defines methods for management of dynamic OAuth
2.0 client registrations for use cases in which the properties of a 2.0 client registrations for use cases in which the properties of a
registered client may need to be changed during the lifetime of the registered client may need to be changed during the lifetime of the
client. Not all authorization servers supporting dynamic client client. Not all authorization servers supporting dynamic client
registration will support these management methods. registration will support these management methods.
Status of This Memo Status of This Memo
skipping to change at page 2, line 37 skipping to change at page 2, line 37
B.1. Credential Rotation . . . . . . . . . . . . . . . . . . . 15 B.1. Credential Rotation . . . . . . . . . . . . . . . . . . . 15
Appendix C. Forming the Client Configuration Endpoint URL . . . 15 Appendix C. Forming the Client Configuration Endpoint URL . . . 15
Appendix D. Document History . . . . . . . . . . . . . . . . . . 16 Appendix D. Document History . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17
1. Introduction 1. Introduction
In order for an OAuth 2.0 client to utilize an OAuth 2.0 In order for an OAuth 2.0 client to utilize an OAuth 2.0
authorization server, the client needs specific information to authorization server, the client needs specific information to
interact with the server, including an OAuth 2.0 client identifier to interact with the server, including an OAuth 2.0 client identifier to
use at that server. The OAuth 2.0 Dynamic Client Registration use with that server. The OAuth 2.0 Dynamic Client Registration
Protocol [OAuth.Registration] specification describes how an OAuth Protocol [OAuth.Registration] specification describes how an OAuth
2.0 client can be dynamically registered with an authorization server 2.0 client can be dynamically registered with an authorization server
to obtain this information and how metadata about the client can be to obtain this information and how metadata about the client can be
registered with the server. registered with the server.
This specification extends the core registration specification by This specification extends the core registration specification by
defining a set of methods for management of dynamic OAuth 2.0 client defining a set of methods for management of dynamic OAuth 2.0 client
registrations beyond those defined in the core registration registrations beyond those defined in the core registration
specification. In some situations, the registered metadata of a specification. In some situations, the registered metadata of a
client can change over time, either by modification at the client can change over time, either by modification at the
skipping to change at page 5, line 9 skipping to change at page 5, line 9
(C) The client or developer calls the client registration endpoint (C) The client or developer calls the client registration endpoint
with its desired registration metadata, optionally including the with its desired registration metadata, optionally including the
initial access token from (A) if one is required by the initial access token from (A) if one is required by the
authorization server. authorization server.
(D) The authorization server registers the client and returns: (D) The authorization server registers the client and returns:
* the client's registered metadata, * the client's registered metadata,
* a client identifier that is unique at the server, * a client identifier that is unique to the server,
* a set of client credentials such as a client secret, if * a set of client credentials such as a client secret, if
applicable for this client, applicable for this client,
* a URI pointing to the client configuration endpoint, and * a URI pointing to the client configuration endpoint, and
* a registration access token to be used when calling the client * a registration access token to be used when calling the client
configuration endpoint. configuration endpoint.
(E) The client or developer optionally calls the client (E) The client or developer optionally calls the client
skipping to change at page 5, line 33 skipping to change at page 5, line 33
(F) The authorization server responds with the client's current (F) The authorization server responds with the client's current
configuration, potentially including a new registration access configuration, potentially including a new registration access
token and a new set of client credentials such as a client secret token and a new set of client credentials such as a client secret
if applicable for this client. If a new registration access token if applicable for this client. If a new registration access token
is issued, it replaces the token issued in (D) for all subsequent is issued, it replaces the token issued in (D) for all subsequent
calls to the client configuration endpoint. calls to the client configuration endpoint.
(G) The client or developer optionally calls the client (G) The client or developer optionally calls the client
configuration endpoint with a delete request using the configuration endpoint with a delete request using the
registration access token issued in (D). registration access token issued in (D) or (F).
(H) The authorization server deprovisions the client and responds (H) The authorization server deprovisions the client and responds
with a confirmation that the deletion has taken place. with a confirmation that the deletion has taken place.
2. Client Configuration Endpoint 2. Client Configuration Endpoint
The client configuration endpoint is an OAuth 2.0 protected resource The client configuration endpoint is an OAuth 2.0 protected resource
that is provisioned by the server to facilitate viewing, updating, that is provisioned by the server to facilitate viewing, updating,
and deleting a client's registered information. The location of this and deleting a client's registered information. The location of this
endpoint is communicated to the client through the endpoint is communicated to the client through the
skipping to change at page 6, line 50 skipping to change at page 6, line 50
If the client does not exist on this server, the server MUST respond If the client does not exist on this server, the server MUST respond
with HTTP 401 Unauthorized and the registration access token used to with HTTP 401 Unauthorized and the registration access token used to
make this request SHOULD be immediately revoked. make this request SHOULD be immediately revoked.
If the client does not have permission to read its record, the server If the client does not have permission to read its record, the server
MUST return an HTTP 403 Forbidden. MUST return an HTTP 403 Forbidden.
2.2. Client Update Request 2.2. Client Update Request
This operation updates a previously-registered client with new To update previously-registered client's registration with an
metadata at the authorization server. This request is authenticated authorization server, the client makes an HTTP PUT request to the
by the registration access token issued to the client. client configuration endpoint with a content type of "application/
json". The HTTP entity payload is a JSON [RFC7159] document
The client sends an HTTP PUT to the client configuration endpoint consisting of a JSON object and all parameters as top-level members
with a content type of "application/json". The HTTP entity payload of that JSON object. This request is authenticated by the
is a JSON [RFC7159] document consisting of a JSON object and all registration access token issued to the client.
parameters as top- level members of that JSON object.
This request MUST include all client metadata fields as returned to This request MUST include all client metadata fields as returned to
the client from a previous registration, read, or update operation. the client from a previous registration, read, or update operation.
The client MUST NOT include the "registration_access_token", The updated client metadata fields request MUST NOT include the
"registration_client_uri", "client_secret_expires_at", or "registration_access_token", "registration_client_uri",
"client_id_issued_at" fields described in Section 3. "client_secret_expires_at", or "client_id_issued_at" fields described
in Section 3.
Valid values of client metadata fields in this request MUST replace, Valid values of client metadata fields in this request MUST replace,
not augment, the values previously associated with this client. not augment, the values previously associated with this client.
Omitted fields MUST be treated as null or empty values by the server, Omitted fields MUST be treated as null or empty values by the server,
indicating the client's request to delete them from the client's indicating the client's request to delete them from the client's
registration. The authorization server MAY ignore any null or empty registration. The authorization server MAY ignore any null or empty
value in the request just as any other value. value in the request just as any other value.
The client MUST include its "client_id" field in the request, and it The client MUST include its "client_id" field in the request, and it
MUST be the same as its currently-issued client identifier. If the MUST be the same as its currently-issued client identifier. If the
skipping to change at page 12, line 45 skipping to change at page 12, line 45
Since the client configuration endpoint is an OAuth 2.0 protected Since the client configuration endpoint is an OAuth 2.0 protected
resource, it SHOULD have some rate limiting on failures to prevent resource, it SHOULD have some rate limiting on failures to prevent
the registration access token from being disclosed though repeated the registration access token from being disclosed though repeated
access attempts. access attempts.
If a client is deprovisioned from a server, any outstanding If a client is deprovisioned from a server, any outstanding
registration access token for that client MUST be invalidated at the registration access token for that client MUST be invalidated at the
same time. Otherwise, this can lead to an inconsistent state wherein same time. Otherwise, this can lead to an inconsistent state wherein
a client could make requests to the client configuration endpoint a client could make requests to the client configuration endpoint
where the authentication would succeed but the action would fail where the authentication would succeed but the action would fail
because the client is no longer valid. To prevent accidental because the client is no longer valid. The authorization server MUST
disclosure from such an erroneous situation, the authorization server treat all such requests as if the registration access token was
MUST treat all such requests as if the registration access token was invalid by returning an HTTP 401 Unauthorized error, as described.
invalid (by returning an HTTP 401 Unauthorized error, as described).
6. Privacy Considerations 6. Privacy Considerations
This specification poses no additional privacy considerations beyond This specification poses no additional privacy considerations beyond
those described in the core OAuth 2.0 Dynamic Client Registration those described in the core OAuth 2.0 Dynamic Client Registration
[OAuth.Registration] specification. [OAuth.Registration] specification.
7. Normative References 7. Normative References
[OAuth.Registration] [OAuth.Registration]
skipping to change at page 15, line 15 skipping to change at page 15, line 15
Note that since not all types of clients have client credentials, Note that since not all types of clients have client credentials,
they cannot be used to manage client registrations at the client they cannot be used to manage client registrations at the client
configuration endpoint. The client credentials can be rotated configuration endpoint. The client credentials can be rotated
through the use of the client read or update method on the client through the use of the client read or update method on the client
configuration endpoint. The client credentials are intended to be configuration endpoint. The client credentials are intended to be
used only at the token endpoint. used only at the token endpoint.
B.1. Credential Rotation B.1. Credential Rotation
The authorization server may be configured to issue new registration The authorization server may be configured to issue new registration
access token and/or client credentials (such as a "client_secret") access tokens and/or client credentials (such as a "client_secret")
throughout the lifetime of the client. This map help minimize the throughout the lifetime of the client. This may help minimize the
impact of exposed credentials. The authorization server conveys new impact of exposed credentials. The authorization server conveys new
registration access tokens and client credentials (if applicable) to registration access tokens and client credentials (if applicable) to
the client in the client information response of either a read or the client in the client information response of either a read or
update request to the client configuration endpoint. The client's update request to the client configuration endpoint. The client's
current registration access token and client credentials (if current registration access token and client credentials (if
applicable) MUST be included in the client information response. applicable) MUST be included in the client information response.
The registration access token SHOULD be rotated only in response to a The registration access token SHOULD be rotated only in response to a
read or update request to the client configuration endpoint, at which read or update request to the client configuration endpoint, at which
point the new registration access token is returned to the client and point the new registration access token is returned to the client and
skipping to change at page 16, line 23 skipping to change at page 16, line 23
against the client to which the registration access token was issued. against the client to which the registration access token was issued.
If desired, the server MAY simply return the client registration If desired, the server MAY simply return the client registration
endpoint URL as the client configuration endpoint URL and change endpoint URL as the client configuration endpoint URL and change
behavior based on the authentication context provided by the behavior based on the authentication context provided by the
registration access token. registration access token.
Appendix D. Document History Appendix D. Document History
[[ to be removed by the RFC editor before publication as an RFC ]] [[ to be removed by the RFC editor before publication as an RFC ]]
-11
o Fixed a series of nits from Peter Yee's Gen-ART review.
-10 -10
o Updated author information. o Updated author information.
o Updated TLS information, imported from Dynamic Registration core. o Updated TLS information, imported from Dynamic Registration core.
o Expanded introduction. o Expanded introduction.
o Reformatted diagram text. o Reformatted diagram text.
 End of changes. 9 change blocks. 
21 lines changed or deleted 24 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/