I think it's an interesting idea... I'm just not sure how to tie the
dynamic client registration to a verified user email address. To get a
verified email address, most OAuth2 flows require the client_id to be
already provisioned.
I do agree that from the AS/OP perspective, we don't want to allow
unlimited client registrations. This could be its own form of DoS
attack. I suppose if the client has a verifiable token containing the
user attributes, that could be passed optionally to the dynamic client
registration flow. How the client got the verifiable token could be left
out of scope.
There are probably other ways to protect against abuse and they will
likely be different from OP to OP for a while, until some best practices
are established.
Thanks,
George
On 10/19/12 12:00 PM, Pedro Felix wrote:
And what if the client instance is also connected to some verifiable
user attribute, such as an email?
Is this a bad idea?
Pedro
On Fri, Oct 19, 2012 at 4:24 PM, John Bradley <[email protected]> wrote:
The client instance registration was something that we discussed
and put into the OpenID Connect dynamic client registration but
has not yet been put back into the UMA draft.
http://openid.bitbucket.org/openid-connect-registration-1_0.html
The basic idea is that you can bake an access token into client
code and that client then uses that to get a unique clientID and
secret/register public key.
There was a long discussion about this at an IIW about a year ago.
In some of the native apps projects I am looking at that are not
OpenID Connect related we are looking at doing the same thing to
differentiate instances of clients.
John B.
On 2012-10-19, at 11:47 AM, Pedro Felix <[email protected]> wrote:
Thanks for the response.
I know that this area is work in progress. However, I've looked
into http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-00 and
didn't find much about this subject.
What is the best place to follow this discussion? This mailing list?
Thanks
Pedro
On Thu, Oct 18, 2012 at 5:59 PM, Phil Hunt <[email protected]> wrote:
Pedro,
AFAIK this is still a TODO within the current charter.
Phil
@independentid
www.independentid.com
[email protected]
On 2012-10-18, at 9:06 AM, Pedro Felix wrote:
> Hi,
>
> Where can I find more information about the dynamic
> registration of client application instances?
> The idea is that each installed application instance has a
> different id, eventually related to the "general" application id.
>
> It also would be interesting if this instance id was the
> result of an activation process, where the instance is
> attached to a device or to a user (e.g. confirmed email address).
>
> Thanks
> Pedro
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
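John's message describes baking an access token into the client code so that each installed instance can fetch its own client_id and secret, and George's reply worries about unlimited registrations becoming a DoS vector. The following is an added example, not code from this thread or from the OpenID Connect registration spec: a toy registration endpoint that verifies an HMAC-tagged initial access token (token format, key and the per-token registration cap are all assumptions) and issues per-instance credentials tied back to the "general" software_id.

```python
import hashlib
import hmac
import secrets


class RegistrationServer:
    """Toy AS-side registration endpoint for per-instance client credentials."""

    def __init__(self, key: bytes, max_per_token: int = 3):
        self.key = key                      # assumed: HMAC key private to the AS
        self.max_per_token = max_per_token  # assumed abuse cap per baked-in token
        self.clients = {}                   # client_id -> registered metadata
        self._uses = {}                     # initial token -> registrations so far

    def _tag(self, software_id: str) -> str:
        return hmac.new(self.key, software_id.encode(), hashlib.sha256).hexdigest()

    def issue_initial_token(self, software_id: str) -> str:
        """Token the developer bakes into the client build: '<software_id>.<hmac>'."""
        return f"{software_id}.{self._tag(software_id)}"

    def register(self, authorization: str, metadata: dict) -> tuple[int, dict]:
        """Handle a POST to the registration endpoint; returns (status, JSON body)."""
        if not authorization.startswith("Bearer "):
            return 401, {"error": "invalid_token"}
        token = authorization[len("Bearer "):]
        software_id, _, tag = token.rpartition(".")
        # Constant-time check that the baked-in token was minted by this AS.
        if not software_id or not hmac.compare_digest(tag, self._tag(software_id)):
            return 401, {"error": "invalid_token"}
        # Cap how many instances one baked-in token may register (George's DoS concern).
        if self._uses.get(token, 0) >= self.max_per_token:
            return 429, {"error": "too_many_registrations"}
        client_id = secrets.token_urlsafe(16)
        client_secret = secrets.token_urlsafe(32)
        self.clients[client_id] = {
            "software_id": software_id,  # links the instance to the "general" app id
            "redirect_uris": list(metadata.get("redirect_uris", [])),
            # Store only a digest of the secret, as with any password-like credential.
            "secret_sha256": hashlib.sha256(client_secret.encode()).hexdigest(),
        }
        self._uses[token] = self._uses.get(token, 0) + 1
        return 201, {"client_id": client_id, "client_secret": client_secret,
                     "software_id": software_id}
```

A real deployment would bind the initial token to an expiry and to the software's registered metadata as well; the cap here only illustrates one knob an OP can turn.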