Justin,

In addition to instance_name and instance_description, I think we need a collision-resistant instance_id which can be cryptographically linked to the instance so that it can actually be authenticated, in a similar manner to what we do with the self-issued IdP in OpenID Connect.

My proposal is to create a public-private key pair at install time and use the sha256 of the public key as the instance_id.

Note: If the client is going to talk to multiple entities, the instance_id would have some privacy impact. We may need to generate the keypair for each entity that the client talks to.

-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
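A sketch of the proposal in the message above, added here as an example and not code from the thread or from any OAuth or OpenID specification: a client derives instance_id from a per-entity public key and proves possession by signing a challenge, and the receiver checks both. Ed25519, the base64url encoding of the hash, the challenge-response step, and the names `Client`, `Prove`, `InstanceID` and `Verify` are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Client keeps one key pair per entity it talks to, so instance_ids are unlinkable.
type Client struct{ keys map[string]ed25519.PrivateKey }
func NewClient() *Client { return &Client{keys: map[string]ed25519.PrivateKey{}} }

// Prove returns instance_id, public key and a signature over the entity's challenge.
func (c *Client) Prove(entity string, challenge []byte) (string, ed25519.PublicKey, []byte, error) {
	priv, ok := c.keys[entity]
	if !ok { // first contact with this entity: generate its dedicated key pair
		var err error
		if _, priv, err = ed25519.GenerateKey(rand.Reader); err != nil {
			return "", nil, nil, err
		}
		c.keys[entity] = priv
	}
	pub := priv.Public().(ed25519.PublicKey)
	return InstanceID(pub), pub, ed25519.Sign(priv, challenge), nil
}

// InstanceID is base64url(SHA-256(raw public key)); the encoding is an assumption.
func InstanceID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// Verify (receiver side): the key must hash to instance_id and sign the challenge.
func Verify(instanceID string, pub ed25519.PublicKey, challenge, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || InstanceID(pub) != instanceID {
		return false // wrong-length key (Verify would panic) or key not bound to this id
	}
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	nonce := []byte("constructed-nonce") // constructed sample challenge
	id, pub, sig, err := NewClient().Prove("https://as.example", nonce)
	if err != nil {
		panic(err)
	}
	fmt.Println(id, Verify(id, pub, nonce, sig))
}
```

The receiver must choose a fresh challenge per authentication; a signature over an old challenge fails `Verify` against a new one.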
