Thanks Phil. This is largely in-line with what I have been looking for since 2011 or so. Instead of "software id", I was using the term "client class id" but that would be more or less equivalent, though I like "client class id" better than "software id" as a piece of software may imply client instance as well.
I further was thinking that "client class id" should be a URI from which the authorization server can pull the "software statement"/"class properties" so that signing it would be optional and it could simply be a plain JSON. That would make it easier to fix the "software statement" bugs and adding more values (e.g. more language support) at a later date. As to the "association" is concerned, it would be really nice if the response includes the link relationship in the response JSON like in http://tools.ietf.org/html/draft-sakimura-oauth-meta . By doing so, the client instance can learn which authorization endpoint and so on that it should use [1]. This would allow the server to assign different endpoints to different client instances for scalability, security, billing and all sorts of other reasons. It would also achieve HATEOAS. As to the relationship with the dynreg draft is concerned, I kind of see dynreg as an API to talk to the software publisher. [1] I think it would be better return the discovery endpoint and have the client figure out where is its authorization endpoint than returning authorization endpoint directly but it can be either way. Cheers, Nat 2013/11/2 Phil Hunt <[email protected]> > I would like to encourage people to read the client association draft > before monday. > http://tools.ietf.org/html/draft-hunt-oauth-client-association-00.txt and > the related > http://tools.ietf.org/html/draft-hunt-oauth-software-statement-00.txt > > Most of the draft just focuses on background and taxonomy. If you are not > interested, focus in on the dynamic association section. I believe you will > find this alternate stateless approach to be very simple to implement and > uses a well established pattern. > > My position is that while the new approach represents a major change to > OIDC implementors, the benefits outweigh the costs as it will make Connect > much easier to support for service providers. > > The key difference in approaches is that the software statement serves as > a way to lock-down registration profiles that allow servers (and their > policy systems) to recognize different types of client software. Note > that nothing about using software statements prevents developers from > self-asserting registration. Those scenarios can continue to work. The > key benefit to service providers and client developers is that the number > of variations for registration options is dramatically reduced. The > registration becomes a simple assertion swap with any allowable per-client > overrides as an exception rather than the norm. > > IOW -- client association places different emphasis on what happens when. > Client association assumes software characteristics are known at packaging > time and does not vary widely (from the client side) other than having to > handle different authentication policies of the various service providers. > > I've already spent more text here explaining the difference than the core > of the draft takes to explain the registration. So please read the draft > before our discussion on monday. > > Phil > > @independentid > www.independentid.com > [email protected] > > > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth > > -- Nat Sakimura (=nat) Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
