Ben, I don't think there's an axiomatic answer here... "software_statement_uri" is not defined by RFC 7591 or OIDC Dynamic Client Registration. A URI introduces fetch-time risks: e.g. SSRF, redirects, DNS tricks, stale caches. But your app could obtain the current signed SSA from your own backend so you can rotate keys or perhaps require platform attestation such as Android Play Integrity before handing one out.
- Mike Schwartz -------------------------------------- Michael Schwartz Gluu Founder/CEO [email protected] https://www.linkedin.com/in/nynymike > > ---------------------------------------------------------------------- > > Message: 1 > Date: Sat, 27 Jun 2026 21:36:02 +0000 > From: Ben van Hartingsveldt | Yocto <[email protected]> > Subject: [OAUTH-WG] Getting software statements > To: [email protected] > Message-ID: <[email protected]> > Content-Type: text/plain; charset=US-ASCII; format=flowed > > Hello all, > > Recently I started investigating in developing Android apps (so public > clients) for my products. I use Dynamic Client Registration (DCR) and > want to use Software Statement Assertion (SSA) too. Now I am wondering > if I should hardcode my software statement in the app, or that I should > host the software statement on a HTTPS location I own. With the first > option, I may not be able to resign the software statement with a new > private key if I have to; with the last option, I have no standardized > way to get the software statement. Is there some plan to make it > possible to discover software statements by `software_id` and > `software_version` in combination with some .well-known or DNS > mechanism? And am I doing things right in the first place? > > Thanks in advance > > Ben > > > -- *CONFIDENTIALITY NOTICE* This message may contain confidential or legally privileged information. If you are not the intended recipient, please immediately advise the sender by reply e-mail that you received this message, and delete this e-mail from your system. Thank you for your cooperation
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
