Ben,

I don't think there's an axiomatic answer here... "software_statement_uri"
is not defined by RFC 7591 or OIDC Dynamic Client Registration. A URI
introduces fetch-time risks: e.g. SSRF, redirects, DNS tricks, stale
caches. But your app could obtain the current signed SSA from your own
backend so you can rotate keys or perhaps require platform attestation such
as Android Play Integrity before handing one out.

- Mike Schwartz

--------------------------------------
Michael Schwartz
Gluu
Founder/CEO
[email protected]
https://www.linkedin.com/in/nynymike


>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 27 Jun 2026 21:36:02 +0000
> From: Ben van Hartingsveldt | Yocto <[email protected]>
> Subject: [OAUTH-WG] Getting software statements
> To: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
>
> Hello all,
>
> Recently I started investigating in developing Android apps (so public
> clients) for my products. I use Dynamic Client Registration (DCR) and
> want to use Software Statement Assertion (SSA) too. Now I am wondering
> if I should hardcode my software statement in the app, or that I should
> host the software statement on a HTTPS location I own. With the first
> option, I may not be able to resign the software statement with a new
> private key if I have to; with the last option, I have no standardized
> way to get the software statement. Is there some plan to make it
> possible to discover software statements by `software_id` and
> `software_version` in combination with some .well-known or DNS
> mechanism? And am I doing things right in the first place?
>
> Thanks in advance
>
> Ben
>
>
>

-- 





*CONFIDENTIALITY NOTICE*

This message may contain confidential or 
legally privileged information.
If you are not the intended recipient, 
please immediately advise the sender by reply e-mail that you received this 
message, and delete this e-mail from your system.
Thank you for your 
cooperation
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to