Hi Michael,
Thank you for your response. To fix it, I was indeed thinking about a
"software_statement_endpoint" or "software_statement_uri". Then, the
client will use the "software_id" and "software_version" parameter query
parameters on the endpoint and it will return a document
`{"software_statement":"eyJ..."}`, which is a signed software statement
JWT. There can indeed be fetch-time risks, but I think other endpoints
could have those too and I think those can be overcome. My goal is
mainly to standardize the way a software statement is downloaded, if
they are allowed to be public anyway.
Ben
Michael Schwartz schreef op 2026-06-29 19:45:
Ben,
I don't think there's an axiomatic answer here...
"software_statement_uri" is not defined by RFC 7591 or OIDC Dynamic
Client Registration. A URI introduces fetch-time risks: e.g. SSRF,
redirects, DNS tricks, stale caches. But your app could obtain the
current signed SSA from your own backend so you can rotate keys or
perhaps require platform attestation such as Android Play Integrity
before handing one out.
- Mike Schwartz
--------------------------------------
Michael Schwartz
Gluu
Founder/CEO
[email protected]
https://www.linkedin.com/in/nynymike
----------------------------------------------------------------------
Message: 1
Date: Sat, 27 Jun 2026 21:36:02 +0000
From: Ben van Hartingsveldt | Yocto <[email protected]>
Subject: [OAUTH-WG] Getting software statements
To: [email protected]
Message-ID: <[email protected]>
Content-Type: text/plain; charset=US-ASCII; format=flowed
Hello all,
Recently I started investigating in developing Android apps (so
public
clients) for my products. I use Dynamic Client Registration (DCR)
and
want to use Software Statement Assertion (SSA) too. Now I am
wondering
if I should hardcode my software statement in the app, or that I
should
host the software statement on a HTTPS location I own. With the
first
option, I may not be able to resign the software statement with a
new
private key if I have to; with the last option, I have no
standardized
way to get the software statement. Is there some plan to make it
possible to discover software statements by `software_id` and
`software_version` in combination with some .well-known or DNS
mechanism? And am I doing things right in the first place?
Thanks in advance
Ben
-------------------------
CONFIDENTIALITY NOTICE
This message may contain confidential or legally privileged
information.
If you are not the intended recipient, please immediately advise the
sender by reply e-mail that you received this message, and delete this
e-mail from your system.
Thank you for your cooperation
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]