[Openid-specs-ab] Dynamic client registration and software statements

George Fletcher gffletch at aol.com
Wed Jan 9 16:22:49 UTC 2019


Since the OIDC dynamic client registration specs were published before 
the RFCs for OAuth2, there is no mention of the use of 
software_statements. However, the OIDC flows allow for use of additional 
parameters. What's not clear to me is how an implementation can be 
certified for OIDC DCR if it requires software statements.

Also, if the client is going to be a mobile app client and generate a 
private key locally on the device (or via trusted hardware) it seems 
that it MUST use the 'jwks' parameter and NOT the 'jwks_uri' parameter. 
However, the use of the 'jwks' parameter is kind of discouraged by the 
spec language saying that 'jwks_uri' should be used if possible due to 
"key rotation not supported" with the 'jwks' parameter.

All this leads to a couple of questions...

1. Are there any best practice recommendations around OIDC dynamic client 
registration? I'm specifically interested in experience where the mobile 
app is using a private key generated on the device and/or use of 
software_statements with OIDC.

2. Why can't the application (once it's registered its public key) 
update its configuration with a new public key, thus supporting key 
rotation? It should be able to sign any such update with its existing 
private key, thus making the request secure.

