[Openid-specs-ab] Dynamic client registration and software statements
gffletch at aol.com
Wed Jan 9 16:22:49 UTC 2019
Since the OIDC dynamic client registration specs were published before
the RFCs for OAuth2, there is no mention of the use of
software_statements. However, the OIDC flows allow for use of additional
parameters. What's not clear to me is how an implementation can be
certified for OIDC DCR if it requires software statements.
Also, if the client is going to be a mobile app client and generate a
private key locally on the device (or via trusted hardware) it seems
that it MUST use the 'jwks' parameter and NOT the 'jwks_uri' parameter.
However, the use of the 'jwks' parameter is kind of discouraged by the
spec language saying that 'jwks_uri' should be used if possible due to
"key rotation not supported" with the 'jwks' parameter.
All this leads to a couple of questions...
1. Is there any best practice recommendations around OIDC dynamic client
registration. I'm specifically interested in experience where the mobile
app is using a private key generated on the device and/or use of
software_statements with OIDC.
2. Why can't the application (once it's registered its public key)
update its configuration with a new public key, thus supporting key
rotation? It should be able to sign any such update with its existing
private key, thus making the request secure.
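The flow proposed in question 2, as an added example that is not part of the original post or of any OIDC implementation: a client registers a device-generated P-256 key through the `jwks` parameter, later submits a new key inside a compact JWS signed with the key currently on file, and the server installs the new key only after that signature verifies. The in-memory `Registry`, the `RotateKey` endpoint and the update payload shape are assumptions for illustration; the JWK, JWS and ES256 encodings follow RFC 7517, 7515 and 7518.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// JWK is the subset of an EC public JWK (RFC 7517/7518) needed here.
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	Kid string `json:"kid"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// PublicJWK serialises a P-256 public key as the JWK a mobile client would put in `jwks`.
func PublicJWK(pub *ecdsa.PublicKey, kid string) JWK {
	return JWK{Kty: "EC", Crv: "P-256", Kid: kid,
		X: b64(pub.X.FillBytes(make([]byte, 32))), Y: b64(pub.Y.FillBytes(make([]byte, 32)))}
}

// toPublicKey parses and validates a submitted JWK; off-curve points are rejected server-side.
func (j JWK) toPublicKey() (*ecdsa.PublicKey, error) {
	xb, errX := base64.RawURLEncoding.DecodeString(j.X)
	yb, errY := base64.RawURLEncoding.DecodeString(j.Y)
	if j.Kty != "EC" || j.Crv != "P-256" || errX != nil || errY != nil {
		return nil, errors.New("unsupported or malformed JWK")
	}
	x, y := new(big.Int).SetBytes(xb), new(big.Int).SetBytes(yb)
	if !elliptic.P256().IsOnCurve(x, y) {
		return nil, errors.New("point not on curve")
	}
	return &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, nil
}

// SignES256 builds a compact JWS (RFC 7515) with a raw r||s ES256 signature (RFC 7518 s3.4).
func SignES256(priv *ecdsa.PrivateKey, kid string, payload []byte) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	input := b64(hdr) + "." + b64(payload)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)), nil
}

// Registry is a hypothetical in-memory model of the authorization server's client store.
type Registry struct{ clients map[string]JWK }

// Register is the initial DCR step: the client submits its device-generated public key via `jwks`.
func (r *Registry) Register(clientID string, jwk JWK) error {
	if _, err := jwk.toPublicKey(); err != nil {
		return err
	}
	r.clients[clientID] = jwk
	return nil
}

// RotateKey accepts a configuration update only if the JWS verifies under the key currently
// on file for the client; the header is attacker-controlled, so alg is pinned and kid must match.
func (r *Registry) RotateKey(clientID, jws string) error {
	cur, ok := r.clients[clientID]
	parts := strings.Split(jws, ".")
	if !ok || len(parts) != 3 {
		return errors.New("unknown client or malformed JWS")
	}
	hdrBytes, _ := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "ES256" || hdr.Kid != cur.Kid {
		return errors.New("header rejected: alg must be ES256 and kid must name the registered key")
	}
	pub, err := cur.toPublicKey()
	sig, errSig := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || errSig != nil || len(sig) != 64 {
		return errors.New("bad key or signature encoding")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("signature does not verify under registered key")
	}
	payload, _ := base64.RawURLEncoding.DecodeString(parts[1])
	var upd struct {
		Jwks struct {
			Keys []JWK `json:"keys"`
		} `json:"jwks"`
	}
	if json.Unmarshal(payload, &upd) != nil || len(upd.Jwks.Keys) != 1 {
		return errors.New("update must carry exactly one key")
	}
	return r.Register(clientID, upd.Jwks.Keys[0]) // validates the new key before installing it
}

// Demo walks through register -> rotate -> replay with the retired key (constructed scenario).
func Demo() (rotateErr, staleErr error) {
	reg := &Registry{clients: map[string]JWK{}}
	k1, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	k2, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	k3, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	update := func(j JWK) []byte {
		b, _ := json.Marshal(map[string]interface{}{"jwks": map[string]interface{}{"keys": []JWK{j}}})
		return b
	}
	reg.Register("client-1", PublicJWK(&k1.PublicKey, "k1"))
	jws, _ := SignES256(k1, "k1", update(PublicJWK(&k2.PublicKey, "k2")))
	rotateErr = reg.RotateKey("client-1", jws) // signed by k1, installs k2
	jws2, _ := SignES256(k1, "k1", update(PublicJWK(&k3.PublicKey, "k3")))
	staleErr = reg.RotateKey("client-1", jws2) // k1 is retired, so this must be refused
	return
}

func main() { fmt.Println(Demo()) }
```

The second `RotateKey` call shows the property that makes the scheme safe to offer: once a key has been rotated out, a request signed with it is refused, so a leaked old key cannot be used to re-register itself. Pinning `alg` and checking `kid` against the stored key (rather than trusting the header to select a key) closes the usual JWS verification pitfalls.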