[Openid-specs-ab] Dynamic client registration and software statements

Roland Hedberg roland at catalogix.se
Thu Jan 10 08:27:47 UTC 2019

> On 9 Jan 2019, at 17:22, George Fletcher via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> Hi,
> Since the OIDC dynamic client registration specs were published before the RFCs for OAuth2, there is no mention of the use of software_statements. However, the OIDC flows allow for use of additional parameters. What's not clear to me is how an implementation can be certified for OIDC DCR if it requires software statements.
> Also, if the client is going to be a mobile app client and generate a private key locally on the device (or via trusted hardware) it seems that it MUST use the 'jwks' parameter and NOT the 'jwks_uri' parameter. However, the use of the 'jwks' parameter is kind of discouraged by the spec language saying that 'jwks_uri' should be used if possible due to "key rotation not supported" with the 'jwks' parameter.
> All this leads to a couple of questions...
> 1. Are there any best practice recommendations around OIDC dynamic client registration? I'm specifically interested in experience where the mobile app is using a private key generated on the device and/or use of software_statements with OIDC.
> 2. Why can't the application (once it's registered its public key) update its configuration with a new public key, thus supporting key rotation? It should be able to sign any such update with its existing private key, thus making the request secure.

This is somewhat akin to what we are proposing for key rotation for trust anchors in the OIDC federation draft, so yes, it should be possible.

— Roland
Can anything be sadder than work left unfinished? Yes, work never begun. -Christina Rossetti, poet (5 Dec 1830-1894) 
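Worked example, added to this archive page and not taken from the thread, from any OpenID specification or from any OpenID implementation: the rotation George asks about in question 2 and Roland says should be possible. A client whose key pair was generated on the device registers the public half with the jwks parameter; later it submits an update whose payload carries a new jwks, signed as a JWS with the key already on file, and the server swaps keys only when that signature verifies under the registered key. The JWK and ES256 encodings follow RFC 7517/7518; everything else (the Register/Rotate names, the in-memory AS type, the client_id/jwks claim shape of the update) is assumed for illustration and is not a documented wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var enc = base64.RawURLEncoding

type jwk map[string]string // EC public JWK (RFC 7517/7518), member name -> value

// PubToJWK encodes a P-256 public key as a JWK with fixed 32-byte coordinates.
func PubToJWK(pub *ecdsa.PublicKey, kid string) jwk {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return jwk{"kty": "EC", "crv": "P-256", "kid": kid, "x": enc.EncodeToString(x), "y": enc.EncodeToString(y)}
}

// jwkToPub decodes a JWK and rejects anything that is not a valid P-256 point.
func jwkToPub(k jwk) (*ecdsa.PublicKey, error) {
	x, errX := enc.DecodeString(k["x"])
	y, errY := enc.DecodeString(k["y"])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	if errX != nil || errY != nil || k["kty"] != "EC" || k["crv"] != "P-256" || !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil, fmt.Errorf("unsupported or malformed jwk")
	}
	return pub, nil
}

type AS map[string]jwk // assumed minimal authorization server: the one public JWK on file per client_id

// Register models the initial registration sent with "jwks" (not jwks_uri); the server assigns client_id.
func (a AS) Register(key jwk) string {
	id := fmt.Sprintf("client-%d", len(a)+1)
	a[id] = key
	return id
}

type updateClaims struct { // assumed payload of the self-signed key-rotation request
	ClientID string `json:"client_id"`
	Jwks     struct{ Keys []jwk `json:"keys"` } `json:"jwks"`
}

// SignUpdate (client side) signs an ES256 JWS over the new jwks with the private key whose public half is on file.
func SignUpdate(priv *ecdsa.PrivateKey, oldKid, clientID string, newKey jwk) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": oldKid})
	c := updateClaims{ClientID: clientID}
	c.Jwks.Keys = []jwk{newKey}
	pl, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // raw r||s per RFC 7518
	return input + "." + enc.EncodeToString(sig), nil
}

// Rotate (server side) installs the new key only if the JWS verifies under the key currently on file.
func (a AS) Rotate(clientID, jws string) error {
	parts := strings.Split(jws, ".")
	current, ok := a[clientID]
	if len(parts) != 3 || !ok {
		return fmt.Errorf("malformed jws or unknown client")
	}
	// Algorithm and key come from the registration on file, never from the untrusted JWS header.
	pub, err := jwkToPub(current)
	plBytes, errPl := enc.DecodeString(parts[1])
	sig, errSig := enc.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || errPl != nil || errSig != nil || len(sig) != 64 ||
		!ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return fmt.Errorf("signature does not verify under the registered key")
	}
	var c updateClaims
	if json.Unmarshal(plBytes, &c) != nil || c.ClientID != clientID || len(c.Jwks.Keys) != 1 {
		return fmt.Errorf("payload rejected")
	}
	if _, err := jwkToPub(c.Jwks.Keys[0]); err != nil {
		return err // never install a key the server could not verify with later
	}
	a[clientID] = c.Jwks.Keys[0]
	return nil
}

func main() {
	a := AS{}
	k1, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // generated on the device; the private half never leaves it
	id := a.Register(PubToJWK(&k1.PublicKey, "k1"))
	k2, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	upd, _ := SignUpdate(k1, "k1", id, PubToJWK(&k2.PublicKey, "k2"))
	fmt.Println("rotate signed with k1:", a.Rotate(id, upd), "| kid on file:", a[id]["kid"])
	fmt.Println("replay of the same update:", a.Rotate(id, upd))
}
```

Two design choices carry the security argument. The server picks the verification algorithm and key from the registration it already holds and ignores the JWS header, so a header that names a different alg or kid buys an attacker nothing; and the incoming key is decoded and checked to be a valid P-256 point before it replaces the old one, so a malformed update cannot leave the client unable to authenticate. Once the swap has happened, the old key no longer verifies anything, which is why the replay in main fails. A production update endpoint would additionally want freshness in the payload (an iat window or a jti) and would need to decide whether to keep the previous key for a grace period; the thread does not go into either.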
