[OpenID] Does Application Type correspond to Client Type?

Takahiko Kawasaki daru.tk at gmail.com
Sat May 10 01:29:58 UTC 2014


Hello,

I'm wondering whether this is the right place to ask my question.
If not, please tell me so.

I posted a question to StackOverflow, but no answer yet.

  http://stackoverflow.com/q/23557801/1174054

My question is "Does Application Type (OpenID Connect) correspond to
Client Type (OAuth 2.0)?" Could anyone give me an answer please?
Below are the details of the question.

"OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata"
has an entry named application_type, whose defined values are
'native' and 'web'.

  --- Excerpt from OpenID Connect Dynamic Client Registration ------
  application_type
    OPTIONAL. Kind of the application. The default, if omitted, is
    web. The defined values are native or web. Web Clients using the
    OAuth Implicit Grant Type MUST only register URLs using the
    https scheme as redirect_uris; they MUST NOT use localhost as
    the hostname. Native Clients MUST only register redirect_uris
    using custom URI schemes or URLs using the http: scheme with
    localhost as the hostname. Authorization Servers MAY place
    additional constraints on Native Clients. Authorization Servers
    MAY reject Redirection URI values using the http scheme, other
    than the localhost case for Native Clients. The Authorization
    Server MUST verify that all the registered redirect_uris conform
    to these constraints. This prevents sharing a Client ID across
    different types of Clients.
  ------------------------------------------------------------------

Do these defined values correspond to 'public' and 'confidential'
described in "RFC 6749 (OAuth 2.0), 2.1. Client Types"?

  --- Excerpt from RFC 6749 (OAuth 2.0) ----------------------------
  OAuth defines two client types, based on their ability to
  authenticate securely with the authorization server (i.e., ability
  to maintain the confidentiality of their client credentials):

    confidential
      Clients capable of maintaining the confidentiality of their
      credentials (e.g., client implemented on a secure server with
      restricted access to the client credentials), or capable of
      secure client authentication using other means.

    public
      Clients incapable of maintaining the confidentiality of their
      credentials (e.g., clients executing on the device used by the
      resource owner, such as an installed native application or a
      web browser-based application), and incapable of secure client
      authentication via any other means.
  ------------------------------------------------------------------

If not, why doesn't the specification (OpenID Connect Dynamic Client
Registration 1.0) have an entry to specify a client type? Is there
any way to specify a client type (public or confidential) at the
client registration endpoint?


--
Best Regards,
Takahiko Kawasaki
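The excerpt quoted above obliges the Authorization Server to verify that every registered redirect_uri conforms to the application_type constraints, which is the only thing application_type governs (client authentication is negotiated separately through token_endpoint_auth_method in the same specification). As an added example, not part of the original post or of any OpenID Foundation code, here is a small Python validator that encodes those rules as written. The function name, the reject_plain_http option (which models the "MAY reject Redirection URI values using the http scheme" clause) and the sample URIs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the spec text names only "localhost"; loopback IP literals
# are deliberately not treated as localhost here.
LOCALHOST_NAMES = {"localhost"}


def _is_localhost(parsed):
    return (parsed.hostname or "").lower() in LOCALHOST_NAMES


def validate_redirect_uris(redirect_uris, application_type=None,
                           grant_types=(), reject_plain_http=False):
    """Check a registration request's redirect_uris against application_type.

    Returns a list of rejection reasons; an empty list means the request
    satisfies the MUST clauses quoted from OpenID Connect Dynamic Client
    Registration 1.0, section 2.  reject_plain_http additionally enforces
    the optional MAY clause (refuse http except for native localhost).
    """
    app_type = application_type or "web"      # default when omitted is web
    if app_type not in ("web", "native"):
        return ["unknown application_type: %r" % (app_type,)]
    if not redirect_uris:
        return ["redirect_uris must not be empty"]

    problems = []
    for uri in redirect_uris:
        parsed = urlsplit(uri)
        scheme = parsed.scheme.lower()
        if not scheme:
            problems.append("%s: missing URI scheme" % uri)
            continue

        if app_type == "native":
            # Native: custom scheme, or http with localhost as the hostname.
            custom_scheme = scheme not in ("http", "https")
            http_localhost = scheme == "http" and _is_localhost(parsed)
            if not (custom_scheme or http_localhost):
                problems.append(
                    "%s: native clients may only register custom-scheme URIs "
                    "or http URLs with hostname localhost" % uri)
            continue

        # Web client.  The MUST clauses only bind web clients that use the
        # implicit grant; other web clients are unconstrained by this text.
        if "implicit" in grant_types:
            if scheme != "https":
                problems.append(
                    "%s: web clients using the implicit grant must use https" % uri)
            elif _is_localhost(parsed):
                problems.append(
                    "%s: web clients using the implicit grant must not use "
                    "localhost" % uri)
        if reject_plain_http and scheme == "http":
            problems.append(
                "%s: this server rejects http redirect URIs for web clients" % uri)
    return problems


if __name__ == "__main__":
    # Constructed sample registrations, not taken from any real deployment.
    samples = [
        ("web", ("implicit",), ["https://app.example.com/cb"]),
        ("web", ("implicit",), ["http://app.example.com/cb"]),
        ("native", (), ["http://localhost:8080/cb", "com.example.app:/cb"]),
        ("native", (), ["https://app.example.com/cb"]),
    ]
    for app_type, grants, uris in samples:
        print(app_type, grants, uris, "->",
              validate_redirect_uris(uris, app_type, grants) or "OK")
```

Note that a web client registering for authorization_code only passes with an http redirect URI unless reject_plain_http is set, because the quoted text makes the https requirement a MUST only for implicit-grant web clients; a server that wants to be stricter exercises the MAY clause through that option.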
