[Openid-specs-ab] Interactive Client registration

John Bradley ve7jtb at ve7jtb.com
Fri Mar 7 15:53:44 UTC 2014


This is a new idea put forward by Google to fit their data model.

For native applications needing to register at multiple AS the advantage of this approach is that it prevents denial of service attacks caused by registering huge numbers of clients via a bot.

The other approach being considered is using stateless clientID so that there is little cost to making ones that are not used. 

For clients that don't know what AS they need to register with until deployment time this problem needs to be addressed.

The current dynamic registration spec works, but some IdPs are concerned about denial of service and want a mitigation.

(Stateless is where the client id contains the info for the client's redirect_uri and other parameters directly in a signed JWT.)

One possible solution is to issue stateless client_ids, and then the first time they are used they can be converted into regular by-reference client_ids and linked to the user's account.

This is being discussed in the OAUTH WG as it has broader impact than just Connect.

John B.

On Feb 11, 2014, at 10:11 AM, Pedro Felix <pmhsfelix at gmail.com> wrote:

> Hi all,
> 
> I've just seen the Spec call notes "10-Feb-14" and was very interested in the "Interactive Client Registration" part, namely binding a dynamically registered client to an authenticated user.
> I see this feature as particularly interesting in mobile scenarios, in order to have per-installation clients bound to the owning users.
> 
> Is there any prior work on this subject?
> 
> Thanks
> Pedro

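The stateless client_id and first-use conversion described in the message above, sketched as an added example that is not part of the original email or of any OpenID/OAuth specification text. It assumes an HS256-signed JWT with a key held only by the AS; the function names, metadata layout and in-memory table are hypothetical.

```python
import base64, hashlib, hmac, json, secrets

AS_KEY = b"constructed-demo-key"   # assumption: HMAC secret known only to the AS
REGISTERED = {}                    # by-reference clients: client_id -> record

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_stateless_client_id(metadata: dict) -> str:
    """Registration: sign the metadata and hand it back as the client_id.
    Nothing is stored, so bot-driven mass registration costs the AS no state."""
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(metadata, sort_keys=True).encode())
    sig = hmac.new(AS_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64e(sig)}"

def read_stateless_client_id(client_id: str) -> dict:
    """Authorization request: accept the metadata only if the AS signed it."""
    try:
        header, body, sig = client_id.split(".")
        if json.loads(b64d(header)).get("alg") != "HS256":
            raise ValueError("unexpected alg")  # never trust the token's own alg
        expected = hmac.new(AS_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig)):
            raise ValueError("bad signature")
        return json.loads(b64d(body))
    except (ValueError, TypeError, AttributeError) as exc:
        raise ValueError(f"invalid client_id: {exc}") from None

def convert_on_first_use(client_id: str, redirect_uri: str, user: str) -> str:
    """Called after the user has authenticated: check the redirect_uri against
    the signed metadata, then create a stored client linked to that user."""
    meta = read_stateless_client_id(client_id)
    if redirect_uri not in meta.get("redirect_uris", []):
        raise ValueError("redirect_uri not in signed metadata")
    ref_id = secrets.token_urlsafe(16)
    REGISTERED[ref_id] = {"metadata": meta, "owner": user}
    return ref_id
```

State is created only in `convert_on_first_use`, that is, behind user authentication, which is what ties the stored client to an account and keeps unauthenticated registrations free for the AS.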