<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Yes, it probably should be separate instances of client software. I don’t know that “of a given piece” adds much to the sentence. <div class=""><br class=""></div><div class="">OAuth 2 allows for non-confidential clients to use the code flow. The client credential is optional. This is not as secure as it would be with a confidential client.</div><div class=""><br class=""></div><div class="">We now have the PKCE extension for OAuth that improves the security for non-confidential clients using code flow, but that has become an RFC only after this profile was created.</div><div class=""><br class=""></div><div class="">This profile is forcing every client instance to dynamically register (3) so that it has its own asymmetric key pair provisioned. </div><div class=""><br class=""></div><div class="">I think that is fine for this profile.</div><div class=""><br class=""></div><div class="">John B.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><div class=""><div><blockquote type="cite" class=""><div class="">On Nov 28, 2015, at 1:34 PM, Eve Maler <<a href="mailto:eve.maler@forgerock.com" class="">eve.maler@forgerock.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">An example could go a long way here. The usual concern is that a mobile application has been assigned client credentials "at the factory", and every copy ("instance") downloaded at the App Store carries the exact same credentials -- that is, it's a kind of clone. 
(I'm writing this without having looked at the phrase in context, so I'm not sure if that's what was meant...)</div><div class="gmail_extra"><br clear="all" class=""><div class=""><div class="gmail_signature"><div dir="ltr" class=""><div class=""><div dir="ltr" class=""><p class=""><b class="">Eve Maler<br class=""></b>ForgeRock Office of the CTO | VP Innovation & Emerging Technology<br class="">Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl<br class="">Join our <a href="http://forgerock.org/openuma/" target="_blank" class="">ForgeRock.org OpenUMA</a> community!</p></div></div></div></div></div>
<br class=""><div class="gmail_quote">On Sat, Nov 28, 2015 at 12:29 AM, Danny van Leeuwen <span dir="ltr" class=""><<a href="mailto:danny@health-hats.com" target="_blank" class="">danny@health-hats.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class=""><div style="margin: 0in; line-height: 21pt;" class=""><a href="http://openid.bitbucket.org/HEART/openid-heart-oauth2.html#rfc.section.2.1.1" target="_blank" class=""><span style="font-weight:bold;font-family:verdana;font-size:14pt" class="">2.1.1.</span></a><span style="font-weight: bold; font-family: verdana; font-size: 14pt;" class=""> </span><a href="http://openid.bitbucket.org/HEART/openid-heart-oauth2.html#FullClient" target="_blank" class=""><span style="font-weight:bold;font-family:verdana;font-size:14pt" class="">Full Client with
User Delegation</span></a></div><p style="margin:0in;font-family:Calibri;font-size:11pt" class=""> </p><div style="margin: 0in; font-family: Calibri; font-size: 9pt; color: rgb(89, 89, 89);" class="">From
<<a href="http://openid.bitbucket.org/HEART/openid-heart-oauth2.html" target="_blank" class="">http://openid.bitbucket.org/HEART/openid-heart-oauth2.html</a>>
</div><div style="margin: 0in; font-family: Calibri; font-size: 11pt;" class="">The authorization
code flow is supported only for confidential clients. Examples of this client
type include web applications and native applications that can store
installation-instance-specific client credentials securely. Client credentials
MUST NOT be shared among <span style="background:yellow" class="">instances</span>
[<span style="font-weight:bold" class="">separate</span> or<span style="font-weight:bold" class=""> discreet </span>instances?] of a given piece of client software.</div><p style="margin:0in;font-family:Calibri;font-size:11pt" class=""> </p><div style="margin: 0in; font-family: Calibri; font-size: 9pt; color: rgb(89, 89, 89);" class="">From
<<a href="http://openid.bitbucket.org/HEART/openid-heart-oauth2.html" target="_blank" class="">http://openid.bitbucket.org/HEART/openid-heart-oauth2.html</a>> </div><span class="HOEnZb"><font color="#888888" class=""><div class=""><br class=""></div>-- <br class=""><div class=""><font color="#330099" class="">Danny van Leeuwen<br class=""><a href="tel:617-304-4681" value="+16173044681" target="_blank" class="">617-304-4681</a><br class=""></font><div class=""><b class=""><font color="#330099" class=""><br class=""></font></b><div class=""><b class=""><font color="#330099" class="">Blog <a href="http://www.health-hats.com/" target="_blank" class="">www.health-hats.com</a> <i class=""><span style="font-size:8pt;font-family:'Arial Black',sans-serif" class="">discovering the magic levers of best health</span></i></font></b></div></div><div class=""><b class=""><font color="#330099" class="">Twitter </font></b><b class=""><font color="#330099" class=""><i class=""><span style="font-size:8pt;font-family:'Arial Black',sans-serif" class="">@healthhats</span></i></font></b></div></div>
</font></span></div>
<br class="">_______________________________________________<br class="">
Openid-specs-heart mailing list<br class="">
<a href="mailto:Openid-specs-heart@lists.openid.net" class="">Openid-specs-heart@lists.openid.net</a><br class="">
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-heart" rel="noreferrer" target="_blank" class="">http://lists.openid.net/mailman/listinfo/openid-specs-heart</a><br class="">
<br class=""></blockquote></div><br class=""></div>
_______________________________________________<br class="">Openid-specs-heart mailing list<br class=""><a href="mailto:Openid-specs-heart@lists.openid.net" class="">Openid-specs-heart@lists.openid.net</a><br class="">http://lists.openid.net/mailman/listinfo/openid-specs-heart<br class=""></div></blockquote></div><br class=""></div></div></body></html>