idnits 2.17.1
draft-oauth-dyn-reg-v1-00.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** The document seems to lack an IANA Considerations section. (See Section
2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
when there are no actions for IANA.)
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
== The document seems to lack the recommended RFC 2119 boilerplate, even if
it appears to use RFC 2119 keywords.
(The document does seem to have the reference to RFC 2119 which the
ID-Checklist requires).
-- The document date (August 10, 2010) is 5007 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Unused Reference: 'RFC2617' is defined on line 814, but no explicit
reference was found in the text
** Obsolete normative reference: RFC 4627 (ref. 'JSON') (Obsoleted by RFC
7158, RFC 7159)
-- Possible downref: Non-RFC (?) normative reference: ref. 'OAuth-Sig'
** Obsolete normative reference: RFC 2617 (Obsoleted by RFC 7235, RFC 7615,
RFC 7616, RFC 7617)
** Obsolete normative reference: RFC 5785 (Obsoleted by RFC 8615)
Summary: 4 errors (**), 0 flaws (~~), 3 warnings (==), 2 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 Network Working Group C. Scholz, Ed.
3 Internet-Draft COM.lounge GmbH
4 Intended status: Standards Track M. Machulak
5 Expires: February 11, 2011 Newcastle University
6 E. Maler
7 PayPal
8 August 10, 2010
10 OAuth Dynamic Client Registration Protocol
11 draft-oauth-dyn-reg-v1-00.txt
13 Abstract
15 This specification proposes an OAuth Dynamic Client Registration
16 protocol.
18 Status of this Memo
20 This Internet-Draft is submitted in full conformance with the
21 provisions of BCP 78 and BCP 79.
23 Internet-Drafts are working documents of the Internet Engineering
24 Task Force (IETF). Note that other groups may also distribute
25 working documents as Internet-Drafts. The list of current Internet-
26 Drafts is at http://datatracker.ietf.org/drafts/current/.
28 Internet-Drafts are draft documents valid for a maximum of six months
29 and may be updated, replaced, or obsoleted by other documents at any
30 time. It is inappropriate to use Internet-Drafts as reference
31 material or to cite them other than as "work in progress."
33 This Internet-Draft will expire on February 11, 2011.
35 Copyright Notice
37 Copyright (c) 2010 IETF Trust and the persons identified as the
38 document authors. All rights reserved.
40 This document is subject to BCP 78 and the IETF Trust's Legal
41 Provisions Relating to IETF Documents
42 (http://trustee.ietf.org/license-info) in effect on the date of
43 publication of this document. Please review these documents
44 carefully, as they describe your rights and restrictions with respect
45 to this document. Code Components extracted from this document must
46 include Simplified BSD License text as described in Section 4.e of
47 the Trust Legal Provisions and are provided without warranty as
48 described in the Simplified BSD License.
50 Table of Contents
52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
53 1.1. Notational Conventions . . . . . . . . . . . . . . . . . . 3
54 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
55 2. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 4
56 3. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 5
57 3.1. The client needs to be uniquely identifiable by the
58 authorization server . . . . . . . . . . . . . . . . . . . 5
59 3.2. The authorization server must collect metadata about a
60 client for later user interaction . . . . . . . . . . . . 5
61 3.3. The authorization server must have the option of
62 strongly authenticating the client and its metadata . . . 5
63 3.4. Dynamic client registration must be possible from both
64 web-server applications and applications with other
65 capabilities and limitations, such as native
66 applications . . . . . . . . . . . . . . . . . . . . . . . 6
67 3.5. Transaction integrity must be ensured in large
68 deployments where data propagation can be an issue . . . . 6
69 3.6. UMA design principles and requirements . . . . . . . . . . 6
70 4. Analysis of Registration Flow Options . . . . . . . . . . . . 7
71 5. Discovery of Server's Client Registration Endpoint . . . . . . 8
72 6. Client Registration with Pushed Metadata . . . . . . . . . . . 9
73 6.1. Client Registration Request . . . . . . . . . . . . . . . 9
74 6.2. Client Registration Response . . . . . . . . . . . . . . . 10
75 6.3. Error Response . . . . . . . . . . . . . . . . . . . . . . 11
76 7. Client Registration with Pushed URL and Pulled Metadata . . . 12
77 7.1. Client Registration Request . . . . . . . . . . . . . . . 13
78 7.2. Client Discovery . . . . . . . . . . . . . . . . . . . . . 14
79 7.3. Client Registration Response . . . . . . . . . . . . . . . 15
80 7.4. Error Response . . . . . . . . . . . . . . . . . . . . . . 16
81 8. Native Application Client Registration . . . . . . . . . . . . 17
82 9. Security Considerations . . . . . . . . . . . . . . . . . . . 18
83 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 18
84 Appendix B. Document History . . . . . . . . . . . . . . . . . . 19
85 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19
86 10.1. Normative References . . . . . . . . . . . . . . . . . . . 19
87 10.2. Non-Normative References . . . . . . . . . . . . . . . . . 19
88 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20
90 1. Introduction
92 This informal draft discusses a number of requirements for and
93 approaches to automatic registration of clients with an OAuth
94 authorization server, with special emphasis on the needs of the
95 OAuth-based User-Managed Access protocol [UMA-Core].
97 In some use-case scenarios it is desirable or necessary to allow
98 OAuth clients to obtain authorization from an OAuth authorization
99 server without the two parties having previously interacted.
100 Nevertheless, in order for the authorization server to accurately
101 represent to end-users which client is seeking authorization to
102 access the end-user's resources, a method for automatic and unique
103 registration of clients is needed.
105 The goal of this proposed registration protocol is for an
106 authorization server to provide a client with a client identifier and
107 optionally a client secret in a dynamic fashion. To accomplish this,
108 the authorization server must first be provided with information
109 about the client, with the client-name being the minimal information
110 provided. In practice, additional information will need to be
111 furnished to the authorization server, such as the client's homepage,
112 icon, description, and so on.
114 The dynamic registration protocol proposed here is envisioned to be
115 an additional task to be performed by the OAuth authorization server,
116 namely registration of a new client identifier and optional secret
117 and the issuance of this information to the client. This task would
118 occur prior to the point at which the client wields its identifier
119 and secret at the authorization server in order to obtain an access
120 token in normal OAuth fashion.
122 1.1. Notational Conventions
124 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT',
125 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in this
126 document are to be interpreted as described in [RFC2119].
128 Unless otherwise noted, all the protocol parameter names and values
129 are case sensitive.
131 1.2. Terminology
133 resource server
134 A server capable of accepting and responding to protected
135 resource requests.
137 resource owner
138 An entity capable of granting access to a protected resource.
140 client
141 An application obtaining authorization and making protected
142 resource requests.
144 authorization server
145 A server capable of issuing tokens after successfully
146 authenticating the resource owner and obtaining authorization.
147 The authorization server may be the same server as the resource
148 server, or a separate entity.
150 authorization manager
151 An UMA-defined variant of an authorization server that carries
152 out an authorizing user's policies governing access to a
153 protected resource.
155 end-user authorization endpoint
156 The authorization server's HTTP endpoint capable of
157 authenticating the end-user and obtaining authorization.
159 token endpoint
160 The authorization server's HTTP endpoint capable of issuing
161 tokens and refreshing expired tokens.
163 client identifier
164 An unique identifier issued to the client to identify itself to
165 the authorization server. Client identifiers may have a
166 matching secret.
168 client registration endpoint The authorization server's HTTP
169 endpoint capable of issuing client identifiers and optional
170 client secrets.
172 2. Use Cases
174 The UMA protocol involves two instances of OAuth flows. In the
175 first, an end-user introduces a host (essentially an enhanced OAuth
176 resource server) to an authorization manager (an enhanced OAuth
177 authorization server) as a client of it, possibly without that host
178 having obtained client identification information from that server
179 previously. In the second, a requester (an enhanced OAuth client)
180 approaches a host and authorization manager to get and use an access
181 token in approximately the normal OAuth fashion, again possibly
182 without that client having obtained client identification information
183 from that server previously. Both the host-as-client and the
184 requester-as-client thus may need dynamic client registration in
185 order for the UMA protocol flow to proceed.
187 The needs for inter-party trust vary in different UMA use cases. In
188 lightweight Web circumstances such as person-to-person calendar
189 sharing, dynamic registration is entirely appropriate. In cases
190 where high-sensitivity information is being protected or where a
191 regulatory environment puts constraints on the building of trust
192 relationships, such as sharing health records with medical
193 professionals or giving access to tax records to outsourced
194 bookkeeping staff, static means of provisioning client identifiers
195 may be imposed.
197 More information about UMA use cases is available at [UMA-UC].
199 3. Requirements
201 Following are proposed requirements for dynamic client registration.
203 3.1. The client needs to be uniquely identifiable by the authorization
204 server
206 In order for an authorization server to do proper user-delegated
207 authorization and prevent unauthorized access it must be able to
208 identify clients uniquely. As is done today in OAuth, the client
209 identifier (and optional secret) should thus be issued by the
210 authorization server and not simply accepted as proposed by the
211 client.
213 3.2. The authorization server must collect metadata about a client for
214 later user interaction
216 In order for the authorization server to describe a client to an end-
217 user in an authorization step it needs information about the client.
218 This can be the client name at a minimum, but today servers usually
219 request at least a description, a homepage URL, and an icon when
220 doing manual registration.
222 3.3. The authorization server must have the option of strongly
223 authenticating the client and its metadata
225 In order to prevent spoofing of clients and enable dynamic building
226 of strong trust relationships, the authorization server should have
227 the option to verify the provided information. This might be solved
228 using message signature verification; relatively weaker
229 authentication might be achieved in a simpler way by pulling metadata
230 from a trusted client URL.
232 3.4. Dynamic client registration must be possible from both web-server
233 applications and applications with other capabilities and
234 limitations, such as native applications
236 In the UMA context, alternative types of applications might serve as
237 both hosts (for example, as a device-based personal data store) and
238 requesters (for example, to subscribe to a calendar or view a photo).
239 Such applications, particularly native applications, may have special
240 limitations, so new solutions to meeting the set of requirements
241 presented here may be needed. We anticipate that each instance of a
242 native application (that is, the specific instance running on each
243 device) that is installed and run by the same user may need the
244 option of getting a unique client identifier. In this case, there
245 are implications around gathering and displaying enough information
246 to ensure that the end-user is delegating authorization to the
247 intended application.
249 3.5. Transaction integrity must be ensured in large deployments where
250 data propagation can be an issue
252 When a client sends information to a server endpoint, it might take
253 time for this data to propagate through big server installations that
254 spread across various data centers. Care needs to be taken that
255 subsequent interactions with the user after the registration process,
256 such as an authorization request, show the correct data.
258 In the UMA context, dynamic registration of a host at an AM is almost
259 certain to take place in the middle of an introduction and
260 authorization process mediated by the end-user; even though the host
261 needs a client identifier from the AM no matter which end-user caused
262 the registration process to take place, the end-user may need to wait
263 for the registration sub-process to finish in order to continue with
264 the overall process. It may be necessary to ensure that the host
265 interacts with the same AM server throughout.
267 3.6. UMA design principles and requirements
269 In addition to general requirements for dynamic client registration,
270 UMA seeks to optimize for the design principles and requirements
271 found in the UMA Requirements document [UMA-Reqs], most particularly:
273 o DP1: Simple to understand, implement in an interoperable fashion,
274 and deploy on an Internet-wide scale
276 o DP6: Able to be combined and extended to support a variety of use
277 cases and emerging application functionality
279 o DP8: Avoid adding crypto requirements beyond what existing web app
280 implementations do today
282 o DP10: Complexity should be borne by the authorization endpoint vs.
283 other endpoints
285 4. Analysis of Registration Flow Options
287 This section analyzes some options for exchanging client metadata for
288 a client identifier and optional secret.
290 It currently seems impossible to specify a single registration flow
291 that will satisfy all requirements, deployment needs, and client
292 types. This document, therefore, presents as small a variety of
293 options as possible. If it is possible to construct a single unified
294 flow in the ultimate design, all other things being equal this would
295 be preferred.
297 Client provides metadata on every request
298 In this approach, the client passes all necessary metadata such
299 as its name and icon on every request to the authorization
300 server, and the client doesn't wield a client identifier as
301 such. This option makes it more difficult (though not
302 impossible) to meet the first and second requirements since
303 different clients could theoretically represent themselves to
304 an authorization server with the same metadata and the same
305 client could represent itself on subsequent visits with
306 different metadata. Also, today's OAuth protocol requires the
307 use of a client identifier. Because of the UMA simplicity
308 principle we do not recommend this flow option and and have not
309 provided a candidate solution.
311 Client pushes metadata
312 In this approach, the client discovers the registration
313 endpoint of the authorization server and sends its metadata
314 directly to that endpoint in a standard format. The
315 authorization server answers with a client identifier and
316 optional secret in the response. This approach may be
317 necessary in cases where the client is behind a firewall, but
318 strong authentication of the client metadata may be more
319 difficult or costly with this approach than with a "pull"
320 approach, discussed just below. Further, this approach is
321 problematic in the case of applications that can't function as
322 POST-capable web servers. A proposal for "push" is presented
323 in this document.
325 Client pushes URL, server pulls metadata from it
326 In this approach, the client sends only a URL to the
327 authorization server, which then uses that URL to pull metadata
328 about the client in some standard format, returning
329 identification information in the response to the initial
330 request. This approach more easily allows for strong
331 authentication of clients because the metadata can be
332 statically signed. (The message containing the URL could be
333 signed as well.) However, caution should be exercised around
334 the propagation issue if the initial URL push is made to a
335 server different from the one the end-user is interacting with.
336 Further, this approach is problematic in the case of
337 applications that cannot themselves serve as "pull-able"
338 metadata repositories. A proposal for "pull" is presented in
339 this document.
341 Native-app client collaborates with home-base web app to provide
342 metadata
343 An instance of a native application (for example, on a mobile
344 device) may have difficulty directly conveying trustworthy
345 metadata but may also have difficulty providing a trustworthy
346 third-party source from which a server can pull metadata. This
347 document explores one option for meeting the requirements, but
348 does not present a full-fledged proposal.
350 5. Discovery of Server's Client Registration Endpoint
352 Regardless of flow option, the client needs to discover the
353 authorization server's client registration endpoint.
355 The client MUST use the [RFC5785] and [hostmeta] discovery mechanisms
356 to learn the URI of the client registration endpoint at the
357 authorization server. The authorization server MUST provide a host-
358 meta document containing a Link element with a rel value of:
359 "http://oauth.net/as/registration"
361 For example:
363
364 http://server.example.com
365
367 Client Registration Endpoint
368
369
371 6. Client Registration with Pushed Metadata
373 This registration flow works as follows:
375 1. The client sends its metadata in JSON form to the client
376 registration endpoint. The client MUST send its name,
377 description, and redirection URI and MAY send a URI for its icon.
378 The client MAY sign the metadata as a JSON Token issuer, using
379 the mechanisms defined in [OAuth-Sig].
381 2. The authorization server checks the data, verifying the signature
382 as necessary, and returns a client identifier and an optional
383 client secret.
385 +--------+ +---------------+
386 | Client |--(A)--- Registration Request --->| Authorization |
387 | | with Metadata | Server |
388 | | | |
389 | |<-(B)----Registration Response ---| |
390 | | with Client ID Info | |
391 +--------+ +---------------+
393 Figure 1: Client Registration Flow with Pushed Metadata
395 6.1. Client Registration Request
397 The client sends a JSON formatted document to the client registration
398 endpoint. The client includes the following parameters in the
399 request:
401 type
402 REQUIRED. This parameter must be set to "push".
404 client_name
405 REQUIRED. This field contains a human-readable name of the
406 client.
408 client_url
409 REQUIRED. This field contains the URL of the homepage of the
410 client.
412 client_description
413 REQUIRED. This field contains a text description of the
414 client.
416 client_icon
417 OPTIONAL. This field contains a URL for an icon for the
418 client.
420 redirect_url
421 REQUIRED. This field contains the URL to which the
422 authorization server should send its response.
424 The client MAY include additional metadata in the request and the
425 authorization server MAY ignore this additional information.
427 For example, the client might send the following request:
429 POST /register HTTP/1.1
430 Host: server.example.com
431 Content-Type: application/json
433 {
434 type: "push",
435 client_name: "Online Photo Gallery",
436 client_url: "http://onlinephotogallery.com",
437 client_description: "Uploading and also editing capabilities!",
438 client_icon: "http://onlinephotogallery.com/icon.png",
439 redirect_url: "https://onlinephotogallery.com/client_reg"
440 }
442 The parameters are included in the entity body of the HTTP request
443 using the "application/json" media type as defined by [JSON]. The
444 parameters are serialized into a JSON structure by adding each
445 parameter at the highest structure level. Parameter names and string
446 values are included as JSON strings.
448 6.2. Client Registration Response
450 After receiving and verifying information received from the client,
451 the authorization server issues a client identifier and an optional
452 client secret, and constructs the response by adding the following
453 parameters to the entity body of the HTTP response with a 200 status
454 code (OK):
456 client_id
457 REQUIRED.
459 client_secret
460 OPTIONAL.
462 issued_at
463 OPTIONAL. Specifies the timestamp when the identifier was
464 issued. The timestamp value MUST be a positive integer. The
465 value is expressed in the number of seconds since January 1,
466 1970 00:00:00 GMT.
468 expires_in
469 OPTIONAL; if supplied, the "issued_at" parameter is REQUIRED.
470 Specifies the valid lifetime, in seconds, of the identifier.
471 The value is represented in base 10 ASCII.
473 The parameters are included in the entity body of the HTTP response
474 using the "application/json" media type as defined by [JSON]. The
475 parameters are serialized into a JSON structure by adding each
476 parameter at the highest structure level. Parameter names and string
477 values are included as JSON strings.
479 The authorization server MUST include the HTTP "Cache-Control"
480 response header field with a value of "no-store" in any response
481 containing "client_secret".
483 For example, the authorization server might return the following
484 response:
486 HTTP/1.1 200 OK
487 Content-Type: application/json
488 Cache-Control: no-store
490 {
491 client_id: "5UO9XcL4TQTa",
492 client_secret: "WdRKN3zeTc20"
493 }
495 6.3. Error Response
497 If the request for registration is invalid or unauthorized, the
498 authorization server constructs the response by adding the following
499 parameters to the entity body of the HTTP response with a 400 status
500 code (Bad Request) using the "application/json" media type:
502 o "error" (REQUIRED).
504 o "error_description" (OPTIONAL). Human-readable text providing
505 additional information, used to assist in the understanding and
506 resolution of the error occurred.
508 o "error_uri" (OPTIONAL). A URI identifying a human-readable web
509 page with information about the error, used to provide the end-
510 user with additional information about the error.
512 An example error response (with line breaks for readability):
514 HTTP/1.1 400 Bad Request
515 Content-Type: application/json
516 Cache-Control: no-store
518 {
519 "error": "unauthorized_client",
520 "description": "This client is not on the
521 white list of this Authorization Server."
522 }
524 7. Client Registration with Pushed URL and Pulled Metadata
526 This registration flow works as follows:
528 1. The client sends its metadata URI to the client registration
529 endpoint. The client MAY sign the metadata as a JSON Token
530 issuer, using the mechanisms defined in [OAuth-Sig].
532 2. The authorization server verifies the signature as necessary, and
533 uses the [RFC5785] and [hostmeta] discovery mechanisms on this
534 URI to retrieve the host-meta document describing the client.
535 The host-meta document MUST contain the client name, description,
536 and redirection URI, and MAY contain a URI for the client icon.
538 +--------+ +---------------+
539 | Client |--(A)--- Registration Request --->| Authorization |
540 | | with URL | Server |
541 | | | |
542 | |<-(B)--- Client Discovery --------| |
543 | | | |
544 | |--(C)---- Host-Meta Document ---->| |
545 | | | |
546 | |<-(D)--- Registration Response ---| |
547 | | with Client ID Info | |
548 +--------+ +---------------+
550 Figure 2: Client Registration Flow with Pushed URL and Pulled
551 Metadata
553 7.1. Client Registration Request
555 The client sends a JSON formatted document to the client registration
556 endpoint. The client includes the following parameters in the
557 request:
559 type
560 REQUIRED. This parameter must be set to "pull".
562 client_url
563 REQUIRED. This field contains the URL of the homepage of the
564 client.
566 The client MUST NOT include other metadata parameters, such as those
567 defined in the pushed-metadata scenario.
569 For example, the client might send the following request:
571 POST /register HTTP/1.1
572 Host: server.example.com
573 Content-Type: application/json
575 {
576 type: "pull",
577 url: "http://onlinephotogallery.com"
578 }
580 The parameters are included in the entity body of the HTTP request
581 using the "application/json" media type as defined by [JSON]. The
582 parameters are serialized into a JSON structure by adding each
583 parameter at the highest structure level. Parameter names and string
584 values are included as JSON strings.
586 7.2. Client Discovery
588 The authorization server evaluates this request and MAY perform a
589 [RFC5785] and [hostmeta] discovery mechanism on the provided URL to
590 the host-meta document for the client.
592 For example:
594 GET /.well-known/host-meta HTTP/1.1
595 Host: onlinephotogallery.com
597 The authorization server retrieves the host-meta document, which MUST
598 contain:
600 o A "Property" element with a "type" value of
601 "http://oauth.net/client/name" containing the human-readable
602 client name. (REQUIRED)
604 o A "Property" element with a "type" value of
605 "http://oauth.net/client/description" containing the human
606 readable description of the client. (REQUIRED)
608 o A "Link" element with a "rel" value of
609 "http://oauth.net/client/redirect_uri" (REQUIRED).
611 o A "Link" element with a "rel" value of
612 "http://oauth.net/client/uri" (REQUIRED).
614 o A "Link" element with a "rel" value of
615 "http://oauth.net/client/icon" (OPTIONAL).
617 For example:
619
620 http://onlinephotogallery.com
621
622 Online Photo Gallery
623
624
625 Really nice Online Photo Gallery!
626
627
629 Client URI
630
631
633 Client Redirect URI
634
635
637 Client Icon
638
639
641 7.3. Client Registration Response
643 After receiving and verifying information retrieved from the client,
644 the authorization server issues the client identifier and an optional
645 client secret, and constructs the response by adding the following
646 parameters to the entity body of the HTTP response with a 200 status
647 code (OK):
649 o "client_id" (REQUIRED)
651 o "client_secret" (OPTIONAL)
653 The parameters are included in the entity body of the HTTP response
654 using the "application/json" media type as defined by [JSON]. The
655 parameters are serialized into a JSON structure by adding each
656 parameter at the highest structure level. Parameter names and string
657 values are included as JSON strings.
659 The authorization server MUST include the HTTP "Cache-Control"
660 response header field with a value of "no-store" in any response
661 containing the "client_secret".
663 For example the authorization server might return the following
664 response:
666 HTTP/1.1 200 OK
667 Content-Type: application/json
668 Cache-Control: no-store
670 {
671 "client_id":"5UO9XcL4TQTa",
672 "client_secret":"WdRKN3zeTc20"
673 }
675 7.4. Error Response
677 If the request for registration is invalid or unauthorized, the
678 authorization server constructs the response by adding the following
679 parameters to the entity body of the HTTP response with a 400 status
680 code (Bad Request) using the "application/json" media type:
682 o "error" (REQUIRED). A single error code.
684 o "error_description" (OPTIONAL). Human-readable text providing
685 additional information, used to assist in the understanding and
686 resolution of the error occurred.
688 o "error_uri" (OPTIONAL). A URI identifying a human-readable web
689 page with information about the error, used to provide the end-
690 user with additional information about the error.
692 An example error response (with line breaks for readability):
694 HTTP/1.1 400 Bad Request
695 Content-Type: application/json
696 Cache-Control: no-store
698 {
699 "error": "unauthorized_client",
700 "description": "This client is not on the
701 white list of this Authorization Server."
702 }
704 If the host-meta discovery was not successful, the authorization
705 server MUST use the error code "hostmeta_error".
707 An example error response (with line breaks for readability):
709 HTTP/1.1 404 Not Found
710 Content-Type: application/json
711 Cache-Control: no-store
713 {
714 "error": "hostmeta_error",
715 "description": "The hostmeta document could
716 not be retrieved from the URL."
717 }
719 8. Native Application Client Registration
721 For a native application serving as an UMA host, we anticipate that
722 the need for dynamic client registration to introduce this app to an
723 UMA authorization manager may typically happen only once (or very
724 infrequently), likely to a single authorization manager, and
725 registration could usefully take place at the time the app is
726 provisioned onto a device. By contrast, for a native app serving as
727 an UMA requester, it may need to register at multiple authorization
728 managers over time when seeking access tokens, at moments much later
729 than the original provisioning of the app onto the device.
731 When a native application is provisioned on a device, such as through
732 an app store model, often it has an associated "home base" web server
733 application component with which it registers (outside of any UMA-
734 related or OAuth-related interactions). This pairwise relationship
735 can be exploited in a number of ways to allow trustable, unique
736 metadata to be conveyed to an OAuth server and for this instance of
737 the app to receive a client identifier and optional secret. We have
738 discussed "device-initiated" and "home base-initiated" pattern
739 options for OAuth dynamic client registration in these circumstances.
740 Device-initiated flows seem more generically applicable (for example,
741 for both UMA host and UMA requester needs). However, a home base-
742 initiated flow may be preferable in case it is necessary to pre-
743 determine a trust level towards an OAuth server. In this case, the
744 home base server could initiate the registration process if and only
745 if there exists a trust relationship between the two parties.
747 Following is one option for a device-initiated flow:
749 1. User provisions native app on device and registers with and
750 authenticates to app's home-base web application.
752 2. Home base provisions native app with home base-signed metadata.
754 3. Whenever user tries to use native app to access a protected
755 resource, native app provides home base-provided metadata to
756 server.
758 4. Server verifies home base signature by pulling public key from
759 home base URL and generates client identifier and secret for
760 native app.
762 5. Server returns client identifier and secret to native app.
764 9. Security Considerations
766 Following are some security considerations:
768 o No client authentication: The server should treat unsigned pushed
769 client metadata as self-asserted.
771 o Weak client authentication: The server should treat unsigned
772 pulled client metadata as self-asserted unless the the domain of
773 the client matches the client metadata URL and the URL is well-
774 known and trusted.
776 o Strong client authentication: The server should treat signed
777 client metadata (pushed or pulled) and a signed metadata URL as
778 self-asserted unless it can verify the signature as being from a
779 trusted source.
781 Appendix A. Acknowledgements
783 The authors thank the User-Managed Access Work Group participants,
784 particularly the following, for their input to this document:
786 o Domenico Catalano
788 o George Fletcher
790 o Thomas Hardjono
792 o Nat Sakimura
794 Appendix B. Document History
796 [[ to be removed by RFC editor before publication as an RFC ]]
798 10. References
800 10.1. Normative References
802 [JSON] Crockford, D., "The application/json Media Type for
803 JavaScript Object Notation (JSON)", 2006,
804 .
806 [OAuth-Sig]
807 Balfanz, D., "OAuth Signature proposals", 2010, .
811 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
812 Requirement Levels", BCP 14, RFC 2119, March 1997.
814 [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,
815 Leach, P., Luotonen, A., and L. Stewart, "HTTP
816 Authentication: Basic and Digest Access Authentication",
817 RFC 2617, June 1999.
819 [RFC5785] Nottingham, M. and E. Hammer-Lahav, "Defining Well-Known
820 Uniform Resource Identifiers (URIs)", RFC 5785,
821 April 2010.
823 [hostmeta]
824 Hammer-Lahav, E., "Web Host Metadata", 2010, .
828 10.2. Non-Normative References
830 [UMA-Core]
831 Scholz, C., "UMA Requirements", 2010, .
835 [UMA-Reqs]
836 Maler, E., "UMA Requirements", 2010, .
840 [UMA-UC] Akram, H., "UMA Explained", 2010, .
844 Authors' Addresses
846 Christian Scholz (editor)
847 COM.lounge GmbH
849 Email: cs@comlounge.net
850 URI: http://comlounge.net
852 Maciej Machulak
853 Newcastle University
855 Email: m.p.machulak@ncl.ac.uk
856 URI: http://ncl.ac.uk/
858 Eve Maler
859 PayPal
861 Email: eve@xmlgrrl.com
862 URI: http://www.paypal.com/