Internet DRAFT - draft-hunt-oauth-software-statement
draft-hunt-oauth-software-statement
OAuth P. Hunt, Ed.
Internet-Draft Oracle Corporation
Intended status: Standards Track T. Nadalin
Expires: March 31, 2014 Microsoft
September 27, 2013
OAuth 2.0 Software Statement
draft-hunt-oauth-software-statement-00
Abstract
This specification defines a JWT authorization assertion known as a
'software statment' for use in an OAuth protected environment. A
software statement is a JWT assertion used by an OAuth client to
provide both informational and OAuth protocol related assertions that
aid service providers to recognize OAuth client software and its
expected behaviour within an OAuth Framework protected resource
environment.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 31, 2014.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Hunt & Nadalin Expires March 31, 2014 [Page 1]
�
Internet-Draft OAuth-Software-Statement-00 September 2013
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Notational Conventions . . . . . . . . . . . . . . . . . 3
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Software Statement . . . . . . . . . . . . . . . . . . . . . 4
2.1. Software Statement Lifecycle . . . . . . . . . . . . . . 4
2.2. Statement Attributes . . . . . . . . . . . . . . . . . . 6
2.2.1. Singular Attributes . . . . . . . . . . . . . . . . . 7
2.2.2. Multi-valued Attributes . . . . . . . . . . . . . . . 9
2.2.3. Relationship Between Grant Types and Response Types . 10
2.2.4. Human Readable Client Metadata . . . . . . . . . . . 11
2.3. Software Statement Requirements . . . . . . . . . . . . . 12
3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
3.1. OAuth Token Endpoint Authentication Methods Registry . . 13
3.1.1. Registration Template . . . . . . . . . . . . . . . . 14
3.1.2. Initial Registry Contents . . . . . . . . . . . . . . 14
4. Security Considerations . . . . . . . . . . . . . . . . . . . 14
5. Normative References . . . . . . . . . . . . . . . . . . . . 15
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 16
Appendix B. Document History . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17
1. Introduction
The OAuth 2.0 Authorization Framework [RFC6749] is a framework by
which client applications use access tokens issued by authorization
servers to access to a service provider's software API endpoints. As
a framework, OAuth 2.0 enables many different flows by which a client
application may obtain an access token including delegated
authorization from a user.
This specification defines a JWT authorization assertion
[I-D.ietf-oauth-jwt-bearer] known as a 'software statment'. An
software statement is used by an OAuth client to provide both
informational and OAuth protocol [RFC6749] related assertions that
aid OAuth infrastructure to both recognize client software and
determine a client's expected requirements when accessing an OAuth
protected resource.
Applications using software statements, may typically go through 3
phases where:
Hunt & Nadalin Expires March 31, 2014 [Page 2]
�
Internet-Draft OAuth-Software-Statement-00 September 2013
o A software statement is generated and associated with a client
application.
o A service provider approves client software for use within its
domain on the basic of software_id, developer, or software
statment signing organization.
o And finally, where a particular instance of a client possessing a
software statement associates with a particular serivce provider.
1.1. Notational Conventions
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT',
'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in this
document are to be interpreted as described in [RFC2119].
Unless otherwise noted, all the protocol parameter names and values
are case sensitive.
1.2. Terminology
This specification uses the terms "Access Token", "Refresh Token",
"Authorization Code", "Authorization Grant", "Authorization Server",
"Authorization Endpoint", "Client", "Client Identifier", "Client
Secret", "Protected Resource", "Resource Owner", "Resource Server",
and "Token Endpoint" defined by OAuth 2.0 [RFC6749].
This specification uses the following additional terms:
Deployment Organization An administrative security domain under
which, a software API is deployed and protected by an OAuth 2.0
framework. In simple cloud deployments, the software API
publisher and the deployment organization may be the same. In
other scenarios, a software publisher may be working with many
different deployment organizations.
Software API Deployment A deployment instance of a software API that
is protected by OAuth 2.0 in a particular deployment organization
domain. For any particular software API, there may be one or
more deployments. A software API deployment typically has an
associated OAuth 2.0 authorization server endpoint as well as a
client registration endpoint. The means by which endpoints are
obtained (discovery) are out of scope for this specification.
Software API Publisher The organization that defines a particular
web accessible API that may deployed in one or more deployment
environments. A publisher may be any commercial, public,
private, or open source organization that is responsible for
publishing and distributing software that may be protected via
OAuth 2.0. A software API publisher may issue software
Hunt & Nadalin Expires March 31, 2014 [Page 3]
�
Internet-Draft OAuth-Software-Statement-00 September 2013
assertions which client developers use to distribute with their
software to facilitate registration. In some cases a software
API publisher and a client developer may be the same
organization.
Client Developer The person or organization that builds a client
software package and prepares it for distribution. A client
developer obtains a software assertion from a software publisher,
or self-generates one for the purposes of facilitating client
association.
Software Statement A signed JWT authorization token
[I-D.ietf-oauth-jwt-bearer] that asserts information about the
client software that may be used by registration system to
qualify clients for eligibility to register. To obtain a
statement, a client developer may generate a client specific
assertion, or a client developer may registers with a software
API publisher to obtain a software assertion. The statement is
distributed with all copies of a client application and may be
used during the client-to-service provider association process.
2. Software Statement
As per the introduction, a software statement is an 'authorization'
bearer token (as defined in Section 2.1 of
[I-D.ietf-oauth-jwt-bearer]) that carries assertions about a software
that MAY be used in one or more deployment organizations and is
shared by all instances of a client application.
A software statement IS NOT an authentication assertion. A software
statement is a signed set of assertions fixing both OAuth related
protocol values as well as informational assertions as a signed
assertion from a trusted party. A deployment organization MAY use
the statement to set access policy and to recognize client software
during registration or association processes.
2.1. Software Statement Lifecycle
Software statements are used in 3 stages in the lifecycle of an OAuth
enabled client application. A typical lifecycle flow is illustrated
in Figure 1 describing when a developer obtains a software statement
and how it is used within a deployment organization.
Client App
Developer
O (A) Obtain Software Statement ****************
\|/ <-------------------------------------- * Software API *
Hunt & Nadalin Expires March 31, 2014 [Page 4]
�
Internet-Draft OAuth-Software-Statement-00 September 2013
| * Publisher *
/ \ ****************
|
| |
| |
|D S | A
|i o | p
|s f | p
|t t | r (B)
A |r w | o
p |i a | v
p |b r | a
|u e | l
|t |
|i |
|o |
|n *************|********
v * v *
+------------+ * +---------------+ *
| Client App | (C) Present Software Statement * | OAuth 2.0 | *
| Instance | --------------------------------->| Authorization | *
+------------+ * | Server | *
* +---------------+ *
* OAuth 2.0 aware *
* Service Provider *
**********************
Legend:
O
\|/ - Developer
|
/ \
+----+
| | - Piece of software
| |
+----+
******
* * - Organization
* *
******
Figure 1: Client Statement Lifecycle
(A) A client developer registers a clent application with a software
API publisher. The software publisher, upon approval, generates
a signed software statement that is returned to the developer.
Alternatively, a developer may self-sign a software statement. A
Hunt & Nadalin Expires March 31, 2014 [Page 5]
�
Internet-Draft OAuth-Software-Statement-00 September 2013
self-signed statement, while weaker from a trust perspective,
allows the provider to recognize and approve software (step B).
A statement ensures that all registration parameters for a client
are the same for every instance of a client deployed. The
advantage of having the software API publisher is that deploying
organizations MAY choose to pre-approve (step B) all software
signed by a common trusted organization.
This protocol and procedure for issuing a software statement to
the client app developer is out-of-scope of this document. This
document assumes that the client app developer has obtained such
a software statement already.
(B) When an administrator at a service provider obtains a software
statement, the administrator configures policies to accept or
reject a particular client software statement for use within a
deploying organization. An administrator may also configure
broader pre-approval policy that accepts software by name,
author, or signing organization, or other category that can be
derived from a software statement.
(C) A client instance conveys the software statement to the service
provider, as described in
[I-D.draft-hunt-oauth-client-association].
2.2. Statement Attributes
The following are attributes that may be included in a software
statement. For each attribute defined, a qualifier (OPTIONAL,
RECOMMENDED, REQUIRED) is included that indicates the usage
requirement for the client. Unless otherwise stated, all client
schema attributes are String based values. For example, URIs, email
addresses, identifiers, are all defined as Strings.
Authorization servers MUST reject statements if it does not
understand the values of any of the following singular or multi-
valued attributes. An authorization server MAY override any value
(including any omitted values) provided in a statement or separately
during the association process and replace the requested value with a
default at the server's discretion.
Extensions and profiles of this specification MAY expand this list,
and authorization servers MUST accept all fields in this list. The
authorization server MUST ignore any additional parameters sent by
the Client that it does not understand.
Hunt & Nadalin Expires March 31, 2014 [Page 6]
�
Internet-Draft OAuth-Software-Statement-00 September 2013
2.2.1. Singular Attributes
The following is a list of attributes that MUST have only a SINGLE
value in a software statement.
software_id
REQUIRED. A unique identifier that identifies the software such
as a UUID. The identifier SHOULD NOT change when software
version changes or when a new installation instance is detected.
"software_id" is intended to help a registration endpoint
recognize a client's assertion that it is a prticular piece of
software. Because of this, software identifier is usually
associated with a particular client name. While the
OAuth"client_id"is linked to a client software deployment
instance, the "software_id" is an identifier shared between all
copies of the client software. Registration servers MAY use the
supplied software identifier to determine whether a particular
client software is approved or supported for use in the
deployment domain.
software_version
RECOMMENDED. A version identifier such as a UUID or a number.
Servers MAY use equality match to determine if a particular
client is a particular version. "software_version" SHOULD change
on any update to the client software. Registration servers MAY
use the software version and identity to determine whether a
particular client version is authorized for use in the deployment
domain.
client_name
RECOMMENDED. A human-readable name of the client to be presented
to the user. If omitted, the authorization server MAY display
the raw "software_id" value to the user instead. It is
RECOMMENDED that clients always send this field. The value of
this field MAY be internationalized as described in Human
Readable Client Metadata (Section 2.2.4).
client_uri
RECOMMENDED. A URL of the homepage of the client software. If
present, the server SHOULD display this URL to the end user in a
clickable fashion. It is RECOMMENDED that clients always send
this field. The value of this field MUST point to a valid Web
page. The value of this field MAY be internationalized as
described in Human Readable Client Metadata (Section 2.2.4).
jwks_uri
OPTIONAL. A URL for the client's JSON Web Key Set
[I-D.ietf-jose-json-web-key] document representing the client's
Hunt & Nadalin Expires March 31, 2014 [Page 7]
�
Internet-Draft OAuth-Software-Statement-00 September 2013
public keys. The value of this field MUST point to a valid JWK
Set. These keys MAY also be used for higher level protocols that
require signing or encryption.
logo_uri
OPTIONAL. A URL that references a logo image for the client. If
present, the server SHOULD display this image to the end user
during approval. The value of this field MUST point to a valid
image file. The value of this field MAY be internationalized as
described in Human Readable Client Metadata (Section 2.2.4).
policy_uri
OPTIONAL. A URL that points to a human-readable policy document
for the client. The authorization server SHOULD display this URL
to the End-User if it is given. The Policy usually describes how
an End-User's data will be used by the client. The value of this
field MUST point to a valid Web page. The value of this field
MAY be internationalized as described in Human Readable Client
Metadata (Section 2.2.4).
scope
OPTIONAL. A space separated list of scope values (as described
in Section 3.3 [RFC6749]) that the client can use when requesting
access tokens. The semantics of values in this list is service
specific. If omitted, an authorization server MAY register a
client with a default set of scopes.
targetEndpoint
RECOMMENDED. A generic URI of the service API the client is
registering for (often set by the software API publisher).
Clients requesting access to more than one target endpoint SHOULD
use a separate statement for each target.
token_endpoint_auth_method
OPTIONAL. Value containing the requested authentication method
for the Token Endpoint. The server MAY override the requested
value. Clients MUST check for a change in value in the
registration response. Values defined by this specification are:
* "none": The client is a public client as defined in OAuth 2.0
and does not have a client secret.
* "bearer": The client is will use a bearer assertion as defined
in Section 4.2 of [I-D.ietf-oauth-assertions].
Additional values can be defined via the IANA OAuth Token
Endpoint Authentication Methods registry Section 3.1. Absolute
URIs can also be used as values for this parameter. If
unspecified or omitted, the default is "bearer".
Hunt & Nadalin Expires March 31, 2014 [Page 8]
�
Internet-Draft OAuth-Software-Statement-00 September 2013
tos_uri
OPTIONAL. A URL that points to a human-readable "Terms of
Service" document for the client. The authorization server
SHOULD display this URL to the End-User if it is given. The
Terms of Service usually describe a contractual relationship
between the End-User and the client that the End-User accepts
when authorizing the client. The value of this field MUST point
to a valid Web page. The value of this field MAY be
internationalized as described in Human Readable Client Metadata
(Section 2.2.4).
2.2.2. Multi-valued Attributes
The following is a list of multi-valued attributes that may be used
in a software statement.
contacts
OPTIONAL. One or more email addresses for people responsible for
this client. The authorization server MAY make these addresses
available to end users for support requests for the client. An
authorization server MAY use these email addresses as identifiers
for an administrative page for this client.
redirect_uris
RECOMMENDED. One or more redirect URI values for use in
redirect-based flows such as the Authorization Code and Implicit
grant types. authorization servers SHOULD require registration
of valid redirect URIs for all clients that use these grant types
to protect against token and credential theft attacks.
grant_types
OPTIONAL. One or more OAuth 2.0 grant types that the client may
use. These grant types are defined as follows:
* "authorization_code": The Authorization Code Grant described
in OAuth 2.0 Section 4.1
* "implicit": The Implicit Grant described in OAuth 2.0
Section 4.2
* "password": The Resource Owner Password Credentials Grant
described in OAuth 2.0 Section 4.3
* "client_credentials": The "Client credentials Grant" described
in OAuth 2.0 Section 4.4
* "refresh_token": The Refresh Token Grant described in OAuth
2.0 Section 6.
* "urn:ietf:params:oauth:grant-type:jwt-bearer": The JWT Bearer
grant type defined in OAuth JWT Bearer Token Profiles
[I-D.ietf-oauth-jwt-bearer].
Hunt & Nadalin Expires March 31, 2014 [Page 9]
�
Internet-Draft OAuth-Software-Statement-00 September 2013
* "urn:ietf:params:oauth:grant-type:saml2-bearer": The SAML 2
Bearer grant type defined in OAuth SAML 2 Bearer Token
Profiles [I-D.ietf-oauth-saml2-bearer].
Authorization servers MAY allow for other values as defined in
grant type extensions to OAuth 2.0. The extension process is
described in OAuth 2.0 Section 2.5, and the value of this
parameter MUST be the same as the value of the "grant_type"
parameter passed to the Token Endpoint defined in the extension.
response_types
OPTIONAL. One or more OAuth 2.0 response types that the client
may use. These response types are defined as follows:
* "code": The Authorization Code response described in OAuth 2.0
Section 4.1.
* "token": The Implicit response described in OAuth 2.0
Section 4.2.
Authorization servers MAY allow for other values as defined in
response type extensions to OAuth 2.0. The extension process is
described in OAuth 2.0 Section 2.5, and the value of this
parameter MUST be the same as the value of the "response_type"
parameter passed to the Authorization Endpoint defined in the
extension.
2.2.3. Relationship Between Grant Types and Response Types
The "grant_types" and "response_types" values described above are
partially orthogonal, as they refer to arguments passed to different
endpoints in the OAuth protocol. However, they are related in that
the "grant_types" available to a client influence the
"response_types" that the client is allowed to use, and vice versa.
For instance, a "grant_types" value that includes
"authorization_code" implies a "response_types" value that includes
code, as both values are defined as part of the OAuth 2.0
Authorization Code Grant. As such, a server supporting these fields
SHOULD take steps to ensure that a client cannot register itself into
an inconsistent state.
The correlation between the two fields is listed in the table below.
+-------------------------------------------------+-----------------+
| grant_types value includes: | response_types |
| | value includes: |
+-------------------------------------------------+-----------------+
| authorization_code | code |
| | |
Hunt & Nadalin Expires March 31, 2014 [Page 10]
�
Internet-Draft OAuth-Software-Statement-00 September 2013
| implicit | token |
| | |
| password | (none) |
| | |
| client_credentials | (none) |
| | |
| refresh_token | (none) |
| | |
| urn:ietf:params:oauth:grant-type:jwt-bearer | (none) |
| | |
| urn:ietf:params:oauth:grant-type:saml2-bearer | (none) |
+-------------------------------------------------+-----------------+
Extensions and profiles of this document that introduce new values to
either the "grant_types" or "response_types" parameter MUST document
all correspondences between these two parameter types.
2.2.4. Human Readable Client Metadata
[[This needs to be updated to be compatible with SCIM. There is a
also a problem with how to limit the amount of localization data
exchange for an instance registration. Note that mobile clients tend
to only need one preferred language while web clients represent many
clients and may have more than 20 languages to support.]]
Human-readable Client Metadata values and client Metadata values that
reference human-readable values MAY be represented in multiple
languages and scripts. For example, the values of fields such as
"client_name", "tos_uri", "policy_uri", "logo_uri", and "client_uri"
might have multiple locale-specific values in some client
registrations.
To specify the languages and scripts, BCP47 [RFC5646] language tags
are added to client Metadata member names, delimited by a #
character. Since JSON member names are case sensitive, it is
RECOMMENDED that language tag values used in Claim Names be spelled
using the character case with which they are registered in the IANA
Language Subtag Registry [IANA.Language]. In particular, normally
language names are spelled with lowercase characters, region names
are spelled with uppercase characters, and languages are spelled with
mixed case characters. However, since BCP47 language tag values are
case insensitive, implementations SHOULD interpret the language tag
values supplied in a case insensitive manner. Per the
recommendations in BCP47, language tag values used in Metadata member
names should only be as specific as necessary. For instance, using
"fr" might be sufficient in many contexts, rather than "fr-CA" or
"fr-FR".
Hunt & Nadalin Expires March 31, 2014 [Page 11]
�
Internet-Draft OAuth-Software-Statement-00 September 2013
For example, a client could represent its name in English as
""client_name#en": "My Client"" and its name in Japanese as
""client_name#ja-Jpan-JP":
"\u30AF\u30E9\u30A4\u30A2\u30F3\u30C8\u540D"" within the same
registration request. The authorization server MAY display any or
all of these names to the Resource Owner during the authorization
step, choosing which name to display based on system configuration,
user preferences or other factors.
If any human-readable field is sent without a language tag, parties
using it MUST NOT make any assumptions about the language, character
set, or script of the string value, and the string value MUST be used
as-is wherever it is presented in a user interface. To facilitate
interoperability, it is RECOMMENDED that clients and servers use a
human-readable field without any language tags in addition to any
language-specific fields, and it is RECOMMENDED that any human-
readable fields sent without language tags contain values suitable
for display on a wide variety of systems.
Implementer's Note: Many JSON libraries make it possible to reference
members of a JSON object as members of an Object construct in the
native programming environment of the library. However, while the
"#" character is a valid character inside of a JSON object's member
names, it is not a valid character for use in an object member name
in many programming environments. Therefore, implementations will
need to use alternative access forms for these claims. For instance,
in JavaScript, if one parses the JSON as follows, "var j =
JSON.parse(json);", then the member "client_name#en-us" can be
accessed using the JavaScript syntax "j["client_name#en-us"]".
2.3. Software Statement Requirements
In order to create and validate a software assertion, the following
requirements apply in addition to those stated in Section 3
[I-D.ietf-oauth-jwt-bearer].
1. The JWT MAY contain any claim specified in Section 2.2.
2. The JWT MUST contain an "iss" (issuer) claim that contains a
unique identifier for the entity that issued and signed the JWT.
The value MAY be the client developer, a software API publisher,
or a third-party organization (e.g. a consortium) that would be
trusted by deploying organizations.
3. The JWT MUST contain a "sub" (subject) claim that contains a
unique value corresponding to the "software_id". This number is
MAY be assigned by the software API publisher.
4. The JWT MUST contain an "aud" (audience) claim containing a value
that is ONE of the following:
Hunt & Nadalin Expires March 31, 2014 [Page 12]
�
Internet-Draft OAuth-Software-Statement-00 September 2013
* A value that identifies one or more software API deployments,
where the client software MAY be registered.
* A value "urn:oauth:scim:reg:generic" which indicates the
assertion MAY be used with any software API deployment
environment.
5. The JWT MUST contain an "exp" (expiration) claim that limits the
time window during which the JWT can be used to register clients.
When registering clients, the registration server MUST verify
that the expiration time has not passed, subject to allowable
clock skew between systems, and reject expired JWTs. The
authorization server SHOULD NOT use this value to revoke an
existing client registration.
3. IANA Considerations
3.1. OAuth Token Endpoint Authentication Methods Registry
This specification establishes the OAuth Token Endpoint
Authentication Methods registry.
Additional values for use as "token_endpoint_auth_method" metadata
values are registered with a Specification Required ([RFC5226]) after
a two-week review period on the oauth-ext-review@ietf.org mailing
list, on the advice of one or more Designated Experts. However, to
allow for the allocation of values prior to publication, the
Designated Expert(s) may approve registration once they are satisfied
that such a specification will be published.
Registration requests must be sent to the oauth-ext-review@ietf.org
mailing list for review and comment, with an appropriate subject
(e.g., "Request to register token_endpoint_auth_method value:
example").
Within the review period, the Designated Expert(s) will either
approve or deny the registration request, communicating this decision
to the review list and IANA. Denials should include an explanation
and, if applicable, suggestions as to how to make the request
successful.
IANA must only accept registry updates from the Designated Expert(s)
and should direct all requests for registration to the review mailing
list.
Hunt & Nadalin Expires March 31, 2014 [Page 13]
�
Internet-Draft OAuth-Software-Statement-00 September 2013
3.1.1. Registration Template
Token Endpoint Authorization Method name:
The name requested (e.g., "example"). This name is case
sensitive. Names that match other registered names in a case
insensitive manner SHOULD NOT be accepted.
Change controller:
For Standards Track RFCs, state "IETF". For others, give the name
of the responsible party. Other details (e.g., postal address,
email address, home page URI) may also be included.
Specification document(s):
Reference to the document(s) that specify the token endpoint
authorization method, preferably including a URI that can be used
to retrieve a copy of the document(s). An indication of the
relevant sections may also be included but is not required.
3.1.2. Initial Registry Contents
The OAuth Token Endpoint Authentication Methods registry's initial
contents are:
o Token Endpoint Authorization Method name: "none"
o Change controller: IETF
o Specification document(s): [[ this document ]]
o Token Endpoint Authorization Method name: "bearer"
o Change controller: IETF
o Specification document(s): [[ this document ]]
o Token Endpoint Authorization Method name: "client_secret_post"
o Change controller: IETF
o Specification document(s): [[ this document ]]
o Token Endpoint Authorization Method name: "client_secret_basic"
o Change controller: IETF
o Specification document(s): [[ this document ]]
4. Security Considerations
The authorization server MUST treat the overall software statements,
as self-asserted since there is no way to prove a client is the
software it asserts to be. A rogue client might use the name and
logo for the legitimate client, which it is trying to impersonate.
An authorization server needs to take steps to mitigate this phishing
risk, since the logo could confuse users into thinking they're
logging in to the legitimate client. For instance, an authorization
Hunt & Nadalin Expires March 31, 2014 [Page 14]
�
Internet-Draft OAuth-Software-Statement-00 September 2013
server could warn if the domain/site of the logo doesn't match the
domain/site of redirect URIs. An authorization server can also
present warning messages to end users about untrusted clients in all
cases, especially if such clients have been dynamically registered
and have not been trusted by any users at the authorization server
before.
Authorization servers MAY assume that registered client software
sharing the same software assertion, software_id, and other metadata
SHOULD have similar operational behaviour metrics. Similarly,
Authorization server administrators MAY use software_id and
software_version to facilitate normal change control and approval
management of client software including:
o Approval of specific clients software for use with specific
protected resources.
o Lifecycle management and support of specific software versions as
indicated by software_version.
o Revocation of groups of client credentials and associated access
tokens when support issues or security risks identified with a
particular client software as identified by software_id and
software_version.
5. Normative References
[I-D.draft-hunt-oauth-client-association]
Hunt, P., Ed. and T. Nadalin, "OAuth Client Association",
.
[I-D.ietf-jose-json-web-key]
Jones, M., "JSON Web Key (JWK)", draft-ietf-jose-json-web-
key-16 (work in progress), September 2013.
[I-D.ietf-oauth-assertions]
Campbell, B., Mortimore, C., Jones, M., and Y. Goland,
"Assertion Framework for OAuth 2.0 Client Authentication
and Authorization Grants", draft-ietf-oauth-assertions-12
(work in progress), July 2013.
[I-D.ietf-oauth-jwt-bearer]
Jones, M., Campbell, B., and C. Mortimore, "JSON Web Token
(JWT) Profile for OAuth 2.0 Client Authentication and
Authorization Grants", draft-ietf-oauth-jwt-bearer-06
(work in progress), July 2013.
[I-D.ietf-oauth-saml2-bearer]
Campbell, B., Mortimore, C., and M. Jones, "SAML 2.0
Profile for OAuth 2.0 Client Authentication and
Hunt & Nadalin Expires March 31, 2014 [Page 15]
�
Internet-Draft OAuth-Software-Statement-00 September 2013
Authorization Grants", draft-ietf-oauth-saml2-bearer-17
(work in progress), July 2013.
[IANA.Language]
Internet Assigned Numbers Authority (IANA), "Language
Subtag Registry", 2005.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
RFC 2246, January 1999.
[RFC4627] Crockford, D., "The application/json Media Type for
JavaScript Object Notation (JSON)", RFC 4627, July 2006.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5646] Phillips, A. and M. Davis, "Tags for Identifying
Languages", BCP 47, RFC 5646, September 2009.
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, March 2011.
[RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC
6749, October 2012.
[RFC6750] Jones, M. and D. Hardt, "The OAuth 2.0 Authorization
Framework: Bearer Token Usage", RFC 6750, October 2012.
Appendix A. Acknowledgments
This draft was based upon in large part upon the work in draft-ietf-
oauth-dyn-reg-14, draft-richer-oauth-dyn-reg-core-00 and draft-
richer-oauth-dyn-reg-12 and WG discussions. The authors would like
to thank Justin Richer and the members of the OAuth Working Group.
Appendix B. Document History
[[ to be removed by the RFC editor before publication as an RFC ]]
Hunt & Nadalin Expires March 31, 2014 [Page 16]
�
Internet-Draft OAuth-Software-Statement-00 September 2013
-00
o First draft.
Authors' Addresses
Phil Hunt (editor)
Oracle Corporation
Email: phil.hunt@yahoo.com
Tony Nadalin
Microsoft
Email: tonynad@microsoft.com
Hunt & Nadalin Expires March 31, 2014 [Page 17]
