| TOC |
|
This specification proposes an OAuth Dynamic Client Registration protocol.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”
This Internet-Draft will expire on January 29, 2011.
Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
1.
Introduction
1.1.
Notational Conventions
1.2.
Terminology
2.
Requirements
2.1.
The client needs to be uniquely identifiable by the authorization server
2.2.
The authorization server must be able to retrieve metadata about
a client for later user interaction
2.3.
The authorization server must have the option of strongly
authenticating the client and its metadata
2.4.
Dynamic client registration must be possible from both web-server applications
and native applications
2.5.
Data integrity must be ensured in large deployments where data
propagation can be an issue
3.
Analysis of Registration Flow Options
4.
Discovery of client registration endpoint
5.
Client Registration with Pushed Metadata
5.1.
Overview
5.2.
Client Registration Request
5.3.
Client Registration Response
5.4.
Error Message
6.
Client Registration with Pulled Metadata
6.1.
Overview
6.2.
Client Registration Request
6.3.
Client Discovery
6.4.
Client Registration Response
6.5.
Unsuccessful Client Discovery
6.6.
Error Message
7.
Security Considerations
Appendix A.
TODOs
Appendix B.
Acknowledgements
Appendix C.
Document History
8.
Normative References
§
Authors' Addresses
| TOC |
In some use-case scenarios it is desirable or necessary to allow OAuth clients to obtain authorization from an OAuth authorization server without the two parties having previously interacted. Nevertheless, in order for the authorization server to accurately represent to end-users which client is seeking authorization to access the end-user's resources, a method for automatic and unique registration of clients is needed.
The goal of this proposed registration protocol is for an authorization server to provide a client with a client identifier and optionally a client secret in a dynamic fashion. To accomplish this, the authorization server must first be provided with information about the client, with the client-name being the minimal information provided. In practice, additional information will need to be furnished to the authorization server, such as the client's homepage, icon, description, and so on.
This informal draft discusses a number of requirements for and approaches to automatic registration of clients to the OAuth authorization server, with special emphasis on the needs of the OAuth-based User-Managed Access protocol [[provide citation]].
| TOC |
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in [RFC2119] (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.).
This document uses the Augmented Backus-Naur Form (ABNF) notation of [I‑D.ietf‑httpbis‑p1‑messaging] (Fielding, R., Gettys, J., Mogul, J., Nielsen, H., Masinter, L., Leach, P., Berners-Lee, T., and J. Reschke, “HTTP/1.1, part 1: URIs, Connections, and Message Parsing,” March 2010.). Additionally, the realm and auth-param rules are included from [RFC2617] (Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A., and L. Stewart, “HTTP Authentication: Basic and Digest Access Authentication,” June 1999.).
Unless otherwise noted, all the protocol parameter names and values are case sensitive.
| TOC |
- resource server
- A server capable of accepting and responding to protected resource requests.
- client
- An application obtaining authorization and making protected resource requests.
- authorization server
- A server capable of issuing tokens after successfully authenticating the resource owner and obtaining authorization. The authorization server may be the same server as the resource server, or a separate entity.
- end-user authorization endpoint
- The authorization server's HTTP endpoint capable of authenticating the end-user and obtaining authorization.
- token endpoint
- The authorization server's HTTP endpoint capable of issuing tokens and refreshing expired tokens.
- client identifier
- An unique identifier issued to the client to identify itself to the authorization server. Client identifiers may have a matching secret.
- client registration endpoint
- The authorization server's HTTP endpoint capable of issuing client identifiers and optional client secrets.
| TOC |
In addition to the following general requirements for dynamic client registration, the User-Managed Access (UMA) protocol seeks to optimize for the design principles and requirements found in the UMA Requirements document [[provide citation]], for example, principles having to do with promoting simplicity and generativity (unexpected reuse), avoiding undue cryptography burden, and pushing complexity to the authorization server from other entities.
| TOC |
In order for an authorization server to do proper user-delegated authorization and prevent unauthorized access it must be able to identify clients uniquely. As is done today in OAuth, the client credentials should thus be issued by the authorization server and not simply accepted as proposed by the client.
| TOC |
In order for the authorization server to describe a client to the end-user in an authorization step it needs information about the client. This can be the client name at a minimum, but today servers usually request at least a description, a homepage URL, and an icon when doing manual registration.
| TOC |
In order to prevent spoofing of clients, the authorization server should have the option to verify the provided information. This might be solved using signature verification; relatively weaker authentication might be achieved in a simpler way by pulling metadata from a trusted client URL.
| TOC |
Native applications on (e.g.) mobile devices have special limitations, so alternative solutions to meeting this set of requirements must be sought.
In the UMA context, one type of dynamic client registration may be in a sub-process of a larger process where a requester (an enhanced type of OAuth client) approaches an authorization manager (an enhanced type of OAuth authorization server), without having interacted before, seeking an access token. The requester may be any kind of OAuth client; we anticipate that web servers and native applications are the most important kinds of client for which a dynamic registration solution will be sought.
| TOC |
When a client sends information to a server endpoint, it might take time for this data to propagate through big server installations that spread across various data centers. Care needs to be taken that subsequent interactions with the user after the registration process, such as an authorization request, show the correct data.
In the UMA context, one type of dynamic client registration may be in a sub-process of a larger process where an authorizing user (an enhanced role for an OAuth end-user) introduces a host (an enhanced type of OAuth resource server) to an authorization manager (an enhanced type of OAuth authorization server) as a client of it. If this host has never "met" this authorization manager before, it must obtain unique credentials to use there. Even though such credentials are needed no matter which end-user caused the registration process to take place, the end-user may need to wait for the sub-process to finish in order to continue with the introduction and policy configuration process.
| TOC |
There are different approaches one can take to exchange client metadata for client credentials.
It seems impossible to specify a single registration flow that will satisfy all requirements, deployment needs, and client types. This document, therefore, presents as small a variety of options as possible, organized according to client capabilities much as OAuth's client profiles are.
| TOC |
Regardless of flow option, the client needs to discover the authorization server's client registration endpoint.
The client MUST use the [RFC5785] (Nottingham, M. and E. Hammer-Lahav, “Defining Well-Known Uniform Resource Identifiers (URIs),” April 2010.) and [I‑D.hammer‑hostmeta] (Hammer-Lahav, E., “Web Host Metadata,” June 2010.) discovery mechanisms to learn about the URI of the client registration endpoint at the authorization server at which the client wants to register. The authorization server MUST provide a host-meta document containing a Link element with a rel value of: http://oauth.net/as/registration
For example:
<XRD>
<Host>http://server.example.com</Host>
<Link rel="http://oauth.net/as/registration"
href="https://server.example.com/register">
<Title>Client Registration Endpoint</Title>
</Link>
</XRD>
| TOC |
| TOC |
This registration flow is intended only for clients that do not support having an authorization server pull metadata from them, for example, web-server clients behind a firewall. It works as follows:
+--------+ +---------------+ | Client |--(A)--- Registration Request --->| Authorization | | | with Metadata | Server | | | | | | |<-(B)----Registration Response ---| | | | with Client Credentials | | +--------+ +---------------+
| Figure 1: Client Registration Flow with Pushed Metadata |
| TOC |
The client sends a JSON formatted document to the client registration endpoint. The client includes the following parameters in the request:
- type
- REQUIRED. This parameter must be set to "push".
- client_name
- REQUIRED. This field must contain the human-readable name of the client.
- client_url
- REQUIRED. This field contains the URL of the homepage of the client.
- client_desc
- REQUIRED. This field must contain the description of the client.
- client_icon
- OPTIONAL. If given, this field contains a URL to an icon for the client.
- redirect_url
- REQUIRED. This field contains the URL to which the authorization server should send its response. [[Must it use https?]]
The client MAY include additional metadata in the request and the authorization server MAY ignore this additional information.
[[Say something about how to sign the metadata, and how it can be verified.]]
For example, the client might send the following request:
POST /register HTTP/1.1
Host: server.example.com
Content-Type: application/json
{
type: "push",
client_name: "Online Photo Gallery",
client_url: "http://onlinephotogallery.com",
client_desc: "Not only uploading, but also editing capabilities!",
client_icon: "http://onlinephotogallery.com/icon.png",
redirect_url: "https://onlinephotogallery.com/client_reg"
}
The parameters are included in the entity body of the HTTP request using the "application/json" media type as defined by [RFC4627]. The parameters are serialized into a JSON structure by adding each parameter at the highest structure level. Parameter names and string values are included as JSON strings.
| TOC |
After receiving and verifying information received from the client, the authorization server issues the client identifier and an optional client secret, and constructs the response by adding the following parameters to the entity body of the HTTP response with a 200 status code (OK):
- client_id
- REQUIRED.
- client_secret
- OPTIONAL.
- issued_at
- OPTIONAL. Specifies the timestamp when the credentials were issued. The timestamp value MUST be a positive integer. The value is expressed in the number of seconds since January 1, 1970 00:00:00 GMT.
- expires_in
- OPTIONAL; if supplied, the issued_at parameter is REQUIRED. Specifies the valid lifetime, in seconds, of the credentials. The value is represented in base 10 ASCII.
The parameters are included in the entity body of the HTTP response using the "application/json" media type as defined by [RFC4627]. The parameters are serialized into a JSON structure by adding each parameter at the highest structure level. Parameter names and string values are included as JSON strings.
The authorization server MUST include the HTTP Cache-Control response header field with a value of no-store in any response containing client_secret.
For example, the authorization server might return the following response:
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
{
client_id: "5UO9XcL4TQTa",
client_secret: ”WdRKN3zeTc20”
}
| TOC |
If the request for registration is invalid or unauthorized, the authorization server constructs the response by adding the following parameters to the entity body of the HTTP response with a 400 status code (Bad Request) using the “application/json” media type:
An example error response (with line breaks for readability)
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
{
"error": "unauthorized_client",
"description": "This client is not on the
white list of this Authorization Server"
}
| TOC |
| TOC |
This registration flow is intended generally for most clients, which are expected to support having an authorization server pull metadata from them, for example, web-server clients that are not behind a firewall, and instances of native-app clients that have a server-side application that functions as a "registration proxy" for them. It works as follows:
+--------+ +---------------+ | Client |--(A)--- Registration Request --->| Authorization | | | with URL | Server | | | | | | |<-(B)--- Client Discovery --------| | | | | | | |--(C)---- Host-Meta Document ---->| | | | | | | |<-(D)--- Registration Response ---| | | | with Client Credentials | | +--------+ +---------------+
| Figure 2: Client Registration Flow with Pulled Metadata |
| TOC |
The client sends a JSON formatted document to the client registration endpoint. The client includes the following parameters in the request:
- type
- REQUIRED. This parameter must be set to "pull".
- client_url
- REQUIRED. This field contains the URL of the homepage of the client.
The client MUST NOT include other metadata parameters, such as those defined in the pushed-metadata scenario. [[Correct? Need error condition for this?]]
For example, the client might send the following request:
POST /register HTTP/1.1
Host: server.example.com
Content-Type: application/json
{
type: "pull",
url: "http://onlinephotogallery.com"
}
The parameters are included in the entity body of the HTTP request using the "application/json" media type as defined by [RFC4627]. The parameters are serialized into a JSON structure by adding each parameter at the highest structure level. Parameter names and string values are included as JSON strings.
| TOC |
The authorization server evaluates this request and MAY perform a [RFC5785] (Nottingham, M. and E. Hammer-Lahav, “Defining Well-Known Uniform Resource Identifiers (URIs),” April 2010.) and [I‑D.hammer‑hostmeta] (Hammer-Lahav, E., “Web Host Metadata,” June 2010.) discovery mechanism on the provided URL to the host-meta document for the client.
For example:
GET /.well-known/host-meta HTTP/1.1
Host: server.example.com
The authorization server retrieves the host-meta document, which MUST contain:
For example:
<XRD>
<Host>http://onlinephotogallery.com</Host>
<Property type="http://oauth.net/client/name">
Online Photo Gallery
</Property>
<Property type="http://oauth.net/client/description">
Not only uploading, but also editing capabilities!
</Property>
<Link rel="http://oauth.net/client/uri"
href="http://onlinephotogallery.com">
<Title>Client URI</Title>
</Link>
<Link rel="http://oauth.net/client/redirect_uri"
href="https://onlinephotogallery.com/client_reg">
<Title>Client Redirect URI</Title>
</Link>
<Link rel="http://oauth.net/client/icon"
href="http://onlinephotogallery.com/icon.png">
<Title>Client Icon</Title>
</Link>
</XRD>
| TOC |
After receiving and verifying information retrieved from the client, the authorization server issues the client identifier and an optional client secret, and constructs the response by adding the following parameters to the entity body of the HTTP response with a 200 status code (OK):
The parameters are included in the entity body of the HTTP response using the "application/json" media type as defined by [RFC4627]. The parameters are serialized into a JSON structure by adding each parameter at the highest structure level. Parameter names and string values are included as JSON strings.
The authorization server MUST include the HTTP Cache-Control response header field with a value of no-store in any response containing the client_secret.
For example the authorization server might return the following response:
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
{
"client_id":"5UO9XcL4TQTa",
"client_secret":”WdRKN3zeTc20”
}
| TOC |
If the host-meta discovery was not successful, the authorization server constructs the response by adding the following parameters to the entity body of the HTTP response with a 404 status code (Not Found) using the application/json media type:
An example error response (with line breaks for readability)
HTTP/1.1 404 Not Found
Content-Type: application/json
Cache-Control: no-store
{
"error": "hostmeta_error",
"description": "The hostmeta document could
not have been retrieved from the URL."
}
| TOC |
If the request for registration is invalid or unauthorized, the authorization server constructs the response by adding the following parameters to the entity body of the HTTP response with a 400 status code (Bad Request) using the “application/json” media type:
An example error response (with line breaks for readability)
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
{
"error": "unauthorized_client",
"description": "This client is not on the
white list of this Authorization Server"
}
| TOC |
[[TBS: Thomas has suggested we include the merits of pull over push and the vulnerabilities in the native-app scenario here.]]
| TOC |
| TOC |
[[ Add further WG contributors ]]
| TOC |
[[ to be removed by RFC editor before publication as an RFC ]]
| TOC |
| [I-D.hammer-hostmeta] | Hammer-Lahav, E., “Web Host Metadata,” draft-hammer-hostmeta-13 (work in progress), June 2010 (TXT). |
| [I-D.ietf-httpbis-p1-messaging] | Fielding, R., Gettys, J., Mogul, J., Nielsen, H., Masinter, L., Leach, P., Berners-Lee, T., and J. Reschke, “HTTP/1.1, part 1: URIs, Connections, and Message Parsing,” draft-ietf-httpbis-p1-messaging-09 (work in progress), March 2010 (TXT). |
| [RFC2119] | Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, March 1997 (TXT, HTML, XML). |
| [RFC2617] | Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A., and L. Stewart, “HTTP Authentication: Basic and Digest Access Authentication,” RFC 2617, June 1999 (TXT, HTML, XML). |
| [RFC5785] | Nottingham, M. and E. Hammer-Lahav, “Defining Well-Known Uniform Resource Identifiers (URIs),” RFC 5785, April 2010 (TXT). |
| TOC |
| Christian Scholz (editor) | |
| COM.lounge GmbH | |
| Email: | cs@comlounge.net |
| URI: | http://comlounge.net |
| Maciej Machulak | |
| Newcastle University | |
| Email: | m.p.machulak@ncl.ac.uk |
| URI: | http://ncl.ac.uk/ |
| Eve Maler | |
| PayPal | |
| Email: | eve@xmlgrrl.com |
| URI: | http://www.paypal.com/ |