[mitreid-connect] Enforcing some attributes during Dynamic Client Registration

[Luiz Omori]

Hi,

We want to enforce some attributes for Dynamic Client Registration. The following statement can be found in the section 12.3.3 Software Statements of the book OAuth2 in Action:

“But what if we had a way to present client metadata to the authorization server in a way that the authorization server could verify that it’s coming from a trusted party? With such a mechanism, the authorization server would be able to lock down certain metadata attributes in clients and have a higher assurance that the metadata is valid. The OAuth dynamic registration protocol provides such a mechanism in the software statement.”

All seems to fit well to our requirement however I took a look at the DynamicClientRegistrationEndpoint.java implementation and I’m a bit confused on how this could be enforced. Sure, if an Software Statement is present then its signature will be verified and its claims will take precedence over any duplicated ones presented by the caller. However, the caller can simply omit that Software Statement as its presence is optional? Or am I looking at the wrong module?

Regards,
Luiz
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/mitreid-connect/attachments/20170711/1d70a61c/attachment.html