[mitreid-connect] Enforcing some attributes during Dynamic Client Registration

[Justin Richer]

You are correct that currently nothing in the server requires a software statement. That could be added with a fairly simple configuration switch if you wanted to try that and send in a pull request against that class. At the very least, feel free to file an issue to make it optionally required.

 — Justin

> On Jul 11, 2017, at 2:29 PM, Luiz Omori <luiz.omori at duke.edu> wrote:
> 
> Hi,
>  
> We want to enforce some attributes for Dynamic Client Registration. The following statement can be found in the section 12.3.3 Software Statements of the book OAuth2 in Action:
>  
> “But what if we had a way to present client metadata to the authorization server in a way that the authorization server could verify that it’s coming from a trusted party? With such a mechanism, the authorization server would be able to lock down certain metadata attributes in clients and have a higher assurance that the metadata is valid. The OAuth dynamic registration protocol provides such a mechanism in the software statement.”
>  
> All seems to fit well to our requirement however I took a look at the DynamicClientRegistrationEndpoint.java implementation and I’m a bit confused on how this could be enforced. Sure, if an Software Statement is present then its signature will be verified and its claims will take precedence over any duplicated ones presented by the caller. However, the caller can simply omit that Software Statement as its presence is optional? Or am I looking at the wrong module?
>  
> Regards,
> Luiz
> _______________________________________________
> mitreid-connect mailing list
> mitreid-connect at mit.edu <mailto:mitreid-connect at mit.edu>
> http://mailman.mit.edu/mailman/listinfo/mitreid-connect <http://mailman.mit.edu/mailman/listinfo/mitreid-connect>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/mitreid-connect/attachments/20170712/a8c52d7e/attachment.html