Phil, I think the horse is out of the barn on implicit flow.
Many websites use implicit rather than code now, it is no worse, and perhaps better than using code flow with a client that is not confidential( though Dynamic registration can dix the public client code flow problem for native apps etc) Implicit as you well know relies on registration of the redirect URI to identify the client. There may be multiple JS apps in browsers all using JS from the same redirect URI, but I don't think that should preclude the backend website from using an API to register. Turning off dynamic registration entirely for implicit flow is overkill. A registration server is free to not allow dynamic registration of implicit clients if that is it's policy. In general I have a hard time seeing implicit clients with a server component using dynamic registration directly. I suppose there may be HTML5 based clients that are loaded as browser extensions and use implicit, without having a server based redirect. Those can be as long lived as any native app. If clean up is an issue it is one for code flow as well. John B. On 2013-05-24, at 2:35 PM, Phil Hunt <phil.h...@oracle.com> wrote: > I wanted to bring out a quick discussion to ask the question if it makes > sense to support implicit clients in dynamic registration. > > By definition, implicit clients are unauthenticated. Therefore the only > purpose to register an implicit client is to obtain a client_id with a > particular AS instance. > > A few issues to consider: > * Implicit clients typically run in browsers (javascript). Do we really want > each occurrence of a browser running a client to register? > --> This could mean even the same browser running implicit flow repeat > times, would register repeatedly. > --> If registration occurs per occurrence, what is the value? > > * What use cases typically occur for deployment against different AS and > Resource API instances? > --> Eg. I can see a javascript component of a web site that uses a > corresponding resource API. So it may be possible that the javascript and > the resource API are running in the same domain. In this case, the > javascript code, though written as part of a shared library/distribution, is > still bound to a configured AS deployment. Is it really dynamic? If this is > the case, wouldn't an OOB registration that updates the client_id in the > deployment be better suited? > --> Are there any examples of javascript clients that need to connect to > one or more AS servers on a truly dynamic basis? > > * Is there a DOS attack possible (even unintentionally) because implicit > clients will start to register frequently creating huge numbers of client_ids > that cause spin-off provisioning issues depending on how AS registration, > token, and policy systems are implemented? > > Apparently OIDC and UMA had these profiles supported before, but I'm really > trying to understand why implicit clients should have dynamic registration > support. Would appreciate any discussion on this. At minimum, there are > probably some security considerations we need to think through and document. > > Thanks for your comments, > > Phil > > @independentid > www.independentid.com > phil.h...@oracle.com > > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
