Episode 149.5 - GluuFederation/identerati-office-hours GitHub Wiki

Title: OAuth Client ID Metadata Document

Channels

Description

Clients identify themselves with their own URL, and host their metadata (name, logo, redirect URL) in a JSON document at that URL. They then use that URL as the client_id to introduce themselves to an authorization server for the first time.

The mechanism of clients identifying themselves as a URL has been in use in IndieAuth for over a decade, and more recently has been adopted by BlueSky for their OAuth API. The recent surge in interest in MCP has further demonstrated the need for this to be a standardized mechanism, and was the main driver in the latest round of discussion for the document! This could replace Dynamic Client Registration in MCP, dramatically simplifying management of clients, as well as enabling servers to limit access to specific clients if they want.
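To make the description concrete from the authorization server's side, here is an added example (not code from the episode, from Gluu, or from the draft's authors) of what an AS does when it first sees a URL-shaped client_id: it checks the URL's shape, fetches the JSON document hosted there, verifies that the document's own client_id field names exactly the URL it was fetched from, and then matches the redirect_uri from the authorization request against the published redirect_uris. The URL restrictions (https only, a domain name rather than an IP, a path without dot segments, no fragment or credentials) and the field names are this example's assumptions about the document format; the sample documents and the in-memory fetcher are constructed stand-ins for real HTTPS fetches.

```python
"""Authorization-server-side handling of a client_id that is a URL (CIMD).

Added example, not from the episode or the draft's authors. Assumptions:
the document is JSON, it must carry a client_id equal to the URL it was
fetched from, and it lists redirect_uris; the URL rules below are this
example's reading of the draft's restrictions, not a quotation of them.
"""
import ipaddress
import json
from urllib.parse import urlparse


class ClientIdError(ValueError):
    """Raised when a client_id URL or its metadata document is unacceptable."""


# Constructed sample documents keyed by the URL an AS would fetch them from.
SAMPLE_DOCUMENTS = {
    "https://app.example.com/oauth/client-metadata.json": {
        "client_id": "https://app.example.com/oauth/client-metadata.json",
        "client_name": "Example App",
        "logo_uri": "https://app.example.com/logo.png",
        "redirect_uris": ["https://app.example.com/callback"],
    },
    # A document hosted on one origin that claims another origin's client_id:
    # the AS must reject it, otherwise any host could impersonate the real client.
    "https://other.example.net/meta.json": {
        "client_id": "https://app.example.com/oauth/client-metadata.json",
        "client_name": "Not Example App",
        "redirect_uris": ["https://other.example.net/cb"],
    },
}


def fetch_document(url: str) -> str:
    """Stand-in for an HTTPS GET of the client_id URL; returns the raw body."""
    if url not in SAMPLE_DOCUMENTS:
        raise ClientIdError(f"metadata document not found at {url}")
    return json.dumps(SAMPLE_DOCUMENTS[url])


def validate_client_id_url(client_id: str) -> None:
    """Reject client_id values that do not look like a well-formed metadata URL."""
    u = urlparse(client_id)
    if u.scheme != "https":
        raise ClientIdError("client_id must use the https scheme")
    if not u.hostname or u.username or u.password:
        raise ClientIdError("client_id must have a host and no credentials")
    try:
        ipaddress.ip_address(u.hostname)
    except ValueError:
        pass  # a domain name, which is what the DNS-based trust model relies on
    else:
        raise ClientIdError("client_id host must be a domain name, not an IP")
    if u.fragment:
        raise ClientIdError("client_id must not contain a fragment")
    segments = u.path.split("/")
    if u.path in ("", "/") or any(s in (".", "..") for s in segments):
        raise ClientIdError("client_id must have a path without dot segments")


def load_client_metadata(client_id: str, fetcher=fetch_document) -> dict:
    """Fetch and validate the metadata document for a URL-shaped client_id."""
    validate_client_id_url(client_id)
    try:
        doc = json.loads(fetcher(client_id))
    except json.JSONDecodeError as exc:
        raise ClientIdError("metadata document is not valid JSON") from exc
    if not isinstance(doc, dict):
        raise ClientIdError("metadata document must be a JSON object")
    # Binding check: the document must name exactly the URL it was fetched from.
    if doc.get("client_id") != client_id:
        raise ClientIdError("client_id in document does not match the URL")
    uris = doc.get("redirect_uris")
    if not isinstance(uris, list) or not uris or not all(isinstance(r, str) for r in uris):
        raise ClientIdError("metadata document must list at least one redirect_uri")
    return doc


def check_authorization_request(client_id: str, redirect_uri: str, fetcher=fetch_document) -> tuple:
    """Return ("ok", client_name) or ("rejected", reason) for an authorization request."""
    try:
        doc = load_client_metadata(client_id, fetcher)
        # Exact string match against the published list, as for registered clients.
        if redirect_uri not in doc["redirect_uris"]:
            raise ClientIdError("redirect_uri is not listed in the metadata document")
    except ClientIdError as exc:
        return ("rejected", str(exc))
    return ("ok", doc.get("client_name", client_id))


if __name__ == "__main__":
    print(check_authorization_request(
        "https://app.example.com/oauth/client-metadata.json",
        "https://app.example.com/callback"))
```

The binding check (document client_id equals the fetched URL) is the step that turns "control of the URI" into the trust baseline: a document on another host can copy someone else's metadata, but it cannot make its own URL equal to theirs. In a real AS the fetcher would also enforce timeouts, response size limits and caching, and refuse redirects to private addresses.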

Homework

Takeaways

  • ⚡ CIMD fixes two important problems for federation: (1) it defines the RP entity ID as a URI; (2) that URI resolves to the RP metadata.
  • ⚡ For the AS, it eliminates pesky duplicate registrations. It leverages the DNS trust model as a baseline, i.e. control of the URI.
  • ⚡ Mobile apps and desktop apps can't publish Internet-accessible URIs, so workarounds are needed. For mobile apps, platform attestations and OAuth ABC authentication are a good pattern. For desktop apps, hacky solutions may be needed.
  • ⚡ Not in the livestream, but according to Leif Johanssen, apparently OpenID Federation 2.0 will support CIMD. (OpenID Federation 1.0 should be draft 43, if you're wondering.)

Livestream Audio Archive

Will be Here