Dynamic Client Registration & Management

Comments (11)

1. 

   Joseph Heenan

   This came up on today’s call, in particular that lack of DCR and in particular the client management endpoint made it harder to perform some of the migrations necessary for OPs to move from the OpenBanking UK security profile over to FAPI - for example, it was hard at some banks to change a client from using RS256 to using PS256, or to move from client_secret_basic to private_key_jwt, and in particular to easily allow the change to be made at a time of the RPs choosing, and without registering a whole new client (which would invalidate existing refresh tokens/access tokens).

   • 2020-10-07T14:27:48+00:00
2. 

   Torsten Lodderstedt

   I consider such a migration a deployment/scheme specific exercise. I don’t think it requires a standardized client management API. Moreover, client management is an experimental RFC for good reasons. There is a lack of implementation experience.

   • 2020-10-10T10:05:40+00:00
3. 

   Daniel Fett

   I would also consider this deployment-specific. FAPI will be used in many environments where DCR is not applicable.

   • 2020-10-21T13:57:18+00:00
4. 

   Stuart Low

   I think it’s reasonable to not mandate DCR in FAPI 2 but a recommendation with existing experiences might be useful?

   • 2020-10-21T15:04:45+00:00
5. 

   Dima Postnikov

   I agree this is deployment specific. Although, for those deployments that require it, some recommendations, guidelines or even optional part of the specification would be helpful.

   Alternatively, every jurisdiction will do it their way which potentially creates additional threat vectors.

   • 2020-10-21T16:30:41+00:00
6. 

   Daniel Fett

   I wonder if we should start a “FAPI Best Practices” document. DCR (or client registration & management in general) might be one topic. The remarks from Francis on session management could also go into it: https://bitbucket.org/openid/fapi/issues/293/pkce-nonce-security-considerations#comment-57690949

   • 2020-11-08T11:00:31+00:00
7. 

   Torsten Lodderstedt

   Hi support this proposal. As far as I remember we had started a discussion re client management practices when Dima and Stuart joined the WG. @Dima Postnikov haven’t you started a document to compare approaches back then?

   • 2020-11-08T11:46:19+00:00
8. 

   Joseph Heenan

   wonder if we should start a “FAPI Best Practices” document. 

   We have an ‘implementation and deployment advice’ document, so I think this could potentially go in there.

   • 2020-11-09T10:34:16+00:00
9. 

   Daniel Fett

   Changing the component marker accordingly.

   • 2020-11-11T14:06:40+00:00
10. 

    Daniel Fett

    • changed component to Implementation & Deployment Advice

    • 2020-11-11T14:06:52+00:00
11. 

    Nat Sakimura

    • changed status to open

    We should get focus back on the deployment advise document.

    • 2023-07-05T14:39:44+00:00
12. Log in to comment