I would like to encourage people to read the client association draft before monday. http://tools.ietf.org/html/draft-hunt-oauth-client-association-00.txt and the related http://tools.ietf.org/html/draft-hunt-oauth-software-statement-00.txt
Most of the draft just focuses on background and taxonomy. If you are not interested, focus in on the dynamic association section. I believe you will find this alternate stateless approach to be very simple to implement and uses a well established pattern. My position is that while the new approach represents a major change to OIDC implementors, the benefits outweigh the costs as it will make Connect much easier to support for service providers. The key difference in approaches is that the software statement serves as a way to lock-down registration profiles that allow servers (and their policy systems) to recognize different types of client software. Note that nothing about using software statements prevents developers from self-asserting registration. Those scenarios can continue to work. The key benefit to service providers and client developers is that the number of variations for registration options is dramatically reduced. The registration becomes a simple assertion swap with any allowable per-client overrides as an exception rather than the norm. IOW -- client association places different emphasis on what happens when. Client association assumes software characteristics are known at packaging time and does not vary widely (from the client side) other than having to handle different authentication policies of the various service providers. I've already spent more text here explaining the difference than the core of the draft takes to explain the registration. So please read the draft before our discussion on monday. Phil @independentid www.independentid.com phil.h...@oracle.com
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
