> Do you disagree that this gives them control over which things talk to their servers?
Yes -- with a public client, I can impersonate a "real" app and it's basically non-detectable by the AS. For a theoretical example, if I wanted to use the Instagram API but they restrict which apps can upload photos to only their own mobile apps, I can find the client ID of their own app, then do an OAuth flow using their own client ID, and without a client secret it looks the same as their own client. I'm unlikely to be able to get arbitrary users to authorize my app because of limits and checks on the redirect URI, but I can certainly do it myself for my own account. This is the sort of false sense of security provided by the client registration step I'm talking about.
I'd love to solve the app identity problem too, but that's only possible with cooperation from the mobile OSs.
Aaron
On Fri, Feb 26, 2021 at 1:36 PM David Waite <david@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> On Feb 26, 2021, at 9:32 AM, Aaron Parecki <aaron@xxxxxxxxxxx> wrote:
>> The point is that basically nobody uses it because they don't want to allow arbitrary client registration at their ASs. That's likely due to a combination of pre-registration being the default model in OAuth for so long (the Dynamic Client Registration draft was published several years after OAuth 2.0), as well as how large corporations have decided to run their ASs where they want to have (what feels like) more control over the things talking to their servers.
> Do you disagree that this gives them control over which things talk to their servers?
> FWIW my personal mental model here is pretty simple:
> With users, there are services you provide anonymously and services you provide only to registered/authenticated/trusted parties for various reasons. Once you are delegating user access, you still have many of the same reasons to provide access to anonymous or registered/authenticated/trusted delegates.
> Dynamic registration arriving later and requiring additional complexity has unfortunately encouraged registration in use cases where anonymous clients might have been acceptable, but shifting the timelines or complexity balance would not have changed business needs for authentication and trust of delegates. Omitting registration would have caused businesses to use other protocols that met their needs.
> If ASs are only getting what feels like proper control for their business needs, we should attempt to give them the actual control they require.
> -DW
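The impersonation Aaron describes can be made concrete with a toy model of the authorization code flow with PKCE for a public client. This is an added example, not code from the thread or from any real AS; the AS URL, the client_id "firstparty-mobile", the custom-scheme redirect URI and the registration table are all constructed for illustration. It shows three things: the parameters an AS sees from the genuine first-party app and from a third party that copied its client_id differ only in per-request nonces, so the AS has no signal to reject the copy; PKCE still binds the code to whoever started the flow, so the impersonator can complete the flow for their own account; and an exact-match redirect_uri check is what stops the impersonator from routing other users' codes to a redirect URI they control.

```python
# Added example (not from the thread): toy OAuth 2.0 authorization code + PKCE
# flow for a public client, to show that client_id alone does not identify an
# app. All names (as.example, firstparty-mobile, redirect URIs) are constructed.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AS_AUTHORIZE = "https://as.example/authorize"  # hypothetical AS endpoint

# Constructed registration table: a first-party mobile app registered as a
# public client (no client_secret issued) with one exact-match redirect URI.
REGISTERED_CLIENTS = {
    "firstparty-mobile": {
        "public": True,
        "redirect_uris": {"com.example.app://oauth/callback"},
    },
}

# Parameters whose values legitimately differ on every request, so they carry
# no information about which application sent the request.
PER_REQUEST = {"state", "code_challenge"}


def pkce_pair():
    """Return (code_verifier, S256 code_challenge) per RFC 7636."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def authorization_request(client_id, redirect_uri, code_challenge, state):
    """Build the front-channel authorization request a public client sends."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "upload",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AS_AUTHORIZE + "?" + urlencode(params)


def as_authorize(url, issued):
    """AS side of the authorization endpoint: lookup plus exact redirect_uri match.

    Records the code and its challenge in `issued` (the AS's code store) and
    returns ("code", code), or ("error", reason) if the request is rejected.
    """
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    client = REGISTERED_CLIENTS.get(q.get("client_id"))
    if client is None:
        return ("error", "unknown_client")
    if q.get("redirect_uri") not in client["redirect_uris"]:
        return ("error", "invalid_redirect_uri")
    code = secrets.token_urlsafe(16)
    issued[code] = (q["client_id"], q["code_challenge"])
    return ("code", code)


def as_token(code, code_verifier, client_id, issued):
    """AS side of the token endpoint for a public client.

    With no client_secret, the PKCE verifier is the only proof presented. It
    proves the redeemer is the party that started the flow, not which app it is.
    """
    entry = issued.pop(code, None)
    if entry is None or entry[0] != client_id:
        return ("error", "invalid_grant")
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    if base64.urlsafe_b64encode(digest).rstrip(b"=").decode() != entry[1]:
        return ("error", "invalid_grant")
    return ("token", secrets.token_urlsafe(24))


def distinguishing_parameters(url_a, url_b):
    """Authorization parameters whose values differ, ignoring per-request nonces."""
    a = {k: v[0] for k, v in parse_qs(urlsplit(url_a).query).items()}
    b = {k: v[0] for k, v in parse_qs(urlsplit(url_b).query).items()}
    return {k for k in a.keys() | b.keys() if a.get(k) != b.get(k)} - PER_REQUEST


def run_flow(client_id, redirect_uri):
    """Run the whole flow as one party (genuine app or impersonator)."""
    issued = {}
    verifier, challenge = pkce_pair()
    url = authorization_request(client_id, redirect_uri, challenge, secrets.token_urlsafe(8))
    kind, value = as_authorize(url, issued)
    if kind == "error":
        return kind, value
    return as_token(value, verifier, client_id, issued)


if __name__ == "__main__":
    _, c1 = pkce_pair()
    _, c2 = pkce_pair()
    cb = "com.example.app://oauth/callback"
    genuine = authorization_request("firstparty-mobile", cb, c1, "s1")
    impostor = authorization_request("firstparty-mobile", cb, c2, "s2")
    print("AS-visible differences:", distinguishing_parameters(genuine, impostor))
    print("impersonator, own account:", run_flow("firstparty-mobile", cb)[0])
    print("impersonator, own redirect:", run_flow("firstparty-mobile", "https://attacker.example/cb"))
```

Running the block prints an empty set for the AS-visible differences, "token" for the impersonator completing the flow against their own account with the copied client_id, and an invalid_redirect_uri error when the impersonator tries to substitute a redirect URI of their own, which is exactly the split between "I can do it for my own account" and "I can't get arbitrary users to authorize my app" in the message above.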