Add software_version to identify metadata changes#67
Add software_version to identify metadata changes#67itsvs wants to merge 1 commit intooauth-wg:mainfrom
software_version to identify metadata changes#67Conversation
|
Vaguely related to #57 as well |
|
In the wild these two different URLs would be treated as two distinct clients, with no carry over between them. Is that what you're intending here? |
|
Yes. Authorization servers may wish to enforce different policies based on client capabilities, so if those vary across client versions, the versions should be treated as different clients. Updating the same client wouldn't work since multiple versions of a client might exist at any given time (e.g. if users need to update the client app). That being said, I don't think clients have to host every new software version at a separate URL. If it's something like a logo change, the client might just update |
|
As mentioned in #55, I want to dial back the answer above. I said:
But after following the trust boundary thread, I think this is more of a "may" than a "should." The different versions can link to each other to suggest to the AS that they are the same, and then it remains up to the AS to decide whether to treat them as the same client or different ones. |
3 participants
The -01 draft suggests that clients should refrain from updating metadata too frequently, and that authorization servers should expect occasional changes to metadata. It might be helpful for clients to make it easy for servers to identify when metadata has changed.
RFC 7591 provides a
software_versionfield that we could use for this purpose. This PR introduces a couple of recommendations along these lines:I briefly chatted about this with Aaron before making this PR, and I am very much open to discussing further!