Add Security Consideration for Client Metadata Changes #45

@btiernay

Description

Summary: The specification could benefit from a brief security consideration noting that client metadata documents can change over time, which authorization servers should consider when implementing caching and grant management policies.

Current Specification Language

From Section 6.3 Changes in Client Keys:

If the authorization server notices that the jwks_uri or the contents at the jwks_uri have changed compared to the last time it fetched the metadata, the authorization server MAY take actions such as revoking any tokens issued to this client, or revoking the user's consent for this client. The particular actions to take are left up to the discretion of the authorization server based on its own risk assessment.

This addresses key changes but doesn't mention the broader implications when other metadata fields change.

Rationale

Client metadata documents are served from URLs under client control and can be updated at any time. While Section 4.3 Metadata Caching provides HTTP caching guidance, authorization servers should consider the security implications when other fields change as well.

For example, changes to redirect_uris could potentially enable redirect hijacking if not properly validated, modifications to token_endpoint_auth_method change the authentication security model, and updates to scope or grant_types could affect the authorization scope of existing grants. Even changes to display fields like client_name or logo_uri could be part of client impersonation attacks.

This isn't about defining specific policies, but raising awareness that metadata mutability beyond just keys is something authorization servers should consider in their risk assessments.

Recommendation

Adding a brief paragraph to Section 6 Security Considerations:

Changes in Client Metadata

Authorization servers should be aware that client metadata documents can change over time since they are served from URLs under client control. Beyond the key changes addressed in Section 6.3, authorization servers should consider the security implications when other metadata fields change, such as redirect_uris, token_endpoint_auth_method, scope, grant_types, or display fields like client_name and logo_uri.

Significant changes to client metadata may affect the trust relationship between the authorization server and the client, and could impact the validity of previously granted user consent. Authorization servers may choose to invalidate existing grants, require fresh user consent, or implement other policies when certain types of metadata changes are detected. The appropriate response will depend on the authorization server's risk tolerance and operational requirements.

Related Work

Implementation Impact

This adds minimal text while raising awareness of an important security consideration. It doesn't prescribe specific behaviors but helps implementers think about metadata mutability in their designs.
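The kind of check the proposed paragraph asks authorization servers to think about, as an added example written for this issue (not code from the specification, the draft authors, or any project): it diffs a cached client metadata document against a freshly fetched one, singles out the fields the issue names (keys, redirect_uris, token_endpoint_auth_method, scope, grant_types, display fields), and maps each kind of change to an action. The action vocabulary, the policy table, the assumed `jwks_fingerprint` field and the sample documents are assumptions constructed for illustration; real policy is left to the server's risk assessment, exactly as the issue says.

```python
"""Classify changes between two fetches of a client metadata document and map
them to authorization-server actions.

Added example for this issue; not part of the specification or any project.
Field names follow RFC 7591 client metadata. The action names, the policy
table and the sample documents are assumptions constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, field

# Assumed action vocabulary for this example.
REVOKE_TOKENS = "revoke_tokens"          # invalidate issued tokens / grants
REQUIRE_RECONSENT = "require_reconsent"  # prompt the user again on next authorization
FLAG_FOR_REVIEW = "flag_for_review"      # surface to operators, no automatic change


@dataclass
class MetadataDiff:
    changed: dict = field(default_factory=dict)  # field -> (old_value, new_value)
    actions: set = field(default_factory=set)
    notes: list = field(default_factory=list)


def _as_set(value):
    """Normalise list-valued and space-delimited (scope) fields for set comparison."""
    if value is None:
        return set()
    if isinstance(value, str):
        return set(value.split())
    return set(value)


def jwks_fingerprint(jwks: dict) -> str:
    """Stable hash of a fetched JWK Set so a change in the contents at jwks_uri
    can be detected without storing the keys themselves (assumed representation)."""
    canonical = json.dumps(jwks, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_client_metadata(old: dict, new: dict) -> MetadataDiff:
    """Compare a cached metadata document with a freshly fetched one.

    The caller may add an assumed ``jwks_fingerprint`` key to each document
    (see jwks_fingerprint) so that changed key material is caught even when
    the jwks_uri value itself is unchanged.
    """
    d = MetadataDiff()
    for key in sorted(set(old) | set(new)):
        if old.get(key) != new.get(key):
            d.changed[key] = (old.get(key), new.get(key))

    # Section 6.3: key material changed. Treat as rotation or compromise.
    if any(k in d.changed for k in ("jwks_uri", "jwks", "jwks_fingerprint")):
        d.actions |= {REVOKE_TOKENS, REQUIRE_RECONSENT}
        d.notes.append("client keys changed")

    # redirect_uris: additions are the redirect-hijacking direction; removals
    # leave grants bound to a URI that is no longer registered.
    if "redirect_uris" in d.changed:
        before, after = (_as_set(v) for v in d.changed["redirect_uris"])
        added, removed = after - before, before - after
        if added:
            d.actions |= {REQUIRE_RECONSENT, FLAG_FOR_REVIEW}
            d.notes.append(f"redirect_uris added: {sorted(added)}")
        if removed:
            d.actions.add(REVOKE_TOKENS)
            d.notes.append(f"redirect_uris removed: {sorted(removed)}")

    # token_endpoint_auth_method: moving to 'none' weakens client authentication,
    # so refresh tokens issued under the stronger method should not survive it.
    if "token_endpoint_auth_method" in d.changed:
        before, after = d.changed["token_endpoint_auth_method"]
        if after == "none" and before != "none":
            d.actions |= {REVOKE_TOKENS, FLAG_FOR_REVIEW}
            d.notes.append("client authentication downgraded to none")
        else:
            d.actions.add(FLAG_FOR_REVIEW)
            d.notes.append(f"auth method changed: {before} -> {after}")

    # scope / grant_types: expansion goes beyond what the user consented to.
    for key in ("scope", "grant_types"):
        if key in d.changed:
            before, after = (_as_set(v) for v in d.changed[key])
            if after - before:
                d.actions.add(REQUIRE_RECONSENT)
                d.notes.append(f"{key} expanded: {sorted(after - before)}")
            else:
                d.actions.add(FLAG_FOR_REVIEW)

    # Display fields: the consent screen the user saw showed the old identity.
    for key in ("client_name", "logo_uri", "client_uri"):
        if key in d.changed:
            d.actions |= {REQUIRE_RECONSENT, FLAG_FOR_REVIEW}
            d.notes.append(f"display field changed: {key}")
    return d


# Constructed sample documents (not from any real client).
CACHED = {
    "client_id": "https://app.example/.well-known/oauth-client",
    "client_name": "Example App",
    "redirect_uris": ["https://app.example/cb"],
    "token_endpoint_auth_method": "private_key_jwt",
    "jwks_uri": "https://app.example/jwks.json",
    "scope": "openid profile",
    "grant_types": ["authorization_code", "refresh_token"],
}
FETCHED = dict(CACHED, redirect_uris=["https://app.example/cb", "https://cb.other.example/"],
               token_endpoint_auth_method="none", scope="openid profile email")

if __name__ == "__main__":
    result = diff_client_metadata(CACHED, FETCHED)
    for note in result.notes:
        print("-", note)
    print("actions:", sorted(result.actions))
```

Run against the constructed documents, the diff reports an added redirect URI, an authentication downgrade and a scope expansion, and the resulting action set is all three of revoke, re-consent and review. An identical document produces no actions, and a changed `jwks_fingerprint` alone reproduces the Section 6.3 case.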
