registration_ access_ token
Registry Context
A bearer token returned to the client or developer for authenticated management of a client's registration at its client configuration endpoint.
Technical Summary
A required top-level string member of the client information response. It is an OAuth 2.0 Bearer Token bound to the client identifier and used for all calls to the client configuration endpoint.
When Used
Returned in client information responses and presented on subsequent read, update, or delete requests to the client configuration endpoint.
Normative Requirements
Clients
RFC 7592 - Section 2
Use its registration access token as an OAuth 2.0 Bearer Token in all calls to the client configuration endpoint..
Condition: When calling the client configuration endpoint.
The client MUST use its registration access token in all calls to this endpoint as an OAuth 2.0 Bearer Token
RFC 7592 - Section Appendix A.1
Discard the old registration access token..
Condition: When a new registration access token is returned.
the old registration access token MUST be discarded by the client
Authorization servers
RFC 7592 - Section 5
Ensure the registration access token contains sufficient entropy to prevent random guessing attacks..
Condition: When issuing a registration access token.
the registration access token MUST contain sufficient entropy to prevent a random guessing attack
RFC 7592 - Section 5
Invalidate every outstanding registration access token for a client at the same time the client is deprovisioned..
Condition: When deprovisioning a client.
any outstanding registration access token for that client MUST be invalidated at the same time
RFC 7592 - Section 5
Treat requests using an outstanding registration access token for a deprovisioned client as having an invalid token and return HTTP 401 Unauthorized..
Condition: When receiving such a request after the client has been deprovisioned.
The authorization server MUST treat all such requests as if the registration access token was invalid by returning an HTTP 401 Unauthorized error
RFC 7592 - Section Appendix A.1
Include the client's current registration access token in the client information response..
Condition: When returning the client information response for a read or update request.
The client's current registration access token and client credentials (if applicable) MUST be included in the client information response.
RFC 7592 - Section 3
Include `registration_access_token` as a string containing the access token used at the client configuration endpoint..
Condition: When returning a client information response under RFC 7592.
registration_access_token REQUIRED. String containing the access token
RFC 7592 - Section 5
Allow the registration access token to expire..
Condition: While the client remains actively registered.
the registration access token SHOULD NOT expire while a client is still actively registered
RFC 7592 - Section Appendix A.1
Rotate the registration access token only in response to a read or update request to the client configuration endpoint..
Condition: When rotating a registration access token.
The registration access token SHOULD be rotated only in response to a read or update request
RFC 7592 - Section Appendix A.1
Discard the old registration access token if possible..
Condition: When a new registration access token is returned.
it SHOULD be discarded by the server, if possible
RFC 7592 - Section 5
Rotate the registration access token..
Condition: When the developer or client performs a read or update operation on the client configuration endpoint.
the registration access token MAY be rotated when the developer or client does a read or update operation
developer or client
RFC 7592 - Section 5
Protect the registration access token as described in RFC 6750..
it MUST be protected by the developer or client as described in the OAuth 2.0 Bearer Token Usage specification
Validation Guidance
Verify `registration_access_token` is present as a string in every RFC 7592 client information response.
Verify every call to the client configuration endpoint presents the registration access token as an OAuth 2.0 Bearer Token.
Verify read and update client information responses include the client's current registration access token.
Verify token rotation occurs only in a read or update response from the client configuration endpoint.
Verify the client discards the previous token after receiving a new registration access token.
Verify the server discards the previous token after rotation when possible.
Verify registration access tokens do not expire while their clients remain actively registered.
Verify registration access tokens are protected according to RFC 6750 and have sufficient entropy to resist guessing attacks.
Verify deprovisioning a client invalidates all its outstanding registration access tokens and subsequent use returns HTTP 401 Unauthorized.
Security Notes
RFC 7592 - Section 5
Possession of the token can authorize reading, modifying, or deleting a client's registration, including client credentials.
RFC 7592 - Section Appendix A
Sharing a registration access token between client instances can allow one instance to change or delete registration values for the others.
Reference
Details
- Entry Id
registration_access_ token - Client Metadata Name
registration_access_ token - Client Metadata Description
OAuth 2.0 Bearer Token used to access the client configuration endpoint- Change Controller
IESG- Reference
RFC7592