software_ id
Registry Context
`software_id` identifies client software rather than a particular registered instance. It should remain stable across instances, updates, and versions, and may be included in a software statement.
Technical Summary
RFC 7591 defines `software_id` as an optional client metadata string assigned by the client developer or software publisher. Registration endpoints use it to identify client software being dynamically registered. When trusted software-statement metadata and plain JSON metadata conflict, the software-statement value takes precedence.
When Used
During OAuth 2.0 dynamic client registration, particularly to identify related instances or versions of client software and when registration uses software statements.
Normative Requirements
Authorization servers
RFC 7591 - Section 3.1.1
give client metadata values conveyed in a software statement precedence over values conveyed using plain JSON elements.
Condition: if the authorization server supports software statements
If the server supports software statements, client metadata values conveyed in the software statement MUST take precedence over those conveyed using plain JSON elements.
RFC 7591 - Section 5
treat `software_id` and other client metadata as self-asserted.
Condition: unless the metadata is used as a claim in a software statement
Unless used as a claim in a software statement, the authorization server MUST treat all client metadata as self-asserted.
RFC 7591 - Section 5
take appropriate steps to mitigate impersonation or false-association risks by considering the entire registration request and client configuration.
Condition: when processing self-asserted client metadata such as `software_id`
an authorization server MUST take appropriate steps to mitigate this risk by looking at the entire registration request and client configuration.
RFC 7591 - Section 5
consider the full registration request, including the software statement, initial access token, and JSON client metadata values.
Condition: when deciding whether to honor a registration request
An authorization server MUST consider the full registration request, including the software statement, initial access token, and JSON client metadata values, when deciding whether to honor a given registration request.
RFC 7591 - Section 5
treat a suspected duplicate registration as suspect and reject it.
Condition: if the client is not intended to have multiple simultaneous registrations and duplication can be inferred, such as from matching `software_id` and `software_version` values
the server SHOULD treat the new registration as being suspect and reject the registration.
client developer or software publisher
RFC 7591 - Section 2
keep `software_id` the same for all instances of the client software.
the "software_id" SHOULD remain the same for all instances of the client software.
RFC 7591 - Section 2
keep `software_id` the same across multiple updates or versions of the same software.
The "software_id" SHOULD remain the same across multiple updates or versions of the same piece of software.
software statement producer
RFC 7591 - Section 2.3
include the `software_id` claim in a software statement.
Condition: to allow authorization servers to correlate different instances of software using the same software statement
It is RECOMMENDED that software statements contain the "software_id" claim to allow authorization servers to correlate different instances of software using the same software statement.
Validation Guidance
Verify that `software_id` remains stable across instances, updates, and versions of the same client software.
When a software statement is intended to support cross-instance correlation, verify that it contains the `software_id` claim.
If the authorization server supports software statements and `software_id` appears in both sources, verify that the software-statement value takes precedence over the plain JSON value.
Do not treat a plain JSON `software_id` as independently verified identity; evaluate it with the entire registration request and client configuration for impersonation or false-association risks.
Where only one simultaneous registration is expected, flag and reject suspected duplicates identified through matching `software_id`, `software_version`, or other registration characteristics.
Security Notes
RFC 7591 - Section 5
A rogue client can copy the `software_id` or `software_version` of legitimate software to create a false association. RFC 7591 therefore requires authorization servers to evaluate the complete registration request and client configuration rather than trusting these values alone.
RFC 7591 - Section 5
Even a signed or MACed software statement is presented by the client and is not generally sufficient by itself to identify a piece of client software.
Reference
Details
- Entry Id
software_id - Client Metadata Name
software_id - Client Metadata Description
Identifier for the software that comprises a client- Change Controller
IESG- Reference
RFC7591