oauth2.dev

software_id

IESG

Registry Context

`software_id` identifies client software rather than a particular registered instance. It should remain stable across instances, updates, and versions, and may be included in a software statement.

Technical Summary

RFC 7591 defines `software_id` as an optional client metadata string assigned by the client developer or software publisher. Registration endpoints use it to identify client software being dynamically registered. When trusted software-statement metadata and plain JSON metadata conflict, the software-statement value takes precedence.

When Used

During OAuth 2.0 dynamic client registration, particularly to identify related instances or versions of client software and when registration uses software statements.

Normative Requirements

Authorization servers

MUST
4
  1. RFC 7591 - Section 3.1.1

    give client metadata values conveyed in a software statement precedence over values conveyed using plain JSON elements.

    Condition: if the authorization server supports software statements

    If the server supports software statements, client metadata values conveyed in the software statement MUST take precedence over those conveyed using plain JSON elements.

  2. RFC 7591 - Section 5

    treat `software_id` and other client metadata as self-asserted.

    Condition: unless the metadata is used as a claim in a software statement

    Unless used as a claim in a software statement, the authorization server MUST treat all client metadata as self-asserted.

  3. RFC 7591 - Section 5

    take appropriate steps to mitigate impersonation or false-association risks by considering the entire registration request and client configuration.

    Condition: when processing self-asserted client metadata such as `software_id`

    an authorization server MUST take appropriate steps to mitigate this risk by looking at the entire registration request and client configuration.

  4. RFC 7591 - Section 5

    consider the full registration request, including the software statement, initial access token, and JSON client metadata values.

    Condition: when deciding whether to honor a registration request

    An authorization server MUST consider the full registration request, including the software statement, initial access token, and JSON client metadata values, when deciding whether to honor a given registration request.

SHOULD
1
  1. RFC 7591 - Section 5

    treat a suspected duplicate registration as suspect and reject it.

    Condition: if the client is not intended to have multiple simultaneous registrations and duplication can be inferred, such as from matching `software_id` and `software_version` values

    the server SHOULD treat the new registration as being suspect and reject the registration.

client developer or software publisher

SHOULD
2
  1. RFC 7591 - Section 2

    keep `software_id` the same for all instances of the client software.

    the "software_id" SHOULD remain the same for all instances of the client software.

  2. RFC 7591 - Section 2

    keep `software_id` the same across multiple updates or versions of the same software.

    The "software_id" SHOULD remain the same across multiple updates or versions of the same piece of software.

software statement producer

RECOMMENDED
1
  1. RFC 7591 - Section 2.3

    include the `software_id` claim in a software statement.

    Condition: to allow authorization servers to correlate different instances of software using the same software statement

    It is RECOMMENDED that software statements contain the "software_id" claim to allow authorization servers to correlate different instances of software using the same software statement.

Validation Guidance

warning

Verify that `software_id` remains stable across instances, updates, and versions of the same client software.

warning

When a software statement is intended to support cross-instance correlation, verify that it contains the `software_id` claim.

error

If the authorization server supports software statements and `software_id` appears in both sources, verify that the software-statement value takes precedence over the plain JSON value.

error

Do not treat a plain JSON `software_id` as independently verified identity; evaluate it with the entire registration request and client configuration for impersonation or false-association risks.

warning

Where only one simultaneous registration is expected, flag and reject suspected duplicates identified through matching `software_id`, `software_version`, or other registration characteristics.

Security Notes

RFC 7591 - Section 5

A rogue client can copy the `software_id` or `software_version` of legitimate software to create a false association. RFC 7591 therefore requires authorization servers to evaluate the complete registration request and client configuration rather than trusting these values alone.

RFC 7591 - Section 5

Even a signed or MACed software statement is presented by the client and is not generally sufficient by itself to identify a piece of client software.

Reference

Details

Entry Id
software_id
Client Metadata Name
software_id
Client Metadata Description
Identifier for the software that comprises a client
Change Controller
IESG
Reference
RFC7591