oauth2.dev

software_statement

IESG

Registry Context

A registration parameter that carries a signed JWT software statement containing client metadata. Servers that do not support software statements can ignore it; where it is supported, statement values override conflicting plain JSON metadata.

Technical Summary

The `software_statement` client metadata member is used in dynamic client registration to convey client metadata inside a software statement JWT. When used in a registration request, the statement must be signed or MACed with JWS and include an `iss` claim; servers that support software statements give its values precedence over conflicting JSON metadata.

When Used

Used in dynamic client registration requests when client metadata is conveyed inside a software statement.

Normative Requirements

Authorization servers

MUST
  1. RFC 7591 - Section 3.1.1

    give client metadata values conveyed in the software statement precedence over those conveyed using plain JSON elements.

    Condition: if the server supports software statements

    MUST take precedence over those conveyed

MAY
  1. RFC 7591 - Section 3.1.1

    ignore the software statement.

    Condition: if it does not support this feature

    MAY ignore the software statement

Software statement

MUST
  1. RFC 7591 - Section 2.3

    be digitally signed or MACed using JSON Web Signature (JWS).

    Condition: when presented to the authorization server as part of a client registration request

    MUST be digitally signed or MACed

  2. RFC 7591 - Section 2.3

    contain an "iss" (issuer) claim denoting the party attesting to the claims in the software statement.

    Condition: when presented to the authorization server as part of a client registration request

    MUST contain an "iss" claim

Validation Guidance

error

Reject or flag any software_statement value that is not a JWS or that lacks an iss claim when processed as part of registration.

error

If the server advertises support for software statements, verify that software_statement-derived values override conflicting JSON metadata.

warning

Allow software_statement to be ignored only when the implementation does not support software statements.
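
The checks above can be exercised with the sketch below, an added example that is not code from this registry entry or from RFC 7591. It assumes HS256-MACed statements, a per-issuer shared key table chosen by the server, and hypothetical function names; it rejects values that are not a compact JWS or lack `iss`, then merges metadata so statement values win.

```python
import base64
import hashlib
import hmac
import json

# Assumption: registered JWT claims are not treated as client metadata.
JWT_ONLY = {"iss", "sub", "aud", "exp", "nbf", "iat", "jti"}

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWS; used here only to construct sample statements."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"

def verify_software_statement(jws, issuer_keys: dict) -> dict:
    """Return the verified claims or raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = jws.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except Exception as exc:
        raise ValueError("software_statement is not a compact JWS") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unsupported alg")  # unsigned (alg=none) fails here
    if not isinstance(claims, dict) or not isinstance(claims.get("iss"), str):
        raise ValueError("software_statement lacks an iss claim")
    key = issuer_keys.get(claims["iss"])  # assumption: server-chosen trust list
    if key is None:
        raise ValueError("untrusted issuer")
    signed = f"{header_b64}.{payload_b64}".encode()
    if not hmac.compare_digest(sig, hmac.new(key, signed, hashlib.sha256).digest()):
        raise ValueError("signature verification failed")
    return claims

def effective_metadata(request: dict, issuer_keys: dict) -> dict:
    """Merge plain JSON metadata with statement claims; statement values win."""
    plain = {k: v for k, v in request.items() if k != "software_statement"}
    if "software_statement" not in request:
        return plain
    claims = verify_software_statement(request["software_statement"], issuer_keys)
    return {**plain, **{k: v for k, v in claims.items() if k not in JWT_ONLY}}
```
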

Reference

Details

Entry Id: software_statement
Client Metadata Name: software_statement
Client Metadata Description: A software statement containing client metadata values about the client software as claims. This is a string value containing the entire signed JWT.
Change Controller: IESG
Reference: RFC7591