RFC Errata


RFC 7591, "OAuth 2.0 Dynamic Client Registration Protocol", July 2015

Source of RFC: oauth (sec)

Errata ID: 7782
Status: Reported
Type: Technical
Publication Format(s): TEXT

Reported By: Tim Würtele
Date Reported: 2024-01-25

Section 3.2.1 says:

client_id
      REQUIRED.  OAuth 2.0 client identifier string.  It SHOULD NOT be
      currently valid for any other registered client, though an
      authorization server MAY issue the same client identifier to
      multiple instances of a registered client at its discretion.

It should say:

client_id
      REQUIRED.  OAuth 2.0 client identifier string.  It MUST NOT be
      currently valid for any other registered client, though an
      authorization server MAY issue the same client identifier to
      multiple instances of a registered client at its discretion.

Notes:

Allowing the same client_id for multiple clients is a contradiction to:

1. This document, Section 1.3, (D), 2nd bullet point: "a client identifier that is unique at the server"

2. This document, Section 3.1: "The authorization server assigns this client a unique client identifier"

3. (normative reference) RFC 6749, Section 2.2: "The authorization server issues the registered client a client identifier -- a unique string representing the registration information provided by the client. [...] The client identifier is unique to the authorization server."

4. (non-normative reference) OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 2, Section 2: "Clients have metadata associated with their unique Client Identifier at the Authorization Server."; Section 3.1: "The Authorization Server assigns this Client a unique Client Identifier"; Section 3.2: "client_id REQUIRED. Unique Client Identifier. It MUST NOT be currently valid for any other registered Client."
