<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-oauth-client-id-metadata-document-02" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="CIMD">OAuth Client ID Metadata Document</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-client-id-metadata-document-02"/>
    <author fullname="Aaron Parecki">
      <organization>Okta</organization>
      <address>
        <email>aaron@parecki.com</email>
        <uri>https://aaronparecki.com</uri>
      </address>
    </author>
    <author fullname="Emelia Smith">
      <organization/>
      <address>
        <email>emelia@brandedcode.com</email>
        <uri>https://thisismissem.social</uri>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>Web Authorization Protocol</workgroup>
    <keyword>oauth</keyword>
    <abstract>
      <?line 100?>

<t>This specification defines a mechanism through which an OAuth client can
identify itself to authorization servers, without prior dynamic client
registration or other existing registration. This is through the usage of a URL
as a <tt>client_id</tt> in an OAuth flow, where the URL refers to a document containing
the necessary client metadata, enabling the authorization server to fetch the
metadata about the client as needed.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://drafts.oauth.net/draft-ietf-oauth-client-id-metadata-document/draft-ietf-oauth-client-id-metadata-document.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Web Authorization Protocol Working Group mailing list (<eref target="mailto:oauth@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/oauth/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/oauth/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/oauth-wg/draft-ietf-oauth-client-id-metadata-document"/>.</t>
    </note>
  </front>
  <middle>
    <?line 109?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>In order for an OAuth 2.0 <xref target="RFC6749"/> client to utilize an OAuth 2.0
authorization server, the client needs to establish a unique identifier, and
needs to provide the server with metadata about the application, such as the
application name, icon and redirect URIs. In cases where a client is interacting
with authorization servers that it has no relationship with, manual registration
is impossible.</t>
      <t>While Dynamic Client Registration <xref target="RFC7591"/> can provide a method for a
previously unknown client to establish itself at an authorization server and
obtain a client identifier, this is not always practical in some deployments and
can create additional challenges around management of the registration data and
cleanup of inactive clients.</t>
      <t>This specification describes how an OAuth 2.0 client can publish its
own registration information and avoid the need for pre-registering
at each authorization server.</t>
      <t>This approach works best for clients that have an established, stable, and
publicly accessible web presence, such as a web service, a website for a mobile app,
or a service that controls its own domain.
Clients that do not control a stable public URL, such as clients under active development
on a developer's local machine, or clients that cannot guarantee the longevity
of a URL, are less well served by this mechanism. Deployments that need to
support such clients should consider the guidance in <xref target="implementation_considerations"/>
and <xref target="cimd_services"/>.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="client-identifier-url">
      <name>Client Identifier URL</name>
      <t>This specification defines a URL format used as a client's identifier,
referred to in this document as a Client Identifier URL.</t>
      <t>A Client Identifier URL:</t>
      <ul spacing="normal">
        <li>
          <t><bcp14>MUST</bcp14> use the <tt>https</tt> URL scheme</t>
        </li>
        <li>
          <t><bcp14>MUST NOT</bcp14> contain a userinfo component defined by <xref target="RFC3986"/></t>
        </li>
        <li>
          <t><bcp14>MAY</bcp14> contain a port</t>
        </li>
        <li>
          <t><bcp14>MUST</bcp14> contain a path component</t>
        </li>
        <li>
          <t><bcp14>MUST NOT</bcp14> contain single-dot or double-dot path components</t>
        </li>
        <li>
          <t><bcp14>SHOULD NOT</bcp14> contain a query component</t>
        </li>
        <li>
          <t><bcp14>MUST NOT</bcp14> contain a fragment component</t>
        </li>
      </ul>
      <t>Client Identifier URLs <bcp14>MUST</bcp14> be compared using simple string comparison, as
defined in Section 6.2.1 of <xref target="RFC3986"/>. For example,
<tt>https://example.com/client</tt> and <tt>https://example.com:443/client</tt>
are not equivalent even though 443 is the default port for the <tt>https</tt> scheme.</t>
      <t>This specification places no restrictions on the brevity or longevity of a
Client Identifier URL beyond the requirements listed above. A short URL is
<bcp14>RECOMMENDED</bcp14>, since the URI may be displayed to the end user in the
authorization interface or in management interfaces. Usage of a stable URL
that does not change frequently for the client is also <bcp14>RECOMMENDED</bcp14>, as
changing the URL will appear to the authorization server to be an entirely
different Client Identifier URL as described in <xref target="client_id_url_changes"/>.</t>
      <t>Note that URL shortening services are generally not suitable as Client Identifier
URLs, since they typically operate using HTTP redirects, which conflicts
with the requirement in <xref target="client_information_discovery"/> when fetching the
Client ID Metadata Document. Using a path of <tt>/</tt> (e.g., <tt>https://example.com/</tt>)
is <bcp14>NOT RECOMMENDED</bcp14>, since the Client ID Metadata Document would then be served at
the root of the domain, conflicting with existing content that may be published there.</t>
      <t>A Client Identifier URL <bcp14>MUST</bcp14> be associated with a set of client metadata,
in the form of a Client ID Metadata Document as described in
<xref target="client_metadata_document"/>, available at the Client Identifier URL.</t>
    </section>
    <section anchor="client_metadata_document">
      <name>Client ID Metadata Document</name>
      <t>The Client ID Metadata Document is a JSON (<xref target="RFC8259"/>) document containing the metadata
of the client. The client metadata values are the values defined in
the OAuth Dynamic Client Registration Metadata OAuth Parameters registry
<eref target="https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#client-metadata">https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#client-metadata</eref>
as established by <xref target="RFC7591"/>.</t>
      <t>The Client ID Metadata Document <bcp14>MUST</bcp14> contain a <tt>client_id</tt> property whose value
<bcp14>MUST</bcp14> match the Client Identifier URL, which <bcp14>MUST</bcp14> also match the URL that the
authorization server used to fetch the document; comparisons <bcp14>MUST</bcp14> be made
using simple string comparison as defined in Section 6.2.1 of <xref target="RFC3986"/>. The
authorization server is responsible for validating this match as part of
processing the fetched document.</t>
      <t>The Client ID Metadata Document <bcp14>MUST</bcp14> be served with a 200 OK HTTP status code.
The Client ID Metadata Document <bcp14>MAY</bcp14> also be served with more specific content types
as long as the response is JSON and conforms to <tt>application/&lt;AS-defined&gt;+json</tt>.</t>
      <t>Other specifications <bcp14>MAY</bcp14> place additional restrictions on the contents of the
Client ID Metadata Document accepted by authorization servers implementing their
specification. For example, requiring the <tt>token_endpoint_auth_method</tt> property
be set to <tt>"private_key_jwt"</tt>, effectively requiring confidential clients.</t>
      <t>TBD: We may want a property such as <tt>client_id_expires_at</tt> for indicating that the client is ephemeral and not valid after a given timestamp, especially for documents issued by a service for development purposes.</t>
      <section anchor="client_authentication_restrictions">
        <name>Credential and Key Material Restrictions</name>
        <t>As there is no way to establish a shared secret to be used with client metadata
documents, the following restrictions apply to the contents of the
Client ID Metadata Document:</t>
        <ul spacing="normal">
          <li>
            <t>the <tt>token_endpoint_auth_method</tt> property <bcp14>MUST NOT</bcp14> include <tt>client_secret_post</tt>,
<tt>client_secret_basic</tt>, <tt>client_secret_jwt</tt>, or any other method based around
a shared symmetric secret</t>
          </li>
          <li>
            <t>the <tt>client_secret</tt> and <tt>client_secret_expires_at</tt> properties <bcp14>MUST NOT</bcp14> be used</t>
          </li>
          <li>
            <t>private key material <bcp14>MUST NOT</bcp14> be included in the Client ID Metadata Document;
only public keys, such as those published via the <tt>jwks</tt> or <tt>jwks_uri</tt>
properties, are permitted</t>
          </li>
        </ul>
        <t>See <xref target="client_authentication"/> for more details on establishing client
authentication using public/private key pairs.</t>
      </section>
      <section anchor="redirect-url-registration">
        <name>Redirect URL Registration</name>
        <t>According to <xref target="RFC9700"/>, the authorization server <bcp14>MUST</bcp14> require registration of
redirect URLs, and <bcp14>MUST</bcp14> ensure that the redirect URL in an authorization request
is an exact match, using simple string comparison, of a registered redirect URL.</t>
        <t>This method of client information discovery establishes
registered redirect URL(s) when the authorization server fetches
the contents of the Client ID Metadata Document.</t>
        <t>This specification is not limited to grant types that use a redirect URL.
For grant types that do not involve a redirect URL, such as the Client
Credentials Grant, or extension grants such as Token Exchange, the
requirements of this section do not apply, since no redirect URL is
registered or used. The other mechanisms described in this specification,
namely client identification and client metadata discovery, apply
regardless of which grant type is used.</t>
      </section>
      <section anchor="software_statement">
        <name>Relationship with software_statement</name>
        <t>The <tt>software_statement</tt> parameter defined in <xref target="RFC7591"/> <bcp14>MAY</bcp14> be used together
with a Client Identifier URL, for example by including it as a property of the
Client ID Metadata Document. Doing so can provide the authorization server with
an additional, independently verifiable signal about the client's identity or
provenance.</t>
        <t>Operators combining software statements with this specification should note
that the software statement is no longer presented inline by the client during
the authorization request; instead, it is retrieved by the authorization
server as part of fetching the Client ID Metadata Document. This means the
trustworthiness of the software statement's claims depends not only on the
issuer's signature over the statement itself, but also on the integrity of the
process used to retrieve the Client ID Metadata Document (including the
protections described in <xref target="ssrf_attacks"/>), as well as the relationship between
the client instance and the Client ID Metadata Document. Authorization servers should
evaluate whether this combination meets their assurance requirements before
relying on software statements delivered this way.</t>
      </section>
    </section>
    <section anchor="client_information_discovery">
      <name>Client Information Discovery</name>
      <t>Authorization servers <bcp14>SHOULD</bcp14> automatically fetch the Client ID Metadata
Document at the Client Identifier URL to retrieve the client metadata.
Authorization servers <bcp14>SHOULD</bcp14> periodically re-fetch the Client ID Metadata Document
as the contents may change over time. See <xref target="metadata_caching"/> and
<xref target="client_metadata_changes"/> for additional considerations.</t>
      <t>An authorization server <bcp14>MAY</bcp14> instead associate a Client Identifier URL with
client metadata through other means, such as by pre-registering the URL as
described in <xref target="prereg_cimd_urls"/>.</t>
      <t>The Client ID Metadata Document <bcp14>MUST</bcp14> be served with a 200 OK HTTP status code.
The authorization server <bcp14>MUST</bcp14> treat all other HTTP status codes as an error response, as
described in <xref target="metadata_discovery_errors"/>. The authorization server <bcp14>MUST NOT</bcp14>
automatically follow HTTP redirects when fetching the Client ID Metadata Document.</t>
      <t>Special care should be taken to avoid Server Side Request Forgery (SSRF) Attacks
when fetching Client ID Metadata Documents, as described in <xref target="ssrf_attacks"/>.</t>
      <section anchor="metadata_discovery_errors">
        <name>Metadata Discovery Errors</name>
        <t>If the authorization server attempts to fetch the Client ID Metadata Document,
and fetching the metadata document fails, the authorization server <bcp14>SHOULD</bcp14> abort the
authorization request.</t>
      </section>
      <section anchor="metadata_caching">
        <name>Metadata Caching</name>
        <t>The authorization server <bcp14>MAY</bcp14> cache the client metadata it discovers at the
Client ID Metadata Document URL.</t>
        <t>The authorization server <bcp14>SHOULD</bcp14> respect HTTP cache headers <xref target="RFC9111"/> when caching client metadata,
but <bcp14>MAY</bcp14> define its own upper and/or lower bounds on an acceptable cache lifetime as well.</t>
        <t>The authorization server <bcp14>MUST NOT</bcp14> cache error responses. The authorization
server also <bcp14>MUST NOT</bcp14> cache documents which are invalid or malformed.</t>
      </section>
    </section>
    <section anchor="as-metadata">
      <name>Authorization Server Metadata</name>
      <t>Authorization servers that publish Authorization Server Metadata <xref target="RFC8414"/> <bcp14>MUST</bcp14> include the following property to signal support for Client ID Metadata Documents as described in this specification.</t>
      <dl>
        <dt><tt>client_id_metadata_document_supported</tt>:</dt>
        <dd>
          <t><bcp14>OPTIONAL</bcp14>. Boolean value specifying whether the authorization server supports retrieving client metadata from a <tt>client_id</tt> URL as described in this specification.</t>
        </dd>
      </dl>
      <t>This enables clients to avoid sending the user to a dead end, by only redirecting the user to an authorization server that supports this specification. Otherwise, the client would redirect the user and the user would be met with an error about an invalid client as described in <xref section="4.1.2.1" sectionFormat="of" target="RFC6749"/>.</t>
    </section>
    <section anchor="implementation_considerations">
      <name>Implementation Considerations</name>
      <section anchor="supporting-both-pre-registered-and-unregistered-clients">
        <name>Supporting Both Pre-Registered and Unregistered Clients</name>
        <t>If an authorization server wishes to support clients using Client ID Metadata Documents as well as clients where the authorization server generates the <tt>client_id</tt>, it <bcp14>SHOULD</bcp14> ensure that the <tt>client_id</tt> strings it generates do not start with <tt>https://</tt>. Given that most implementations of authorization servers generate random values for the <tt>client_id</tt>, this is not expected to be a problem in practice.</t>
        <t>The presence of the <tt>https://</tt> scheme in a <tt>client_id</tt> is not by itself a reliable signal of whether a client was registered using this specification, such as if an authorization server issues <tt>https://</tt> URLs as <tt>client_id</tt> values for other purposes like vanity identifiers or stable developer-facing identifiers, without treating them as Client Identifier URLs to be fetched. The determining factor for whether a <tt>client_id</tt> is subject to this specification is whether the authorization server fetches, or otherwise associates, a Client ID Metadata Document for that <tt>client_id</tt>. Authorization servers that support both approaches need a reliable way, internal to their own implementation, to distinguish clients registered via this specification from those registered by other means.</t>
      </section>
      <section anchor="prereg_cimd_urls">
        <name>Pre-Registering Client Identifier URLs</name>
        <t>An authorization server <bcp14>MAY</bcp14> pre-register Client Identifier URLs. This is a valid deployment pattern that leverages the namespacing and key-binding properties of Client Identifier URLs described in this specification, while not relying on the authorization server automatically fetching client metadata at request time. The authorization server <bcp14>SHOULD</bcp14> fetch the Client ID Metadata Document at the URL at the time of establishing this pre-registration, although other means of registering the metadata document are also valid.</t>
        <t>This deployment pattern is expected to be common in enterprise environments where enterprise customers wish to explicitly onboard particular clients into their environment. The Client Identifier URL can be registered with the identity provider, including establishing client authentication as described in <xref target="client_authentication"/>, where it can behave the same way as a pre-registered client. There is no obligation to support dynamic client onboarding by using the mechanisms described in this document.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>In addition to the security considerations in OAuth 2.0 Core <xref target="RFC6749"/>, and OAuth 2.0 Threat Model and Security Considerations <xref target="RFC6819"/>, and <xref target="RFC9700"/> the additional considerations apply.</t>
      <section anchor="redirect_uri_relationship">
        <name>Relationship between <tt>redirect_uris</tt> and <tt>client_id</tt> or <tt>client_uri</tt></name>
        <t>An authorization server may impose restrictions or relationships between the <tt>redirect_uris</tt> and the <tt>client_id</tt> or <tt>client_uri</tt> properties, for example to restrict the <tt>redirect_uri</tt> to the same-origin as the Client ID Metadata Document. Without restrictions like these, there are potential trust and safety issues where the client attempts to impersonate a more well-known client or otherwise act in a way which is malicious or puts the end-user at risk.</t>
        <t>Having no restrictions on the relationship between <tt>redirect_uris</tt> and <tt>client_id</tt> or <tt>client_uri</tt> was a common practice with <xref target="Solid-OIDC"/>'s Client ID Documents, so this ability is preserved for backwards compatibility between <xref target="Solid-OIDC"/> and this specification.</t>
        <t>Some restrictions on <tt>redirect_uris</tt> can make developer usage of Client ID Metadata Documents difficult. <xref target="cimd_services"/> discusses how a service offered by the authorization server can enable development usage of Client ID Metadata Documents for authorization servers that impose restrictions on the <tt>redirect_uri</tt>.</t>
      </section>
      <section anchor="client_authentication">
        <name>Client Authentication</name>
        <t>Since the client establishes its own registration data at the authorization server,
prior coordination of client credentials is not possible. However, establishing
credentials at the authorization server by using authentication methods that use
public/private key pairs is possible by publishing the public key in their metadata document.</t>
        <t>Clients that are capable of maintaining private key material and performing client authentication
<bcp14>SHOULD</bcp14> do so with an acceptable method, such as a method in the <eref target="https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method">OAuth Token Endpoint Authentication Methods registry</eref>.</t>
        <t>For example, the client <bcp14>MAY</bcp14> include the following properties in its metadata document
to establish a public key and advertise the <tt>private_key_jwt</tt> authentication method defined in <xref target="OpenID"/>:</t>
        <artwork><![CDATA[
{
  ...
  "token_endpoint_auth_method": "private_key_jwt",
  "jwks_uri": "https://client.example.com/jwks.json"
  ...
}
]]></artwork>
        <t>This establishes this client as a confidential client, and any communication with
the authorization server <bcp14>MUST</bcp14> include client authentication of the registered type.</t>
        <t>When a client declares <tt>token_endpoint_auth_method</tt> as <tt>private_key_jwt</tt>, the authorization server
<bcp14>MUST</bcp14> require client authentication according to <xref section="2.2" sectionFormat="of" target="RFC7523"/> using the corresponding key discovered from the client's metadata document.</t>
        <t>The particular method of how the client manages the private key is out of scope of this specification, but may include manual provisioning or methods such as "Attestation Based Client Authentication" <xref target="I-D.draft-ietf-oauth-attestation-based-client-auth"/> or "OAuth SPIFFE Client Authentication" <xref target="I-D.draft-ietf-oauth-spiffe-client-auth"/>. For example, the client developer could run a Client Attester Backend, using a native application's platform-specific APIs to authenticate to the backend service, where the private key corresponding to the <tt>jwks_uri</tt> key is managed by the backend service. This would allow a mobile app to request JWTs from the backend service that the mobile app could then use as client authentication to the authorization server.</t>
      </section>
      <section anchor="client_id_url_changes">
        <name>Changes in Client Identifier URL</name>
        <t>The Client Identifier URL is the client's identity from the perspective of
the authorization server. Because OAuth treats two different <tt>client_id</tt>
values as two entirely unrelated clients, a client that changes its Client
Identifier URL is, as far as any authorization server is concerned, a
brand new client with no relationship to the previous one. Any grants,
tokens, or user consent that had been associated with the old URL may not be
transferable to the new URL, and users may be prompted to re-authorize as
if encountering the client for the first time.</t>
        <t>Clients should therefore treat their Client Identifier URL with the same
degree of stability as they would treat any persistent identity. Operators
should plan for the URL to remain resolvable and under their control
indefinitely, as loss of control over the URL — for example through domain
expiry or reassignment — would allow a third party to assume the client's
identity.</t>
      </section>
      <section anchor="client_metadata_changes">
        <name>Changes in Client Metadata</name>
        <t>Authorization servers should be aware that Client ID Metadata Documents can change over time since they are served from URLs under client control. Authorization servers should consider the security implications when metadata properties change, such as <tt>redirect_uris</tt>, <tt>token_endpoint_auth_method</tt>, <tt>scope</tt>, <tt>grant_types</tt>, <tt>jwks</tt>, <tt>jwks_uri</tt>, or display properties like <tt>client_name</tt> and <tt>logo_uri</tt>.</t>
        <t>Significant changes to client metadata may affect the trust relationship between the authorization server and the client, and could impact the validity of previously granted user consent. Authorization servers may choose to invalidate existing grants, require fresh user consent, or implement other policies when certain types of metadata changes are detected. The appropriate response will depend on the authorization server's risk tolerance and operational requirements.</t>
        <section anchor="client_key_changes">
          <name>Changes in Client Keys</name>
          <t>If the authorization server notices that the <tt>jwks</tt>, <tt>jwks_uri</tt> or the contents at the <tt>jwks_uri</tt> have changed compared to the last time it fetched the metadata, the authorization server may take actions such as revoking any tokens issued to this client, or revoking the user's consent for this client. The particular actions to take are left up to the discretion of the authorization server based on its own risk assessment. However, periodic rotation of keys can also be expected as good security hygiene by the client.</t>
        </section>
      </section>
      <section anchor="oauth-phishing-attacks">
        <name>OAuth Phishing Attacks</name>
        <t>Authorization servers <bcp14>SHOULD</bcp14> fetch the <tt>client_id</tt> metadata document provided in the authorization request in order to provide users with additional information about the request, such as the application name and logo. If the server does not fetch the Client ID Metadata Document, then it <bcp14>SHOULD</bcp14> take additional measures to ensure the user is provided with as much information as possible about the request.</t>
        <t>The authorization server <bcp14>SHOULD</bcp14> display the hostname of the <tt>client_id</tt> on the authorization interface, in addition to displaying the fetched client information if any. Displaying the hostname helps users know that they are authorizing the expected application.</t>
        <t>If fetching the Client ID Metadata Document fails for any reason, the <tt>client_id</tt> URL is the only piece of information the user has as an indication of which application they are authorizing.</t>
      </section>
      <section anchor="ssrf_attacks">
        <name>Server Side Request Forgery (SSRF) Attacks</name>
        <t>Authorization servers fetching the Client ID Metadata Document and resolving URLs contained within it should be aware of possible SSRF attacks. Authorization servers <bcp14>MUST NOT</bcp14> fetch a Client ID Metadata Document URL or any URLs contained within a Client ID Metadata Document that resolve to special-use IP addresses as defined in <xref target="RFC6890"/>.</t>
        <t>Authorization servers deployed for development or testing purposes <bcp14>MAY</bcp14> relax this restriction to allow fetching from loopback addresses when the authorization server itself is also running on a loopback address and the resolved address matches the same loopback interface. Authorization servers <bcp14>MUST NOT</bcp14> apply this exception in production deployments, since doing so would allow an attacker-controlled Client Identifier URL to cause the authorization server to make requests against itself or other services on the loopback interface or special-use IP addresses.</t>
        <t>Authorization servers <bcp14>SHOULD</bcp14> consider network policies or other measures to prevent making requests to special-use addresses. Authorization servers which support non-http-based URI schemes are at additional risk of SSRF attacks.</t>
        <t>Authorization servers <bcp14>SHOULD</bcp14> ensure they only fetch or parse URLs with known and supported URI schemes. This can help avoid leading to compromises if a client uses a URI scheme such as <tt>javascript:</tt> in a metadata property.</t>
      </section>
      <section anchor="maximum-response-size-for-client-id-metadata-documents">
        <name>Maximum Response Size for Client ID Metadata Documents</name>
        <t>Since the authorization server does not control the size of the Client ID Metadata Document served by the client, it cannot limit the size of the response itself. Instead, authorization servers <bcp14>SHOULD</bcp14> limit the amount of data they read and process when fetching a Client ID Metadata Document, for example by stopping after a maximum number of bytes and treating the response as an error if that limit is reached before the document has been fully read. The recommended maximum size to read is 5 kilobytes.</t>
      </section>
      <section anchor="displaying_logos">
        <name>Displaying Logos to End-Users</name>
        <t>Authorization servers that wish to make use of the <tt>logo_uri</tt> property within Client ID Metadata Document <bcp14>SHOULD</bcp14> prefetch the file at <tt>logo_uri</tt> and cache it for the cache duration of the Client ID Metadata Document. This allows for moderation tools to verify the file contents (e.g., preventing usage of logos that look like other logos), as well as preventing the logo from being dynamically changed to confuse an end-user.</t>
        <t>Caching of the <tt>logo_uri</tt> response can additionally prevent cross-domain tracking through the <tt>logo_uri</tt> being requested by the client, since the cached file would be served not from the remote URI but instead from a URI that the Authorization server trusts.</t>
      </section>
      <section anchor="client-id-domain-trust">
        <name>Client ID Domain Trust</name>
        <t>The authorization server may choose to have its own heuristics and policies around the trust of domain names used as client IDs.</t>
        <t>For example, the authorization server could require that the first 100 users to authorize a <tt>client_id</tt> see an additional warning screen before the OAuth consent screen. The authorization server could check attributes of the domain reputation, such as how recently the domain was registered, and put up extra warnings for new domains. An authorization server may also maintain allowlists of trusted domain patterns, such as treating any Client Identifier URL under <tt>*.example.com</tt> as belonging to a known and trusted operator, and apply reduced friction for clients matching such patterns.</t>
      </section>
      <section anchor="cimd_services">
        <name>CIMD Services</name>
        <t>This section describes a pattern, referred to as a CIMD Service, through
which an authorization server can offer developers a way to obtain Client
Identifier URIs for use during development, without requiring the developer
to host a publicly accessible document themselves.</t>
        <t>Operating a CIMD Service has security and reputation implications, since it
is effectively acting as a proxy for static client registration for any
client it provisions. An authorization server operating a CIMD Service
should ensure that clients provisioned this way are clearly distinguished
from other clients when presented to end users, and should consider the
implications on the trust model described in this specification, since a
CIMD Service intermediates the relationship between the client and the
authorization server rather than the client publishing its own metadata
directly.</t>
      </section>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <section anchor="authorization-server-fetch-side-channel">
        <name>Authorization Server Fetch Side Channel</name>
        <t>When the authorization server fetches a Client Identifier URL or other URLs
referenced within a Client ID Metadata Document, the act of fetching may reveal
information about end-user activity to the operator of the server hosting
those URLs. For example, the timing and frequency of requests to a Client
Identifier URI can indicate when, and how often, users are attempting to
authorize with a particular authorization server.</t>
        <t>Authorization servers that fetch client metadata on every authorization
request, rather than relying on cached data, are more susceptible to this
side channel. Authorization servers <bcp14>SHOULD</bcp14> respect cache headers as
described in <xref target="metadata_caching"/> to reduce the frequency of unnecessary
fetches.</t>
      </section>
      <section anchor="urls-referenced-in-client-id-metadata-documents">
        <name>URLs Referenced in Client ID Metadata Documents</name>
        <t>Client ID Metadata Documents may contain URLs, such as <tt>logo_uri</tt>, <tt>jwks_uri</tt>,
<tt>policy_uri</tt>, or <tt>tos_uri</tt>, that the authorization server fetches directly
or exposes to the end user, for example by rendering them or linking to them
in the authorization interface. When these URLs are fetched by the
authorization server, or their content is served to the end user's browser,
they may create cross-domain tracking opportunities for the operator of the
referenced URL.</t>
        <t>As described in <xref target="displaying_logos"/>, authorization servers that fetch and
cache the content of <tt>logo_uri</tt> rather than linking to it directly mitigate
the risk of cross-domain tracking through logo requests initiated by the
end user's browser. Authorization servers should consider similar
precautions for other URLs contained in the Client ID Metadata Document before
exposing them to end users.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="oauth-authorization-server-metadata-registry">
        <name>OAuth Authorization Server Metadata Registry</name>
        <t>The following authorization server metadata value is defined by this specification and registered in the IANA "OAuth Authorization Server Metadata" registry established in OAuth 2.0 Authorization Server Metadata <xref target="RFC8414"/>.</t>
        <ul spacing="normal">
          <li>
            <t>Metadata Name: <tt>client_id_metadata_document_supported</tt>:</t>
          </li>
          <li>
            <t>Metadata Description: JSON boolean value specifying whether the authorization server supports retrieving client metadata from a <tt>client_id</tt> URL.</t>
          </li>
          <li>
            <t>Change Controller: IETF</t>
          </li>
          <li>
            <t>Specification Document: <xref target="as-metadata"/> of [draft-ietf-oauth-client-id-metadata-document-02]</t>
          </li>
        </ul>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC3986">
          <front>
            <title>Uniform Resource Identifier (URI): Generic Syntax</title>
            <author fullname="T. Berners-Lee" initials="T." surname="Berners-Lee"/>
            <author fullname="R. Fielding" initials="R." surname="Fielding"/>
            <author fullname="L. Masinter" initials="L." surname="Masinter"/>
            <date month="January" year="2005"/>
            <abstract>
              <t>A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="66"/>
          <seriesInfo name="RFC" value="3986"/>
          <seriesInfo name="DOI" value="10.17487/RFC3986"/>
        </reference>
        <reference anchor="RFC6749">
          <front>
            <title>The OAuth 2.0 Authorization Framework</title>
            <author fullname="D. Hardt" initials="D." role="editor" surname="Hardt"/>
            <date month="October" year="2012"/>
            <abstract>
              <t>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6749"/>
          <seriesInfo name="DOI" value="10.17487/RFC6749"/>
        </reference>
        <reference anchor="RFC6819">
          <front>
            <title>OAuth 2.0 Threat Model and Security Considerations</title>
            <author fullname="T. Lodderstedt" initials="T." role="editor" surname="Lodderstedt"/>
            <author fullname="M. McGloin" initials="M." surname="McGloin"/>
            <author fullname="P. Hunt" initials="P." surname="Hunt"/>
            <date month="January" year="2013"/>
            <abstract>
              <t>This document gives additional security considerations for OAuth, beyond those in the OAuth 2.0 specification, based on a comprehensive threat model for the OAuth 2.0 protocol. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6819"/>
          <seriesInfo name="DOI" value="10.17487/RFC6819"/>
        </reference>
        <reference anchor="RFC6890">
          <front>
            <title>Special-Purpose IP Address Registries</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <author fullname="L. Vegoda" initials="L." surname="Vegoda"/>
            <author fullname="R. Bonica" initials="R." role="editor" surname="Bonica"/>
            <author fullname="B. Haberman" initials="B." surname="Haberman"/>
            <date month="April" year="2013"/>
            <abstract>
              <t>This memo reiterates the assignment of an IPv4 address block (192.0.0.0/24) to IANA. It also instructs IANA to restructure its IPv4 and IPv6 Special-Purpose Address Registries. Upon restructuring, the aforementioned registries will record all special-purpose address blocks, maintaining a common set of information regarding each address block.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="153"/>
          <seriesInfo name="RFC" value="6890"/>
          <seriesInfo name="DOI" value="10.17487/RFC6890"/>
        </reference>
        <reference anchor="RFC7591">
          <front>
            <title>OAuth 2.0 Dynamic Client Registration Protocol</title>
            <author fullname="J. Richer" initials="J." role="editor" surname="Richer"/>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="M. Machulak" initials="M." surname="Machulak"/>
            <author fullname="P. Hunt" initials="P." surname="Hunt"/>
            <date month="July" year="2015"/>
            <abstract>
              <t>This specification defines mechanisms for dynamically registering OAuth 2.0 clients with authorization servers. Registration requests send a set of desired client metadata values to the authorization server. The resulting registration responses return a client identifier to use at the authorization server and the client metadata values registered for the client. The client can then use this registration information to communicate with the authorization server using the OAuth 2.0 protocol. This specification also defines a set of common client metadata fields and values for clients to use during registration.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7591"/>
          <seriesInfo name="DOI" value="10.17487/RFC7591"/>
        </reference>
        <reference anchor="RFC8259">
          <front>
            <title>The JavaScript Object Notation (JSON) Data Interchange Format</title>
            <author fullname="T. Bray" initials="T." role="editor" surname="Bray"/>
            <date month="December" year="2017"/>
            <abstract>
              <t>JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data.</t>
              <t>This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="90"/>
          <seriesInfo name="RFC" value="8259"/>
          <seriesInfo name="DOI" value="10.17487/RFC8259"/>
        </reference>
        <reference anchor="RFC8414">
          <front>
            <title>OAuth 2.0 Authorization Server Metadata</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <date month="June" year="2018"/>
            <abstract>
              <t>This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8414"/>
          <seriesInfo name="DOI" value="10.17487/RFC8414"/>
        </reference>
        <reference anchor="RFC9700">
          <front>
            <title>Best Current Practice for OAuth 2.0 Security</title>
            <author fullname="T. Lodderstedt" initials="T." surname="Lodderstedt"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="A. Labunets" initials="A." surname="Labunets"/>
            <author fullname="D. Fett" initials="D." surname="Fett"/>
            <date month="January" year="2025"/>
            <abstract>
              <t>This document describes best current security practice for OAuth 2.0. It updates and extends the threat model and security advice given in RFCs 6749, 6750, and 6819 to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0. Further, it deprecates some modes of operation that are deemed less secure or even insecure.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="240"/>
          <seriesInfo name="RFC" value="9700"/>
          <seriesInfo name="DOI" value="10.17487/RFC9700"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="IndieAuth" target="https://indieauth.spec.indieweb.org/">
          <front>
            <title>IndieAuth</title>
            <author initials="A." surname="Parecki" fullname="Aaron Parecki">
              <organization/>
            </author>
            <date year="2022" month="February" day="12"/>
          </front>
        </reference>
        <reference anchor="Solid-OIDC" target="https://solidproject.org/TR/2022/oidc-20220328">
          <front>
            <title>Solid-OIDC</title>
            <author initials="A." surname="Coburn" fullname="Aaron Coburn">
              <organization>Inrupt</organization>
            </author>
            <author initials="" surname="elf Pavlik" fullname="elf Pavlik">
              <organization/>
            </author>
            <author initials="D." surname="Zagidulin" fullname="Dmitri Zagidulin">
              <organization/>
            </author>
            <date year="2022" month="March" day="28"/>
          </front>
        </reference>
        <reference anchor="OpenID" target="https://openid.net/specs/openid-connect-core-1_0.html">
          <front>
            <title>OpenID Connect Core 1.0</title>
            <author initials="N." surname="Sakimura" fullname="N. Sakimura">
              <organization>NAT.Consulting</organization>
            </author>
            <author initials="J." surname="Bradley" fullname="J. Bradley">
              <organization>Yubico</organization>
            </author>
            <author initials="M." surname="Jones" fullname="M. Jones">
              <organization>Self-Issued Consulting</organization>
            </author>
            <author initials="B. de" surname="Medeiros" fullname="B. de Medeiros">
              <organization>Google</organization>
            </author>
            <author initials="C." surname="Mortimore" fullname="C. Mortimore">
              <organization>Disney</organization>
            </author>
            <date year="2023" month="December" day="15"/>
          </front>
        </reference>
        <reference anchor="OpenID.Federation" target="https://openid.net/specs/openid-federation-1_0.html">
          <front>
            <title>OpenID Federation 1.0</title>
            <author initials="R." surname="Hedberg" fullname="R. Hedberg">
              <organization>independent</organization>
            </author>
            <author initials="M.B." surname="Jones" fullname="M.B. Jones">
              <organization>Self-Issued Consulting</organization>
            </author>
            <author initials="A.Å." surname="Solberg" fullname="A.Å. Solberg">
              <organization>Sikt</organization>
            </author>
            <author initials="J." surname="Bradley" fullname="J. Bradley">
              <organization>Yubico</organization>
            </author>
            <author initials="G. D." surname="Marco" fullname="G. De Marco">
              <organization>independent</organization>
            </author>
            <author initials="V." surname="Dzhuvinov" fullname="V. Dzhuvinov">
              <organization>Connect2id</organization>
            </author>
            <date year="2024" month="May" day="17"/>
          </front>
        </reference>
        <reference anchor="I-D.draft-ietf-oauth-attestation-based-client-auth">
          <front>
            <title>OAuth 2.0 Attestation-Based Client Authentication</title>
            <author fullname="Tobias Looker" initials="T." surname="Looker">
              <organization>MATTR</organization>
            </author>
            <author fullname="Paul Bastian" initials="P." surname="Bastian">
              <organization>Bundesdruckerei</organization>
            </author>
            <author fullname="Christian Bormann" initials="C." surname="Bormann">
              <organization>SPRIND</organization>
            </author>
            <date day="25" month="May" year="2026"/>
            <abstract>
              <t>   This specification defines an extension to the OAuth 2.0 protocol
   [RFC6749] that enables a client instance to include a key-bound
   attestation when interacting with an Authorization Server or Resource
   Server.  This mechanism allows a client instance to prove its
   authenticity verified by a client attester without revealing its
   target audience to that attester.  It may also serve as a mechanism
   for client authentication as per OAuth 2.0.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-attestation-based-client-auth-09"/>
        </reference>
        <reference anchor="I-D.draft-ietf-oauth-spiffe-client-auth">
          <front>
            <title>OAuth SPIFFE Client Authentication</title>
            <author fullname="Arndt Schwenkschuster" initials="A." surname="Schwenkschuster">
              <organization>Defakto Security</organization>
            </author>
            <author fullname="Pieter Kasselman" initials="P." surname="Kasselman">
              <organization>Defakto Security</organization>
            </author>
            <author fullname="Scott Rose" initials="S." surname="Rose">
              <organization>NIST</organization>
            </author>
            <author fullname="Stian Thorgersen" initials="S." surname="Thorgersen">
              <organization>IBM</organization>
            </author>
            <author fullname="Nancy Cam-Winget" initials="N." surname="Cam-Winget">
              <organization>Cisco Systems</organization>
            </author>
            <date day="15" month="June" year="2026"/>
            <abstract>
              <t>   This specification profiles the Assertion Framework for OAuth 2.0
   Client Authentication and Authorization Grants [RFC7521], the JWT
   Profile for OAuth 2.0 Client Authentication and Authorization Grants
   [RFC7523], and OAuth 2.0 Attestation-Based Client Authentication
   [I-D.draft-ietf-oauth-attestation-based-client-auth] to enable the
   use of SPIFFE Verifiable Identity Documents (SVIDs) as client
   credentials in OAuth 2.0.  It defines how OAuth clients with SPIFFE
   credentials can authenticate to OAuth authorization servers using
   their JWT-SVIDs, WIT-SVIDs, or X.509-SVIDs without the need for
   client secrets.  This approach enhances security by enabling seamless
   integration between SPIFFE-enabled workloads and OAuth authorization
   servers while eliminating the need to distribute and manage shared
   secrets such as static client secrets.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-oauth-spiffe-client-auth-02"/>
        </reference>
        <reference anchor="RFC7523">
          <front>
            <title>JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="B. Campbell" initials="B." surname="Campbell"/>
            <author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>This specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for client authentication.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7523"/>
          <seriesInfo name="DOI" value="10.17487/RFC7523"/>
        </reference>
        <reference anchor="RFC9111">
          <front>
            <title>HTTP Caching</title>
            <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
            <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
            <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document defines HTTP caches and the associated header fields that control cache behavior or indicate cacheable response messages.</t>
              <t>This document obsoletes RFC 7234.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="98"/>
          <seriesInfo name="RFC" value="9111"/>
          <seriesInfo name="DOI" value="10.17487/RFC9111"/>
        </reference>
      </references>
    </references>
    <?line 515?>

<section numbered="true" anchor="cimd-service-appendix">
      <name>CIMD Services for Development Purposes</name>
      <t>This appendix describes a non-normative pattern, referred to as a CIMD
Service, that an authorization server <bcp14>MAY</bcp14> offer to make development against
this specification easier.</t>
      <t>An authorization server may have restrictions on what it accepts as valid
<tt>redirect_uris</tt>, for instance, limiting them to the same-origin as the
<tt>client_id</tt> or <tt>client_uri</tt> properties, as discussed in
<xref target="redirect_uri_relationship"/>. However, if an authorization server does
place additional restrictions on the accepted <tt>redirect_uris</tt> then it is
<bcp14>RECOMMENDED</bcp14> that it provide at least one CIMD Service which is exempt from
these restrictions, to support developers as described below.</t>
      <t>When developing applications against an authorization server which uses
this specification, developers often encounter the issue of "how do I serve
a Client ID Metadata Document at a publicly accessible https URL whilst
developing my application on my localhost?".</t>
      <t>To enable developers to author applications on their machines, without
exposing their machines to the public internet, an authorization server <bcp14>MAY</bcp14>
offer a CIMD Service.</t>
      <t>A CIMD Service is a web service through which developers can acquire a
stable Client Identifier URL that resolves to a Client ID Metadata Document.
This service <bcp14>MAY</bcp14> expire clients from time to time, and <bcp14>MAY</bcp14> require
developers to provide additional information about the client being
developed.</t>
      <t>The only requirement on a CIMD Service is that it <bcp14>MUST</bcp14> return valid Client
ID Metadata Documents for the <tt>client_id</tt>s that it provisions, or return a
status code indicating an error response (e.g., 404 Not Found). How a CIMD
Service creates or stores metadata documents is outside of the scope of
this document.</t>
      <t>By providing at least one CIMD Service, an authorization server can enable
developers to create applications, and still indicate to non-technical
people that the client that they are about to authorize is currently
under-development and may not be trustworthy or secure.</t>
      <t>Operating a CIMD Service effectively means the authorization server is
performing a form of static client registration on behalf of the developer,
mediated through a URL rather than a direct registration API. Authorization
servers offering a CIMD Service should consider the security and reputation
implications discussed in <xref target="cimd_services"/>, and should ensure that clients
provisioned through a CIMD Service are not afforded the same level of trust
as clients that publish their own Client ID Metadata Document.</t>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The idea of using URIs as the <tt>client_id</tt> in OAuth based authorization requests is not new, and has previously been specified in varying ways by <xref target="IndieAuth"/>, <xref target="Solid-OIDC"/>, and <xref target="OpenID.Federation"/>. This specification is largely inspired by the work of Aaron Coburn, elf Pavlik, and Dmitri Zagidulin in their <xref target="Solid-OIDC"/> specification which defined dereferenceable Client Identifier Documents.</t>
      <t>The authors would like to thank the following people for their contributions and reviews of this specification: Bobby Tiernay, Brian Campbell, Bryan Newbold, Dick Hardt, Filip Skokan, Jeff Lombardo, Joe DeCock, Justin Richer, Leif Johansson, Matthieu Sieben, Meghna Dubey, Orie Steele, Pieter Kasselman, and Takahiko Kawasaki.</t>
    </section>
    <section numbered="false" anchor="document-history">
      <name>Document History</name>
      <t>(This appendix to be deleted by the RFC editor in the final specification.)</t>
      <t>-02</t>
      <ul spacing="normal">
        <li>
          <t>Clarified loopback exception for SSRF checks</t>
        </li>
        <li>
          <t>More strongly recommend doing client authentication</t>
        </li>
        <li>
          <t>Clarified scope of applicability in the Introduction</t>
        </li>
        <li>
          <t>Renamed "client identifier" to "Client Identifier URL" to avoid implying all OAuth client identifiers are URLs</t>
        </li>
        <li>
          <t>Reformatted Client Identifier URL requirements as a list, and aligned terminology with RFC3986 (userinfo, authority)</t>
        </li>
        <li>
          <t>Clarified that Client Identifier URL comparison uses simple string comparison without default port normalization</t>
        </li>
        <li>
          <t>Clarified that URL shorteners are incompatible with the no-redirect requirement</t>
        </li>
        <li>
          <t>Clarified the relationship between associating and fetching client metadata</t>
        </li>
        <li>
          <t>Split "what is in the document" and "how to fetch the document" into separate top-level sections</t>
        </li>
        <li>
          <t>Moved the 200 OK requirement to the fetching process rather than the document definition</t>
        </li>
        <li>
          <t>Split client credential/key restrictions into their own subsection, and added a discussion of software_statement</t>
        </li>
        <li>
          <t>Moved Client ID Metadata Documents for Development Purposes to a non-normative appendix, and added discussion of its security and reputation implications</t>
        </li>
        <li>
          <t>Clarified applicability of redirect URI registration requirements to non-redirect-based grant types</t>
        </li>
        <li>
          <t>Moved Supporting Both Pre-Registered and Unregistered Clients and Pre-Registering Client ID Metadata Document URLs to a new Implementation Considerations section</t>
        </li>
        <li>
          <t>Removed normative language from Security Considerations where it was purely explanatory</t>
        </li>
        <li>
          <t>Clarified the SSRF loopback exception applies only to development and testing deployments</t>
        </li>
        <li>
          <t>Clarified the maximum response size guidance applies to how much data the authorization server reads, not the size of the file itself</t>
        </li>
        <li>
          <t>Added discussion of domain allowlists to Client ID Domain Trust</t>
        </li>
        <li>
          <t>Added a Privacy Considerations section</t>
        </li>
      </ul>
      <t>-01</t>
      <ul spacing="normal">
        <li>
          <t>Added security consideration for changes in Client Metadata</t>
        </li>
        <li>
          <t>Added guidance for an AS that supports both registered and unregistered clients</t>
        </li>
        <li>
          <t>Require HTTP 200 response for fetching metadata</t>
        </li>
        <li>
          <t>Added additional SSRF considerations</t>
        </li>
      </ul>
      <t>-00</t>
      <ul spacing="normal">
        <li>
          <t>Initial draft</t>
        </li>
      </ul>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA8V9/XLcRrbf/3iKDlWVtZ2ZkSjLa5u72V1KlGx69RVRjmvj
cpE9g54hTAwwFw1wNKti1f3nvsF9gDxL8iZ5kpyv/sIAQ+lWqrK1VaYwQKP7
9OlzfucT0+k0a4u2NCfq6M1p116rZ2Vhqladn6lXptW5brU6qxfdGi4eZXo+
b8wt3Pvs/NXZUbbQrVnVze5E2TbPsrxeVHoNQ+WNXrbTwrTLaa1h0OmCBp0W
+XQtg05zGXT66HFmu/m6sLaoq3a3gefPn79/kVXdem6akwzuNifZoq6sqWxn
T1TbdCaDSXyd6cZomMyFWXRN0e6Osm3d3KyautvA1V/MXOGK6qb4p25hbPW2
qdt6UZdH2Y3Zwa35SabUVNEUs1tTdQYvfMrzSvFEj36BFxbVSv2AD+H1tS5K
uE5j/g0pMKubFf6wKtrrbu5+mm5XDz+HSjhCCYSwLYxw3bYbe/KQB7AzenhW
mfazRvysm2fX7RqWnWmiB5Nt2ZUlb/epbpA6sBuLmwJ+UwrWrCsh24l6c9Nq
umyYOhrv/9uG758t6jX9CFt4otzS6Jb0jviNz9emLLS6WANR45ENXf/bvNFV
bvJFnZvh4dvrwhYWec6sZ7ZeFLrMsqpu1jDjW+KCdy+eff39d3+UP//47ZPv
3Z/fHYc/v38kf377zffH8ud3j79xN3z35PiJ/Pn9t4/g3qyolvFbzqu8MMhk
JzRHdxL95SO+rJuVacPsC/yZNt1uzGJG/9yaOXLaQ3qAjox6/OjxYzhd0+PH
dDHsHf5vqsb27lP24qIugU3enJ89Sycerh/tTeTr6ePvBpdj8aFNU/9uFi2t
4f27h/jIw7rIF1P869HX8uihNTyr511T+SXAQCBIqqbbtL3bTbmEBd+WxY2/
uajswHX3wBmwWVOo/6FXRd6VBb7jzcZU52fp4vkazKOqYCXw38ao49mjHiW+
hv2YHn8zSIkaRihyOsq4s1YuTBc8JPy3MdPjy0d0HA8Q5PVMXeibYt01OqXH
69P3M5if7coWpFbvqZ9m6mmj89Ls0of+0c2LRd27+dVM/VRXxqa3XgANp+fW
diZXo+95OlO5Ae2Sm6KpewP8UNer0vQeeDZTr+qmLdaw/PT2s8JWNF2m/ewF
DNqw1BnamvDzwMY8mT76Znr87WdtzNIP+Cnb8m6mfjQ5KLVVugo4wAbGy0HQ
7lH56X+czqez//1vMzyq+2+8KG76r/qs3f9hps5gC3Xjf7l3Kf8dHvnndXdb
VPVt+owcmMdFjhJxejbb00y6Rc3HdJ5ra3Knq7SIzsGn7KZYLk3/VhLWj792
Yvn4GOR2BjcAfsBrF89fvgCG+fUzIcxvoByn06nSc9s2etFm2XtQMQqZpVgW
C+a53CwL2Eql1dosrkFB2rVqrwE5rK7V9rpYXCtdKUZh/Da10FVWIDGL5U4V
rUUR1dbCXg6WWNPcmsZO1Ba0Yd21atMUdaPyHRC+WMhQWWNWBc6NHoGf6/ba
NMp8gIsIYOKfZ4omD/93s4N7VWf1yqh6CdP/+d3LTOM6rnjwyyK/gq0P01+W
9RbmA28w9Cw8AG9Ywixp+spRToFka3VRIfPifcAHxlrd7BwBHK0nylR6XuJM
8b4hAuDIS9MuaLaZexB2BEmCD8mQMPHKwLnNZ7xl6yIHrs+yB6At2qbOuwUO
mmXnSCY43go0dljZ49kj9fGjQIK7OzcovLtri7L4p0luzYYmOolng1MhoiCD
wwItMIHqquJfOqNk5wt8BABN5u8FZXkLP9I4snjcezWwaL3ZlMJ/E2U75DFL
BIp+oBM6UXDMcQtz2Km8aFCF/fzu3M6ALMCHFviW91O7qSOLVK1Bdsf9oxkM
cia8T8PtrbpG2tcwfkm/2+tiQxOfAGyuOl0mXJjh+OtNDXbBvDSwWb9cF6VR
Z8LWYqe8i9maNgahGG4M7IOjEx44mFfOW5ltwIYp6s6WO6D0TVVvq2gbwz7I
eYOpw1CDHIebUs+RgSOqRJvWyjGqahij3OqdhSkhuRawVnjI1msDUmFT1js8
DZYGxIkvwLBpYd55XuD74G6QF2VpqhWKDziTsEtAMjiQdIrgUOJeJ0ec+QDH
Kw0Qd4M3FRW+/NYxn52NiCm7aIo5vOm63qacH8SS2nSeShlSMHm5h7nCUfoW
sJziE254G2ATpvyMaZB9gMxGL4Y5yM0TeLap8Sa086yCKbY0liyH+exa39Ih
9BtpcuB8/NvwMaKZL2Dz9QKlDXKXAviMMwITc2HCOdF0HedQ4GX6py1gY4iP
1LqeI0fCrCYZXZA7eR4o2pq6tEghhRTKazBSqln2LJ5tXhN3yM04Bs2UybtA
wRmm45YJu4/Mx1uZm1tT1hvkgwyp7S6Y5g9WlTVy2hpIBopnovqkgn3El686
DQZTa1iglDVw2S2ow8zJelg5nPsSaAUEKEvelFzNd8zgXpkhKAi8TG+g7W5r
sPA3G4BwvBQ3Bwvaqsxx7bbAFeHbV12Ra9gEPB4fP8L5L4nFiRsu3Z0sPe7u
MuStjx8XxTq/FNrD1RnKcgAVt3gQ4T7iwDPUvXSYLDKTUTdmh2wEAvXo1c8X
748m/F/1+g39/e75f/v5/N3zM/z74sfTly/9H5nccfHjm59fnoW/wpPP3rx6
9fz1GT8MV1VyKTt6dfqPI2JFAKZv35+/eX368gjXS9T0qhFpDvJobljKAne2
QEttM3c+c3zm6bO3/+t/Hj8BKvwnkH2Pj49RKfE/vjv+9gn8A6R2xW+rK2B6
/ieQeocqwOiGFDfs6kJvilaXgCM0bQ1wLMp7oOZXvyJlfjtRf54vNsdP/iIX
cMHJRUez5CLRbP/K3sNMxIFLA6/x1Eyu9yidzvf0H8m/Hd2ji3/+K8ALo6bH
3/31LxmxkHjCvEAnGPPxgUeC7vq0a8q7exAfPsoyEYAU7aNXGXBOI6WREU5q
6NgMMAU+Njgx2KfT4V8A336laMPgzXTIrsiuuaJJ2cU1nDB3B9JQMBniEIuy
eVnDJVDEFQ7NK6LDT9oWnSRwEOHx039ET+Jhd2NGVzVCWzfW0DstqILSALJu
UVjlNUhB/lf6qIVnA3dEbwDYhODx0Cu0WjZ6JejT3ZcNUs7y03AE8U6Nm9Lh
DGGaKJhAVqPqkh8LixCLzieTCN51YQhMqj/OHs+OUQNHNJupFzUCcI1DTbIr
Z2vKFfS0PGQGuaLTO3TDyZMnX7ub0BtKusT8S1fc6hKXA6oAOYgwPNzKkB51
xlKDyUi7RLosZgpmiGFosCk1iFjGcLj4BQvYuqIR0DcMegN3zisRMhiGqQt0
3dVVLtAFJt0Y1hwlgoIcQeytmalTFEZNS08UNotO+ATZZeEsjHPQczvcq7yw
MM8dnyD8DexRYmU+TqYHykm6LmFdOG+4I8JV/idAwT8H80dUNFpBosMNYzzU
g3DTElcDz4O0dcQNkBkkbK2SRQDL0IPOuMGFbguQyCKfZRVjNs+c0Q4QFnD1
LsvR6G3wZcNEBwmSKBBQn86GuwQ5dslrYDX6um4FzJCkwG0wFfG/KFtSUitT
gUouYbVIA9sVTB540d4MMjxU0bbt0I+OaBgeRsiCoJdP2I/v37/1hgjatmQf
wxleAiyC80/WRo9z0uUECHoJHLEAXmp2og7ZThR6e+YciHjgtuNtIrpg968e
XqkvzGw1mwweyIdXX6Ld0lNFMaMeeBvgEcRDLc5wbhzM0i2Zxk1de6DPSHLi
yYFTJIJ4cx6FHRk0uHlyLgSxG3oDKfYRheGlnrbkG8fDyNYdzIkm0bfOMz5Z
pOH4jBxaZo8FM79nbrxLp+/u7uB43OqiZI5qEwr21d+Dgy91envgJQwIDz2M
51b9dPHmtfqCJDj6+O/uvhzyY9AU3Tsy2TB+NfpVTJ92CkR1JycJb5V/BiVC
u88m2CHb10+ab30LkB5egda3WGa77M+OYbfb7awAMUfedtjkYlWR5H3Irq6N
f3bvwuwD+jgdBHJr+At6gyJ7y6MDtsVn9xO4BxRivxKYfCAZWkSutRX6ZHQ/
nG729gyzhBMadC+J3fAAcjmdjX19IJKVUFrsUvKb/adI4QeEsNa5yQ6jA2b8
TwQH78cmVuCO2g2aQngoUMMATcBqapn70CKjdcLb4MV4XjOgIZm6wp60JpiE
D+994gYFoSTi4PGjR+rN31lYo4O2AyMVg273DwdokbakNyS6+D3mCFJstzEW
eQxhhTiwHBEMEoSOJoIklIggg8hLdhW5uB7++fRiKrT/y3/5HTbjChb9hnyg
CcSxNDXCObH7ZQjuyOysSOVDeoRcDZuWT8awj8yburJJRZMlE0vhoqg9t6FX
bX1jqksAOpsaQMslvuKSfV7hAGVEa3JyXR1tGsCIrbkEM/jy9217dDVRBoAD
+RRAGYfhkaJsnqAXKviNnp6dqF8M6ZatxhWGg+r8FeEUX5oPG1DS9lIDmF0S
zsppXTR/3fYwktkgBAVMQXuKqII4XOlli44PtSoI1xZrlDnrDUydSEUwYkl2
A5MdnW8UI0Gqe+8M3RG8JqAXmw1IFlzVA9AhADpktfjyvwNGeaXRRwUX3sVc
4BUKEhuf4H26jFkFVMupZXXLfkCg1a7v7bXXZFlYs2h4d+aGpQ+diJ66yPza
JqJxy7Lesgc/mhyy/s4hx89gVLIVP5mjgnEF8KbscuO3nBdzCXRtr8C2Sa/O
tS0WwHC9y8CGV+Sj0tVOwhPitqWYj/g9s0Cw3Rp+hyUL6dzMk1HFdkrfFHOj
rKUwNqxGNgAGlGNC3qK1Y4P4Pll4LrbFIaH3p4wcMOLZgxFt7JFH3RYQ2m2h
eTG/b2/AJgOi0F+A0IurLEyZPXPwj3XRgnTJsgtjAgROGROwL3I+Sdgc5laU
JMk8J9Jh51hR+qAgcp73w5giG100cmzehZjBywSYwAlYLOomp6Nes47DZAiE
dqNmDVFYkH3qWQZlFoUn0JjA/aX7MT2oMUGexPdJdCp9GZlptkXAjhbUB71o
WXVO7jXzCeM697VJQiYvnekszBvgcuwV9yZJhJtsNjLiF/ZLtltGCcYa3WYD
x/0QSw5b+RKxKAvgKgZBK/QPsxpm+qInSfdWjfpp70bxbxfVbV3e9p9JIlIy
zywIYKt+wOFIJpgPsCbMEONXWP/ke5RT6vkHtluJp7LEm0BUwDUK3JIZkYR0
hhk5NGJuSbaiZjTI8N0JJvF596zpdo+akwyja+WuHx9ahOhI3yLwvDHhWeJc
dJOTAx5Ww6g2UBr3i+aXyUnsRdeUrZftFgTFJUI0I9bQ/kWxg672f7lS3gKI
AWwcbkPU5PRWW68MUklCgmPofBnwDCpolqR40Arxc3o1c7/emsFfdGLrJPA3
el5wZhkKBA/xJnHuAmwX3AVzJbsT7SOEA71IsvfbkssLpTKgEoxdILIkZ0bd
IB5ez9kwdHRVnq5WiRtj7whKaAQY1WReoO0PIKCCvG2NBLBa2hzyZVOExgOr
vGtcnH1QDv4J06Bao/MJ7gCZGSD4jA/19B7LXBDUmxmJW+Wg2FEiIHXFwei2
6Wy7rZsW41TWS679Bf8Bo2C6oGOHe8WSivQqo/KMEB/GvmjXWtQI9a0ElyK6
UWx3ouZdy3aIYHr0+K2aIvCcWE7eHHQ0udeX80XgZxmnNQLOev43a5slQJFW
L27s3d2XFH+hOJs3dKIDPTft1hh2Cni1AutCKabFmXqQ8qeD1gfzW2bQukbt
DtqG5ByxJrMwP7A2hmJ7YJ+ge6hr6M2JwJ2bJSZqoTcSV49vGeD83JSA4inO
ge8AXDxLoi6RrjzzutJj7mHvHmCNwdVJqADYt8Zn2N8YDPt9emXBcDvgc9rj
h54gnx2eDoiIos5lNo2ZHpqQ38BMmMIreTTAxO/MfA5W0UwxDvSurgVFgFcg
pzEAvu9v805fjmxHaQdJxBVdhiOpECj/RXwEt+GY7Gfx21d7LtnIaVgQDgEg
gATqZQx4P04/JPrxI9wJN15SXLhrSvvpLqjP83CMY9cWEzgorMqr6T9vScMB
6GwaILhzZUwG1hLclY7NL+khK06iA5MAEyXr8TxZiz3n+r5L/B7IeMHGNmha
PNKsqYBwrUYkhvldlO1xwTO5QD38jjUMujBWeI6/uLh49+JLdcpCL0sncODl
HJw+KD/ZHAlPetnxnKgGImScoll2vhzHDJiFuN60NvUKHpjthPITEsIGjOfY
bomG2AFTyMmuOcbA9r2Vort7q37G5z1erBMB2QHOxRAu3DYozBATOIJZEYsH
XV7OEjq8roZcNy2zJL/8GmQIvoNNxePjYxe1kSXsRx9Qi+PkGZv6hJtus+Ek
rYcUkdzCP+boQiC7F8EfOeUI4vGbywI2C+Sn08CH5h/iyvRoepDtwNH0eAnh
Ru/p4LCSPFD0F1Xs9EKbXZeo7gjiP+hpcDlmnv4fH2jrHfOjGpEwpUvhumfA
j1LJgCgfp+18Pan7yYN1OB0CmF3SD+qUQ4d670zvA2JYeORN3AvhXMqrTH51
kp0ol90xU0/rGtPfOGogQxIqCQBnZH9lRI+CBxhPLZt63YtWDIVYB5dDCJiS
Wk3I7PLCE3C8g44cuua0WdSu8MsE1SGBXifE9+4dUdO0735pAxNT5BPfFtYk
aaocmfQ2sn+Vg5z0j63TBEAg0Z9Ow7HtpCvP1SEZtyfNXVTkyezYxUV8ti0j
xPMkKYzy3wNEAf4/nDRGgvKCKYBUe1pjtAygxbtg8OOqfq4iD4Ck7JF+GCPt
llw4xP7C9z5fz96n1mLI754K2dODr+Ooe2ts4vQEFiTrTaRr3yUWcyp7tTA9
MRpLnCOAVBrZQh/lvpqpH9jvTjHlGtR5Smky24aDG+4FCguz4MxIkNOnnsSz
j5NmzQdUDmx5YTwapQwcmDWyimTSGhHSLnvT2Y5h3pLRovYii/KSuU+tR+9U
mdj85G5hSeEzfLfaxq6/zvq4W+r48di1GGcaslZtPFlKO0qCJ1cxuRhOupAF
aKwbDIlWaLGGJDKLSkOyVHw66HSpF+RdCbeFkgHCqyJE1oOpGzwx3geJH7KS
y9EttGYXB7yirTljPpCtR3LbzX8nGVIPOT4Ke79oFmfnxJcxoLgKVgeCxINI
n9kOmDia2ZhhHAtMQA8o0yQJ2XAdQcw0YMROOGkIeYejL2AnIxZJj8oEf8w5
V6NDFewOfcRXHALYIxDpHA4XRDfPd7HZxGgwFmqxAOpt6ccHe+bSYTMvtsNG
Bg0VJFpCdyHLHVNpkEJM2hLYs9ErEWPoKrUb5lMUwjdmN50XrAqjQA2cypHF
3OeMRXxVcppc5J8Yh/z7HoMhHKBbh8PF/L4P9X6S+eB8DwQp+E8Cp7D6JGhD
ywyb0shKdSmJfxFj4LN9E3rfJEH0SSiVts5hlYEdRASTSuhFvV5TTh0mpGHS
Mp5MU90WTV2tI7UW/broLBAZzxpqUAqOfsC4fdGSU29e6yYnD2Ox6EodMtjh
nLkDFr2AaT/sdUDP8Dw5Nj6LzDtyxXPcTCJ/9ECITPVCZKNZdf0YnKuKKlqZ
DpUrkHMSeJ/Cw+L7DofMOLhEi/OhZNCExYpfH4GOtOzLERBnDjKis2HXDwQw
orwQwFuuvL6HtKhCyrmKXKjZuntT1IUjhyoSqoyNiqg4hhd+f39N3pNXdW44
CD8yAxnju2M/RhRd5EM95sniwMpsP2Ai/lV15bAuhlxtGkVGRYYRWfknxmRB
isYPXMY+2wPiFJ13VONkehkmTeL1tX5ahGwGptYHd/3pxSHjOO7Shkze/bGv
/K4Ca05h8quiSoN1Iz7mXwRVJGsiqAKPimWBMgZj13XLwT5FMQBajNUgH3cO
GwUc7I5e5IcB4oHkgA0mZyPFthFHT5OqrhQmLFpGgnjU2NqmjCmUOHVHpN90
7OJGU2vKZg6spbA3wC8/arIERzKgh1z1n81KW64NYEnqUC6LKjCPfIX93d0f
bLQNkYvMCrLS86IkYGgZHZNfE3d/rhc3W421LxTTbgu50c04fY0w2IANe4H1
a3069JeLYm6tbyIkGkpJD9pEmMmMMh8Yaq/Gh1xRnbWuSM0n99SU/TwcsXKn
bkH50jE6Jq32abMiB/mBKseh0zxwbq8k24hfdZpqk5HUIhAkFz6PWHg7yh7w
fq+BOsB2lBqTjMuFFzUlabgsC1/qF0XjxV7yJZnqx3prqKA11pBZ/MiBFwd9
1NOlnDcREg2yscwTYmyZDAUIuggTmSjRRpJzimYf7MyytB4PZdJCb4g5gAqY
Z+0SewdzgfBsAEuje24UHWSC+sC4hqPpHCOR95FXHNcdSu6IJBX9yrpRUh0k
JavPNK+EbC7d97cv/p+l+1Iu2NTlglEp/ZRn+CXQL8lLjFiTQ0IHfIUI5WGF
yLZ7+5L1kuSizaSC0vwWB3D1TL1sxqthlkpzF7gnxN3dSUbtCD5KU4LZbCZ/
HY2nwB2dqL0Myol7zCVqHUWtegS/xZUCeNsMM1GPem92pWTx0eY4rPeZ6aG0
TIZAmDyHuqOr3OIp2HY41cpt0zC4TcqLOWS723BFtokqn3OzAHyO3oxDuYPo
2uhv13j4I0sywUawd5pf5hyIj2ePxXmI/R5AZQTwC/ezp56eQp5ykQ1UkGxg
R1keQ0KDXE7BKAm5XqiO4vAJVRMxnIgFCGwnIiR4AF68MSFLKTVXMbJBIFE2
SOrkyUrBbCgyYBsvMp0AOToNHTPUU8qeHNQ0R+rXz2+48Ru+UbqFXbw9f/Hi
+ecNvt+X47decnOctOJBw4Jd0F0VvDu8SvjtKQAa8ouLQlGox26T7gewjxsA
Zyiopz7B/PTtuXUNNWTixoHeOY8Zyr8DEI03MuUleTYka7rNZj7wuKQ3uPhL
2IGuKUYbl5czTGcHw0+/vLeBR3vjBE9v9PAiVBVR2p4dOUcH6swktewZpwmg
/By2sEN+RlpMlkbf02ekJnE/p8ovEiH+hlPTMf9zdJLqqVloXCLzJvk0YfBt
rUJRXAS8M1d5w/cYqaBTXUUw3lvd5E8UknHZvCND6wB4trcmClQvdcNx/uGk
f0W5NQDomgp7FOiM+papymy9qxmxQr9jhuyT62IB8BKrJOEdnBk5yUj8snuU
rBfunSeTv9YYokG53SvuwjFrYBScP4occo1japauLBCPgIq8GmfIfQGkstL6
GjPYs03rUqWmbtXIdVmxBBoDM1aR80nW6QIBS0B14kMLuEwyDMhmxMwiSa5g
QDeeX+It1yw3q8aQiEWNyqYOm7E7V3LH6RpAQ+Q11HI+U7PdzZTP5stkLiBJ
Kj9pnwmEYBGRf13ecr0aUqeSzgZF45o8ZJhoSN0IDGagUlkL57y5LhA+YQ2H
/j//+u+pyS5pMlwEmFEu+449BgHb0VOpOAH1Io40itFi8tbaJEcv8yseOe1R
kHksg2gs4BzSRPRWu5DUQUOL+qD0EpviylFKPhGbFiUF+X+Z3M52YXIeznlL
2094/xX6631JEGUfeBQQoVeXdOwrXlLbd3IQCsGvpPvxDzq6l5Q3jf+krP9J
pEboMEthczwBcqo4mYbec3EvlPWqdmbmBfAEQYoqiC5ggL4TG0+wphIgdjWT
O2bQoTHuLhdPVIxHWfsAObUMTE5lybCMOvEQBUyeSKyxneOctxoNbWqSIPVv
JtS/iij0yHEJx/I6GZso6qMyLq5WoxvIyI6DYKZ6RE5nR2vQ0cqRUXMtBXnA
xeuP0SHABxTsdBVqVM3NCauHwg2g/NDLBGsqTeMzOrkuupAytJBnSYd06JT+
3eyi6iTE2OFwHspvAoFPNd0hWrzHhsqVs7vsw/hOvoP82fzCPLRNEMVRahHv
6P92VYhxEOJAIhRuOqaYUeMbPJXu0AEP1TccMULJhrrP1X25GKNjSJKScrdL
W/iD9QqSJbq/n3c0QvnuzTgszYTa4ixb1XmtjIZEY2Kzadj3QZi8roLPBjde
o0PLsg/V+1Zcmqhq6tbbY1g9RBLSFVH6OAwQZFXXeZBk17sVLKaXDC6ATmqF
r8Vr4vLxDuethuBV7MXcDyNJKMV7MQYT1/BHbrMW9TVjSMGOkuDBT5pK+Vx8
GSctJek3N6ODhDJxpuQEyD741g2fltDHKDrkVzAXhCmuQQV3DctXn3sh2THk
hRWK8NJAkOGck3VFHq29NX5COp1TEfjUdW1bWrzLiIh9zkNb4ttdTMhDHoV2
ZNh+/fBAXRPlOgBkOkuf8HO5NuXGygajk95LG1bobkLuucDWYUdnJMY+NV+V
Eyylid+OQFLNDZD28rbEEuEqvcJwLkm8OL+X2MiOE3hdISsfS8nei7hvaGVy
+D49QRbLdeIk17ED+sk04S5/CFTxbkJOUnwvzEluuT3QhhrbcSdOUMmExvS0
z3Lk03U4KwN3QDZpeEKHHyc+4jURKpCKYIzfqPO3yM3wozW2V4QvIcTvH1F2
2fAyOPItsZM4YoDqwjDg8Bk56PVE1PSBNUkUCCDUTWDc7xMB17KuN2jHR3M8
XOwn2UqumUzTVZUkMui9wTwmE9Lk/geqdBTPFMWe/aNeDty7r1JmTN7KD+jO
ZjGCgk76aMbtDV21Xe5KtRIDpRJuMs1UgHsZ3Fb7hRds6Y/SqK056CSiE+iw
0lif4IjnU6l8Kxs53/tUoGSqEW4a5RmRx964qAzWN90EhOknEOsMxMPsNbzh
km6ZfI+fw+tHNojlkEsJqOpqio5oduVRqyROiWMAi5Zv1OkAgQgc9OR837PK
oOokLZXPO4ZSdWMNn2fSeRyXpSCvy9iN5yN+MAQ2qCgkGbY02jnXEFDCmSnw
kKCqcSqos9JlzQ0VTLLf9a3GBIdNe8JNavcsObF3X+kPxbpbY5U/w/YLdFzc
l7wcx+QGOTF0hxLrng4cDn1/fW7SajHYVYVv3Ug1unsjhtYYxOzYwlUK+4Yj
l7KNYTC9RjcNDieVOYY0J2fGupK4tGrjoHTeK/a0bb3Z0GPS0mEtxOevPuCb
5ztMSCXxFSUnhrXFBTTFkuU/r4DEriaEMhePUZRjT8qbPGD4PQFeFyN9MNzr
9RorQHM/HyIreXdg9TDwN+qmKGuam6jxCOm8BIRJh/V5lU9/Jozz8UHATpeI
QMe1N63A5UCR8MKz7sCbt+ijhjisFw/xjys1w6aCDuAuC+6lFA1JhjpVIhTB
GSelCZ2vvL8/8YO7tKI8t9JswDdcb2vshQoro8LaXZiJtyWlrZbIQKSnj8iX
TFja4rq+YbcHi0/6KS2ajEZgib6qWdPODV6TDClK6XOGKomWaknCtfJ5H+iE
lJqT/W3wjLhI6ojLnZfiiwbA0pT9dArbgovdGXpqR8Px3ETi7x/50EBswZxN
tPMZ9yInyJJxbvPGrLF/G8pEDCO56jwpWsDL3tIfYkj2ANkkT4HyTGg57/HH
A/ZI6qIhp4Azda8NOsfApubT7TWi9DUOzicUP/w2ygv1jTMXbjJ2KPo8nPIh
9QvsDfLrZn/z8aNHYpFEvdVNL3PZGmKNSFMCJOa6bjD4qWObFzXSw128Cvz7
gaRQnhzsKsK2FuAibJfxRdBCgsZsOpc87HQbxhpBaBkqWI/uTTPU2Q8HT6Ob
wnwARnRT50OK3nx+EPHEgUw16aFVSJcuPObYqpFnijtGLaVoBpIhGnc4cUIc
Af4wqmPn7dVXcZicAsZzgxXuAgF0BCLcW2tx0EsInFAprLxbkHNY4HfcKZrA
L20eTs/NVnj9/NUZGWcECz8+SFOPXMcM103CN8vWbpiJilu4csfWaMiJkwCZ
7/k/mqVE2UwhBmolba3F5E/ahKHw0zlvK8oyLvmPbZaQ8p92kPLvwMQLtNZ9
zkXaKDsP9pZZA7i4JT3IARKBAdFaSdd6TxRbnY6NExe7E3AFdWOJO1Fxd3nf
EOIDd3ii4LRPck0SnsTSd+XFRRui5Qf4ux5ZgYv4xJU0jon8uFEROycQAWJt
yl2c4W/yjAQvK62oxqeK2jaQ10giaszKAzGKLAlNiNXCAnNNGbP35sAzqXWW
7BSZO2uTF76maNT378LHLKyHu9QBMbmGQyfPRClaTh2EzlYUOeGsXPUWQ+yL
/ZzjByP1jy8I3pAvBT3ilSklPWVUJUgVyWiNujfQ0HrhrsxYX/Rp7ghRRYu0
LQYKUcQGusz2nZkh2RRZv2h9+y4n3HxXDJ4/HlLu51GLiTWQRdEWa1dLIV1p
FzsuAgiWpR6WIiSAxL1loi7iqHRqQO3VRJQm25CUk8siOgs6VKroYx/6cHrB
AUjMyLUfroK7DNV1p0W23h0cM2BU6iHoiWMNOHPuONhZ8l74GHdhM2Q7wofA
S2N2dq+IOa1fPlDLH/oxkGmBiorxSLxHXeU/h5IJs7KCInP6XWDIwzaAzQ6V
aUswTTpvSnteZzp7dJqEIrMrgmy7EJi8amsXpvTQ6uCZc0c9I35lx1mvWfOe
ydigYeb01ZqaTBfVTUi6WWeDcYbImeXkgfNI4PY7VzbD7ZHvtdRxBJ+UinWI
uzfrPwBYacD6wbxaspqJuvw1j2FzoCY3SIffJogqIntnPhY/0ut9r+Bkz868
GzP3o1PFHxzxJf+yPOxzHBk60UmKSE79AHgbFVjdWIpiuFOxeJAOmz9klXkx
RN9m0MHuyfYJ+qlhfAsiDwQNfuVlAesnLblMhHnkWr6/a59rZ0Ns6rkv1tSk
r85PX58OKSs2BQ5X2L9zDXrJnAppssNAPOkbrIrgzXbf40jrBRl0+cxNWTBN
9+gTJnfk84mTBr9JPc/h1f0q7QN+m9F3CNzl1/RVsE8u6o+ePDPszivw25LU
+XX+/6HKfwZT4tg7bju7qxv5dOlX6iLZA99dE45p3J3hjrv+/mf86NgdWBb8
QSr0PlMnpMQOQRY+i2IPb13AgQ2UqRgoU2waD0r7w1328YSdaSb/r0f4zdSj
u/AZHbolMV7QSey/gHmPKZNFpsyBzyNhKIQtGOfQioMn4pDPBnjWaFswKjhg
jZJPoV9nsZUvTXFyPQV7KDkk28vM4S603Dlrwo7D+HS7qEha9pQlMdQDNVYY
ZJIKFWlxPl4edhcF+w+UiqMfOfukxsS+2XC/FMdFr9PPKCj3eS7/uSwsy8VM
DbBsUnPO10uZDwj36GhkrFHjiUySgsTIeo2VFhr1W5dELjeR1NtE5o2L2ow2
XaAJofd/gI8m8bsJsoYERCIUZYngGTxCUJvX6pzHze7pXz9mHFO2PycgXhcl
8Ha0rPUuiQtjUcKOv8+EQP6vRxjcr3tlSYlLKiVM7Sta+ONOoZY/0VTRDT5v
lCspuEzdUJbW6PHN+PimJjF/OCCxHXufylLpVw2j1ZCvdMFeOJ1Ji4KRGF8U
0E3slJG2VOKW4Qmg6OEuv97WZr8o5h4hIYq1kdaxFK+lGWUp2f1xuC8FRRQG
eXD9GLlka0iblvCRCgrT9snnjqCUO7RdU0nhvLPNRovRepkMNj3Ols8jJT7R
qER114Ys7sO9143MOeSfPHqiXteYm9BV+ZckrHp6QBCutJ2oMZi5lw5kpeSB
zCpnyUrpQ9avOn7qCrFpYmPiaJx1Q4Vfb0/dh/U2seuJHC0t5uh5c7etSSG2
ZnGNdTRltjE1J9+mzcp72SvMErETGaOZXdOQizYjB+c0UYL0IT+XbK1CH0zK
6CXPmTnkX4s9Zb6d5liyeRYVqmn/rY4DrrSaC9QxXL5MvYSTTFxFuT/r/I2r
2FjQYiCkg56+Pe9B+cxBeZI2A6s8mKmbehVT71isg/eLSBMX24CDL0sdfG6Z
ydTcR5f0colpbHmUToG08q7xLOrskzTfan2LkIPSDft+LdDxXZp8xWZ9jO+W
urQC8KiZgSYHguXsnnPr8uJ632tlCC/d1Yey83zNZ2W24v2R+Jpk7VIcVZQu
U/lWNwy98WuXYJL86j9m/ttE/Rrqin/j8X7d+3LzbxJG3OsLU+JHmUushbIo
2H2IjPIqYLnxZ8An0de8+UX9j3iHmtB4Ur23Ov3FBlZuvBk+ore8ZE5S9Vxh
D1fA13Q4btjfE0oiWb4sE1cDRYIK9wlDpLrZRg2t46meqKf1HAjyvsDmM7uJ
etoUcASf6fUGgFaJ/97Bv1+b7bwu84k6KxY36kfd5AAAXhRlsVEXN/WNBsL9
BDJFvazXc/ixhn/WBuyOZ/UC6PhThy5H9Q6IgmD1pQG4+lMNq7GUU/cKjIbr
wnTqojBz9A++MqvrCri4mxuY0RswsNRFaww6J98W1E3675jyWq61+Bbf6xt9
XdzUcH2rrb4puAOFR14/FqhedsOs/0Vq3HBDkhzeFoVTwRZVILja2n0MTMHW
Yqu6pLL9SzDEHj1Gc/UZMB2zts8LColOuFmUJkOhO/wm3StyJoIxWK1I60s+
gWQ8DRcHxy/xtYCioFwBvxjt8feJv1LvDIZFc3XkIh2eD49w8UeDsOoo9JhD
SUlHFduUJp+djjtJoYAjDzi+kNFPO5qXlfQBJnMRA4QSlSuLFQlS6hZVl/WK
MxiUfPRGfeE+N+j9Vu3uy4Q8SdFIr7dL+MoO5QKNfoPHhb+Sb+CR4Vs6dbT3
yujrZ44kReVaJ5QmlBtV9dT3yIto0RtxJLTiCrK8w36k3RC5F4Av1BFbu9bx
hwNQR/xtUapEHfqA0RH3zrEGC70J7GymrK0kqsmsfCuTlRa4MYYVU8LP0KUE
9aM+PlqY+8+v+tnvNRh4eENZRpE9G7X4QQVpu7lMUDgqz6n/lmh5SVLZb1/v
V3NvY4dBBwuZHql7xAmZeB7pLDC69SmBz4Q10lNPYZrwJe4URSUnTdCqu1vy
/KJvMXgK/AcbH9IPY/3ERpJ5HeHM9p6OjbKnJGDWNaexOEKXulp1mr6pCNbb
WB8g31IJEx82HVVxYhMpXWlSF/3jR0J7QKAT/SkVlD+e00fqLtk3ymndG9sl
jnkrijLI/GeN3Ssoyr7lAgCXYzeM2zHzDIwURGH9PD/KAeIcP5jH6QAbivc9
ytWAF48k87gR9Ejw1W8UKMfjzN8+3PKJsy1GKwj9054wHLZXpxcq7VFKPfea
lEW7aq81FusndixQL2GUWn4PcPAQhe3PITLwWZ333PjTR49wuecUoygVFbRn
/xcDFc+2OosAAA==

-->

</rfc>
