Dynamic RC instance management

[jricher]

§3.5 Returning Dynamically-bound Reference Handles: Editor's note:

The client-bound "instance_id" could serve as the hook we would need for RFC7592 style dynamic client management, including additional components like key rotation. If the AS returns an object instead of a string here, that could include everything that the client would need in order to make REST-style management calls, similar to token management.

{
    "client": {
        "instance_id": "7C7C4AZ9KHRS6X63AJAO",
        "manage": "https://example.server.com/client/7C7C4AZ9KHRS6X63AJAO",
        "access_token": {
            "value": "4TB8N6BW7OZB8CDFONP219RP1LT0OS9M2PMHKUR6",
            "key": true
        }
    }
}

The client would sign all requests with its key and use the presented access token. A "POST" or "PATCH" request would update client information, including having a method for key rotation using nested signatures. A "DELETE" request would un-register the client, etc.

[aaronpk]

The AS may also want to prevent some clients from updating certain information after a user has authorized it, such as when the user goes through a consent flow, wanting to make sure the user can continue to identify the client it has authorized later.

But aside from that I agree it's a short leap to enable a management protocol this way.

[jricher]

If anything, this should be in an extension.