Should registrations be indexed by client ID as well as issuer?

[junglebarry]

We've been tinkering with this library, and noticed that the database of registrations is queried by issuer alone (iss from the JWT). However, for platforms like Canvas cloud, the iss would be the same across all tenant instances, and the process of adding a tool to any individual instance would generate a new client ID.

Should registrations be keyed by <iss, clientId> pairs, rather than by iss alone?

[junglebarry]

Looks like there's a few different use-cases.

• First, checking platforms are registered during OIDC login (where client_id is optional in the spec);
• Second, validating the client in the LTI message launch itself (where client_id is available).
• Third, for JWKS - though that feels like it could operate without the client_id.

I can see why client_id isn't required on that basis, but I'm still interested in how to fit this up against the multiple-clients-for-issuer model used by (e.g.) Canvas.

[kpommerenke]

It makes sense to find the registration by issuer and client ID. However, Blackboard doesn't send the client ID initially, so you should be able to find the registration by issuer only. We use the following method signature in the class that implements the Database interface: public function find_registration($issuer, $clientID = ""){} If $clientID is provided, then it's used in the database query, otherwise ignored.

[junglebarry]

That makes a lot of sense - thank you!