[Openid-specs-ab] Dynamic Client Registration

John Bradley ve7jtb at ve7jtb.com
Sat Feb 2 00:29:17 UTC 2013

The registration spec originally used the same secret for updating and authentication to the token endpoint.

We added rotate_secret to stop the secret from rotating each time as it did in the original spec because there were legitimate concerns about clients getting locked out if they did not receive a response for some reason and lost the new secret.

Later we separated the authentication to the registration endpoint from the client secret string; however, we kept the rotate secret, thinking that perhaps a client might want to rotate its secret.

In OAuth, client secret provisioning and rotation (if there is such a thing) are out of scope.

We did add some additional security that might never get used.

We later also added the assertion profile for authenticating to the token endpoint using asymmetric keys.

I think anyone interested in security should be using this and not worrying about rotating symmetric client secrets.

The rotate secret verb is, I think, a bit of cruft that has collected and really has no practical use any more.

Low security clients won't use it, and high security clients don't need it.

For asymmetric you would just use your access token to update your signing key to rotate.

I would like to remove rotate_secret as it is not RESTful for those that care and not especially useful.

If people agree this can be taken to the OAuth list. Honestly, adding a new endpoint for redundant functionality in a new spec should probably be avoided :)

John B.
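As an added example (not code from this thread or from the specs it discusses), here is the asymmetric path the message describes: the client authenticates to the token endpoint with a signed assertion, the server checks it against the public key on the client's registration record, and rotation is nothing more than the client replacing that key through a registration update. Assumed for illustration: Ed25519/EdDSA keys, a 60-second assertion lifetime, and a Client type standing in for the registration record.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Client is the server-side registration record; Key is the public key the
// client published. Rotation is a registration update replacing Key, nothing more.
type Client struct{ ID string; Key ed25519.PublicKey }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewAssertion builds an EdDSA (RFC 8037) private_key_jwt client assertion for
// the token endpoint at aud, with the claims RFC 7523 / OIDC Core require.
func NewAssertion(priv ed25519.PrivateKey, clientID, aud string, now int64) string {
	header, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	jti := make([]byte, 16) // unique ID so the server can reject replays
	rand.Read(jti)
	claims, _ := json.Marshal(map[string]interface{}{"iss": clientID, "sub": clientID, "aud": aud,
		"jti": b64(jti), "iat": now, "exp": now + 60})
	input := b64(header) + "." + b64(claims)
	return input + "." + b64(ed25519.Sign(priv, []byte(input)))
}

// VerifyAssertion accepts the assertion only if the registered key signed it and
// it is addressed to this endpoint and unexpired; the header's alg is ignored.
func VerifyAssertion(c Client, token, aud string, now int64) error {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return errors.New("malformed JWS")
	}
	sig, err := base64.RawURLEncoding.DecodeString(p[2])
	if err != nil || !ed25519.Verify(c.Key, []byte(p[0]+"."+p[1]), sig) {
		return errors.New("signature does not match registered key")
	}
	raw, err := base64.RawURLEncoding.DecodeString(p[1])
	var cl struct{ Iss, Sub, Aud string; Exp int64 }
	if err != nil || json.Unmarshal(raw, &cl) != nil || cl.Iss != c.ID || cl.Sub != c.ID || cl.Aud != aud {
		return errors.New("claims malformed or issuer/subject/audience mismatch")
	}
	if now >= cl.Exp {
		return errors.New("assertion expired")
	}
	return nil
}
```

Once the registration record holds the new key, every assertion signed with the old one stops verifying, which is the whole of "rotation" here: no secret is transmitted and no lockout window exists because the client keeps using the old key until the update succeeds.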
