[Openid-specs-ab] Two questions about client_secret in Registration

Mike Jones Michael.Jones at microsoft.com
Wed Feb 6 03:42:38 UTC 2013

1.  We currently have this error at http://openid.bitbucket.org/openid-connect-registration-1_0.html#ErrorResponse:

    client_secret provided for accessing the registered client is not valid for the provided client_id.

I think this should be deleted, since we're using an access token to authenticate to the registration endpoint - not a client_secret value.  Vladimir pointed out the same thing in a comment on https://bitbucket.org/openid/connect/issue/727/registration-brian-campbells-review.

2.  The Client Update Response at http://openid.bitbucket.org/openid-connect-registration-1_0.html#ClientUpdateResponse currently says:

    The Authorization Server MUST NOT include the Client Secret or Request Access Token in this response.

I'm not sure why it's forbidden to return the client_secret value upon an update.  Is the assumption that the registration server may not change the secret?  What if the registration server decides that the updated parameters warrant a different secret?  I think we should remove this restriction and instead say that clients should be prepared to receive and use an updated client_secret, if sent.

                                                            -- Mike