[Openid-specs-ab] Two questions about client_secret in Registration

Vladimir Dzhuvinov / NimbusDS vladimir at nimbusds.com
Wed Feb 6 11:26:09 UTC 2013


I agree on both counts.

--
Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
 


-------- Original Message --------
Subject: [Openid-specs-ab] Two questions about client_secret in Registration
From: Mike Jones <Michael.Jones at microsoft.com>
Date: Wed, February 06, 2013 3:42 am
To: "openid-specs-ab at lists.openid.net" <openid-specs-ab at lists.openid.net>

1. We currently have this error at
http://openid.bitbucket.org/openid-connect-registration-1_0.html#ErrorResponse:

   invalid_client_secret
   client_secret provided for accessing the registered client is not valid for the provided client_id.

   I think this should be deleted, since we’re using an access token to authenticate to the registration endpoint – not a client_secret value. Vladimir pointed out the same thing in a comment on
https://bitbucket.org/openid/connect/issue/727/registration-brian-campbells-review.

2. The Client Update Response at
http://openid.bitbucket.org/openid-connect-registration-1_0.html#ClientUpdateResponse
currently says:

   The Authorization Server MUST NOT include the Client Secret or Request Access Token in this response.

   I’m not sure why it’s forbidden to return the client_secret value upon an update. Is the assumption that the registration server may not change the secret? What if the registration server decides that the updated parameters warrant a different secret? I think we should remove this restriction and instead say that clients should be prepared to receive and use an updated client_secret, if sent.

-- Mike
  
 
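As an added illustration of the client behaviour Mike proposes under point 2 (this is not code from the thread or from the specification), the sketch below shows a client that authenticates registration-endpoint calls with its registration access token rather than client_secret (point 1), and that adopts a rotated client_secret only when the update response actually carries one. The record layout, the function names `build_update_request_headers` and `apply_update_response`, and the sample values are assumptions.

```python
"""Client-side handling of a Client Update Response (added example)."""


def build_update_request_headers(registration_access_token: str) -> dict:
    """Calls to the registration endpoint are authenticated with the
    registration access token as a bearer token; client_secret plays no
    part in this request, which is why an invalid_client_secret error
    has nothing to report."""
    return {
        "Authorization": f"Bearer {registration_access_token}",
        "Content-Type": "application/json",
    }


def apply_update_response(stored: dict, response: dict) -> dict:
    """Merge a Client Update Response into the stored registration record.

    A new client_secret is adopted only if the server sent one; otherwise the
    previously issued secret stays in force.  The registration access token is
    still never accepted from this response, keeping the draft's rule for it.
    """
    if response.get("client_id") != stored["client_id"]:
        raise ValueError("client_id in update response does not match registration")
    if "registration_access_token" in response:
        raise ValueError("update response must not carry a registration access token")
    updated = dict(stored)
    updated.update({k: v for k, v in response.items() if k != "client_id"})
    if "client_secret" in response:
        updated["client_secret"] = response["client_secret"]
        # Registration responses pair a secret with client_secret_expires_at;
        # 0 is the spec's value for a secret that does not expire.
        updated["client_secret_expires_at"] = response.get("client_secret_expires_at", 0)
    return updated


# Constructed sample registration record (values are made up for the example).
STORED = {
    "client_id": "s6BhdRkqt3",
    "client_secret": "old-secret",
    "client_secret_expires_at": 1577858400,
    "registration_access_token": "reg-token",
    "redirect_uris": ["https://client.example.org/cb"],
}

if __name__ == "__main__":
    rotated = apply_update_response(
        STORED, {"client_id": "s6BhdRkqt3", "client_secret": "new-secret"}
    )
    print(rotated["client_secret"], rotated["client_secret_expires_at"])  # new-secret 0
```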
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab