[Openid-specs-ab] Two questions about client_secret in Registration

Vladimir Dzhuvinov / NimbusDS vladimir at nimbusds.com
Wed Feb 6 11:26:09 UTC 2013

I agree on both counts.

Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com

-------- Original Message --------
Subject: [Openid-specs-ab] Two questions about client_secret in Registration
From: Mike Jones <Michael.Jones at microsoft.com>
Date: Wed, February 06, 2013 3:42 am
To: "openid-specs-ab at lists.openid.net" <openid-specs-ab at lists.openid.net>

1. We currently have this error at
   "client_secret provided for accessing the registered client is not valid for the provided client_id."
   I think this should be deleted, since we're using an access token to authenticate to the registration endpoint, not a client_secret value. Vladimir pointed out the same thing in a comment on

2. The Client Update Response at currently says:
   "The Authorization Server MUST NOT include the Client Secret or Request Access Token in this response."
   I'm not sure why it's forbidden to return the client_secret value upon an update. Is the assumption that the registration server may not change the secret? What if the registration server decides that the updated parameters warrant a different secret? I think we should remove this restriction and instead say that clients should be prepared to receive and use an updated client_secret, if sent.

                                                             -- Mike
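The two points in Mike's message, as an added example that is not part of the thread and not code from any OpenID project: an in-memory model of a registration endpoint and a relying party performing a Client Update. It assumes the update is authenticated with the registration access token sent as a Bearer token (so a failed update is a bearer-token error, never a client_secret error), that the server rotates the secret when the updated metadata warrants it (the rotation trigger here is a hypothetical policy), and that the response carries client_secret only when it was rotated while never echoing the access token. Field names follow the published OpenID Connect Dynamic Client Registration spec; all inputs are constructed.

```python
"""Constructed, in-memory model of the Client Update exchange discussed in the
thread. Added example; not code from the thread or from any OpenID project.
Assumptions not stated in the thread: the update is authenticated with a Bearer
registration access token (no client_secret is sent), and the response carries
the current metadata with client_secret only when the server rotated it."""

import hmac
import secrets


class RegistrationEndpoint:
    """Registration endpoint side: registered clients keyed by client_id."""

    def __init__(self):
        self._clients = {}

    def register(self, metadata):
        """Initial registration: mints client_id, client_secret and the
        registration access token used to authenticate later updates."""
        record = {
            "client_id": secrets.token_urlsafe(12),
            "client_secret": secrets.token_urlsafe(32),
            "registration_access_token": secrets.token_urlsafe(32),
            **metadata,
        }
        self._clients[record["client_id"]] = record
        return dict(record)

    def update(self, client_id, bearer_token, new_metadata):
        """Client Update request. Returns (http_status, json_body).

        Point 1: the caller proves possession of the registration access
        token, so a failure is a bearer-token error (RFC 6750 'invalid_token'),
        not a 'client_secret not valid for client_id' error."""
        record = self._clients.get(client_id)
        if record is None or not hmac.compare_digest(
                record["registration_access_token"], bearer_token or ""):
            return 401, {"error": "invalid_token"}
        record.update(new_metadata)
        # Point 2: the server may decide the new metadata warrants a new
        # secret. Hypothetical policy for this example: rotate when the
        # client switches to a secret-based JWT authentication method.
        rotated = False
        if new_metadata.get("token_endpoint_auth_method") == "client_secret_jwt":
            record["client_secret"] = secrets.token_urlsafe(32)
            rotated = True
        # Current metadata goes back; the registration access token is never
        # echoed, and client_secret is included only when it changed.
        body = {k: v for k, v in record.items()
                if k not in ("registration_access_token", "client_secret")}
        if rotated:
            body["client_secret"] = record["client_secret"]
        return 200, body


class ClientCredentials:
    """Relying-party side: the values it must persist after registration."""

    def __init__(self, registration_response):
        self.client_id = registration_response["client_id"]
        self.client_secret = registration_response["client_secret"]
        self.registration_access_token = (
            registration_response["registration_access_token"])

    def update(self, endpoint, new_metadata):
        """Send a Client Update and adopt a rotated secret if one comes back.
        Returns the response body."""
        status, body = endpoint.update(
            self.client_id, self.registration_access_token, new_metadata)
        if status != 200:
            raise RuntimeError("client update failed: %s" % body.get("error"))
        # A client that assumes its secret never changes would keep the old
        # one and start failing at the token endpoint after a rotation.
        if "client_secret" in body:
            self.client_secret = body["client_secret"]
        return body


def demo():
    """Run both sides; returns (original, after plain update, after rotation)."""
    endpoint = RegistrationEndpoint()
    creds = ClientCredentials(endpoint.register(
        {"redirect_uris": ["https://client.example.org/cb"]}))  # constructed
    original_secret = creds.client_secret
    creds.update(endpoint, {"client_name": "Example RP"})
    secret_after_plain_update = creds.client_secret
    creds.update(endpoint, {"token_endpoint_auth_method": "client_secret_jwt"})
    secret_after_rotation = creds.client_secret
    return original_secret, secret_after_plain_update, secret_after_rotation


if __name__ == "__main__":
    before, unchanged, rotated = demo()
    print("secret unchanged after plain update:", before == unchanged)
    print("secret rotated after auth-method change:", before != rotated)
```

The client-side rule is the one Mike proposes: treat client_secret in an update response as authoritative if present, and otherwise keep the stored one. The endpoint's error path shows why the client_secret error text under discussion has no place at the registration endpoint: the only credential checked there is the registration access token.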
