[Openid-specs-ab] Two questions about client_secret in Registration

John Bradley ve7jtb at ve7jtb.com
Wed Feb 6 13:37:57 UTC 2013


They should both go.

#2 was part of Yaron's fixes around not rotating the client secret unless the client specifically requests it, to prevent lockout from the registration endpoint.  That is not relevant any more.
On 2013-02-05, at 8:42 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:

> 1.  We currently have this error at http://openid.bitbucket.org/openid-connect-registration-1_0.html#ErrorResponse:
> invalid_client_secret
> client_secret provided for accessing the registered client is not valid for the provided client_id.
>  
> I think this should be deleted, since we’re using an access token to authenticate to the registration endpoint – not a client_secret value.  Vladimir pointed out the same thing in a comment on https://bitbucket.org/openid/connect/issue/727/registration-brian-campbells-review.
>  
> 2.  The Client Update Response at http://openid.bitbucket.org/openid-connect-registration-1_0.html#ClientUpdateResponse currently says:
> The Authorization Server MUST NOT include the Client Secret or Request Access Token in this response.
> 
> I’m not sure why it’s forbidden to return the client_secret value upon an update.  Is the assumption that the registration server may not change the secret?  What if the registration server decides that the updated parameters warrant a different secret?  I think we should remove this restriction and instead say that clients should be prepared to receive and use an updated client_secret, if sent.
>  
>                                                             -- Mike
>  
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
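The client-side behaviour argued for above (authenticate to the registration endpoint with the access token issued at registration, never with client_secret, and be prepared to receive and switch to a rotated client_secret in the update response) as an added example; this is illustrative code, not part of the thread or of any OpenID implementation. The field name registration_access_token, the RegistrationError class and every credential value are constructed for the example.

```python
"""Client-side handling of a Dynamic Client Registration update exchange."""
from dataclasses import dataclass
from typing import Optional, Tuple


class RegistrationError(Exception):
    """Raised for any error response from the registration endpoint."""

    def __init__(self, code: str, description: Optional[str] = None):
        super().__init__(f"{code}: {description or 'no description'}")
        self.code = code
        self.description = description


@dataclass
class ClientCredentials:
    client_id: str
    client_secret: Optional[str]
    # Hypothetical field name: the bearer token issued at initial registration.
    registration_access_token: str
    # Incremented on every rotation so audit logs can show when a secret changed.
    secret_generation: int = 0


def build_update_request(creds: ClientCredentials, metadata: dict) -> Tuple[dict, dict]:
    """Return (headers, body) for a client update request.

    Authentication is the registration access token as a Bearer token; the
    client_secret is neither used for authentication nor echoed in the body.
    """
    headers = {
        "Authorization": "Bearer " + creds.registration_access_token,
        "Content-Type": "application/json",
    }
    body = {k: v for k, v in metadata.items() if k != "client_secret"}
    body["client_id"] = creds.client_id
    return headers, body


def apply_update_response(creds: ClientCredentials, status: int, data: dict) -> bool:
    """Apply a Client Update Response (already parsed from JSON) to creds.

    Returns True when the server rotated the client_secret, False otherwise.
    Any error response raises RegistrationError; no error code is special-cased,
    so a server still emitting a code like invalid_client_secret is handled
    exactly like any other failure.
    """
    if status >= 400 or "error" in data:
        raise RegistrationError(data.get("error", "unknown_error"), data.get("error_description"))
    if data.get("client_id") != creds.client_id:
        raise RegistrationError("client_id_mismatch", "response is for a different client_id")
    new_secret = data.get("client_secret")
    if new_secret is None or new_secret == creds.client_secret:
        return False
    # The server decided the updated metadata warrants a new secret: adopt it
    # immediately so the next token-endpoint call does not fail.
    creds.client_secret = new_secret
    creds.secret_generation += 1
    return True


def run_demo() -> Tuple[bool, bool, str]:
    """Walk through a constructed exchange; values are made up for the example."""
    creds = ClientCredentials("client-abc", "old-secret", "reg-token-xyz")
    _headers, body = build_update_request(
        creds, {"redirect_uris": ["https://client.example.org/cb"], "client_secret": "old-secret"}
    )
    assert "client_secret" not in body
    # 1. Server rotates the secret as part of the update.
    rotated = apply_update_response(creds, 200, {"client_id": "client-abc", "client_secret": "new-secret"})
    # 2. Server updates metadata without touching the secret.
    unchanged = apply_update_response(creds, 200, {"client_id": "client-abc"})
    # 3. Server returns an error; the client treats it generically.
    try:
        apply_update_response(creds, 400, {"error": "invalid_client_secret"})
        error_code = "no-error"
    except RegistrationError as exc:
        error_code = exc.code
    return rotated, unchanged, error_code


if __name__ == "__main__":
    print(run_demo())
```

The stored secret is overwritten in place and never logged; only the generation counter is intended for logs, so a rotation can be correlated with a later authentication failure without exposing either secret value.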


