[Openid-specs-ab] Two questions about client_secret in Registration
jricher at mitre.org
Wed Feb 6 15:10:55 UTC 2013
I don't think #2 should go, nor do I think that the "rotate secret"
operation should go. I like having the authentication-based bits be
On 02/06/2013 08:37 AM, John Bradley wrote:
> They should both go.
> #2 was part of Yaron's fixes around not rotating the client secret
> unless the client specifically requests it to prevent lockout from the
> registration endpoint. That is not relevant any more.
> On 2013-02-05, at 8:42 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
>> 1. We currently have this error
>> client_secret provided for accessing the registered client is not
>> valid for the provided client_id.
>> I think this should be deleted, since we're using an access token to
>> authenticate to the registration endpoint -- not a client_secret
>> value. Vladimir pointed out the same thing in a comment
>> 2. The Client Update Response
>> The Authorization Server MUST NOT include the Client Secret or
>> Request Access Token in this response.
>> I'm not sure why it's forbidden to return the client_secret value
>> upon an update. Is the assumption that the registration server may
>> not change the secret? What if the registration server decides that
>> the updated parameters warrant a different secret? I think we should
>> remove this restriction and instead say that clients should be
>> prepared to receive and use an updated client_secret, if sent.
>> -- Mike
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
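The two points under discussion, that the registration endpoint is authenticated with the registration access token rather than the client_secret, and that a client should be prepared to receive and use an updated client_secret if the server chooses to send one in the Client Update Response, can be made concrete on the client side. The following is an added example written for this thread, not code from the OpenID working group or any implementation; it assumes the field names `client_id`, `client_secret`, `registration_access_token` and `registration_client_uri` from OpenID Connect Dynamic Client Registration, uses an HTTP PUT for the update as a hypothetical choice, and builds the request as a plain dictionary instead of sending it, so it runs offline against a constructed response.

```python
"""Hypothetical client-side handling of a Client Update exchange (added example)."""
import json
from dataclasses import dataclass, replace
from typing import Optional, Tuple


class RegistrationError(Exception):
    """Raised when an update response cannot be trusted or applied."""


@dataclass(frozen=True)
class ClientCredentials:
    client_id: str
    client_secret: Optional[str]
    registration_access_token: str   # bearer token that protects the registration endpoint
    registration_client_uri: str     # per-client endpoint for read/update operations


def build_update_request(creds: ClientCredentials, metadata: dict) -> dict:
    """Build a Client Update request.

    The registration endpoint is authenticated with the registration access
    token (Bearer), never with the client_secret, so the secret is stripped
    from the body even if the caller accidentally included it.
    """
    body = dict(metadata)
    body["client_id"] = creds.client_id
    body.pop("client_secret", None)
    body.pop("registration_access_token", None)
    return {
        "method": "PUT",  # hypothetical; the draft discussed here does not fix the verb
        "url": creds.registration_client_uri,
        "headers": {
            "Authorization": f"Bearer {creds.registration_access_token}",
            "Content-Type": "application/json",
        },
        "body": json.dumps(body),
    }


def apply_update_response(creds: ClientCredentials, status: int,
                          response_body: str) -> Tuple[ClientCredentials, bool]:
    """Apply a Client Update Response and report whether the secret rotated.

    A 401 means the registration access token was rejected (not the secret).
    If the server includes a client_secret, it replaces the stored one; if it
    omits it, the existing secret stays valid. A client_id mismatch is fatal.
    """
    if status == 401:
        raise RegistrationError("registration access token rejected by the endpoint")
    if status != 200:
        raise RegistrationError(f"unexpected status {status} from registration endpoint")
    data = json.loads(response_body)
    if data.get("client_id") != creds.client_id:
        raise RegistrationError("client_id in update response does not match ours")

    new_secret = data.get("client_secret", creds.client_secret)
    rotated = "client_secret" in data and data["client_secret"] != creds.client_secret
    updated = replace(
        creds,
        client_secret=new_secret,
        registration_access_token=data.get("registration_access_token",
                                           creds.registration_access_token),
        registration_client_uri=data.get("registration_client_uri",
                                         creds.registration_client_uri),
    )
    return updated, rotated


if __name__ == "__main__":
    # Constructed sample values; nothing here comes from a real deployment.
    creds = ClientCredentials("client-123", "old-secret", "rat-abc",
                              "https://op.example/register/client-123")
    req = build_update_request(creds, {"redirect_uris": ["https://rp.example/cb"]})
    print(req["headers"]["Authorization"])            # Bearer rat-abc
    reply = json.dumps({"client_id": "client-123", "client_secret": "new-secret",
                        "redirect_uris": ["https://rp.example/cb"]})
    creds, rotated = apply_update_response(creds, 200, reply)
    print(rotated, creds.client_secret)               # True new-secret
```

The design choice worth noting is that the stored credentials are replaced atomically with the whole response applied, so a rotated secret and a rotated registration access token are never half-applied; a client that ignored `client_secret` in the update response would keep using a secret the server may already have retired.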