[Openid-specs-ab] Two questions about client_secret in Registration

Justin Richer jricher at mitre.org
Wed Feb 6 15:10:55 UTC 2013


I don't think #2 should go, nor do I think that the "rotate secret" 
operation should go. I like having the authentication-based bits be 
handled separately.

  -- Justin


On 02/06/2013 08:37 AM, John Bradley wrote:
> They should both go.
>
> #2 was part of Yaron's fixes around not rotating the client secret 
> unless the client specifically requests it, to prevent lockout from the 
> registration endpoint.  That is not relevant any more.
> On 2013-02-05, at 8:42 PM, Mike Jones <Michael.Jones at microsoft.com 
> <mailto:Michael.Jones at microsoft.com>> wrote:
>
>> 1.  We currently have this error at
>> http://openid.bitbucket.org/openid-connect-registration-1_0.html#ErrorResponse:
>>
>>     invalid_client_secret
>>         client_secret provided for accessing the registered client is not
>>         valid for the provided client_id.
>>
>> I think this should be deleted, since we're using an access token to 
>> authenticate to the registration endpoint -- not a client_secret 
>> value.  Vladimir pointed out the same thing in a comment 
>> on https://bitbucket.org/openid/connect/issue/727/registration-brian-campbells-review.
>> 2.  The Client Update Response at
>> http://openid.bitbucket.org/openid-connect-registration-1_0.html#ClientUpdateResponse
>> currently says:
>>
>> The Authorization Server MUST NOT include the Client Secret or 
>> Request Access Token in this response.
>>
>> I'm not sure why it's forbidden to return the client_secret value 
>> upon an update.  Is the assumption that the registration server may 
>> not change the secret?  What if the registration server decides that 
>> the updated parameters warrant a different secret?  I think we should 
>> remove this restriction and instead say that clients should be 
>> prepared to receive and use an updated client_secret, if sent.
>> -- Mike
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net 
>> <mailto:Openid-specs-ab at lists.openid.net>
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
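An added example, not part of this thread or of the registration spec: a small Python model of the two behaviours under discussion, the registration endpoint authenticating management calls with the registration access token rather than the client_secret, and a client that is prepared to receive and adopt an updated client_secret (or registration access token) on an update response. Only the parameter names (client_id, client_secret, registration_access_token) come from the draft; the in-memory endpoint, the rotate-on-update policy switch, the request/response shapes and the error strings "invalid_token" / "invalid_client_metadata" are assumptions of the example.

```python
import hmac
import secrets
from dataclasses import dataclass

# Parameter names from the draft; everything else here is modelled, not spec.
CREDENTIAL_FIELDS = ("client_id", "client_secret", "registration_access_token")


@dataclass
class ClientRecord:
    client_id: str
    client_secret: str
    registration_access_token: str
    metadata: dict


class RegistrationEndpoint:
    """In-memory stand-in for an OP's client registration endpoint (assumed)."""

    def __init__(self, rotate_secret_on_update: bool = False):
        self._clients = {}
        # Policy switch (assumption): whether an update also issues a fresh
        # client_secret.  Rotating when the client did not ask for it is the
        # lockout risk the thread mentions, so it is off by default.
        self.rotate_secret_on_update = rotate_secret_on_update

    def register(self, metadata: dict) -> dict:
        rec = ClientRecord(
            client_id=secrets.token_urlsafe(16),
            client_secret=secrets.token_urlsafe(32),
            registration_access_token=secrets.token_urlsafe(32),
            metadata=dict(metadata),
        )
        self._clients[rec.client_id] = rec
        return {"client_id": rec.client_id,
                "client_secret": rec.client_secret,
                "registration_access_token": rec.registration_access_token,
                **rec.metadata}

    def _authenticate(self, client_id: str, headers: dict):
        """Only the registration access token authenticates management calls."""
        rec = self._clients.get(client_id)
        auth = headers.get("Authorization", "")
        if rec is None or not auth.startswith("Bearer "):
            return None
        presented = auth[len("Bearer "):]
        # Constant-time compare: the token is a bearer credential.
        if not hmac.compare_digest(presented, rec.registration_access_token):
            return None
        return rec

    def update(self, client_id: str, headers: dict, body: dict):
        rec = self._authenticate(client_id, headers)
        if rec is None:
            return 401, {"error": "invalid_token"}
        # client_secret is not a credential for this endpoint, so a body that
        # carries one (or a mismatching client_id) is rejected outright.
        if "client_secret" in body or body.get("client_id", client_id) != client_id:
            return 400, {"error": "invalid_client_metadata"}
        rec.metadata = {k: v for k, v in body.items() if k != "client_id"}
        resp = {"client_id": client_id, **rec.metadata}
        if self.rotate_secret_on_update:
            rec.client_secret = secrets.token_urlsafe(32)
            resp["client_secret"] = rec.client_secret  # the client must adopt this
        return 200, resp


class RegisteredClient:
    """Client-side credential store that adopts whatever an update returns."""

    def __init__(self, registration_response: dict):
        self.client_id = registration_response["client_id"]
        self.client_secret = registration_response.get("client_secret")
        self.registration_access_token = registration_response["registration_access_token"]
        self.metadata = {k: v for k, v in registration_response.items()
                         if k not in CREDENTIAL_FIELDS}

    def update(self, op: RegistrationEndpoint, new_metadata: dict) -> int:
        headers = {"Authorization": "Bearer " + self.registration_access_token}
        body = {"client_id": self.client_id, **new_metadata}  # never send client_secret
        status, resp = op.update(self.client_id, headers, body)
        if status == 200:
            # Do not assume the old secret or token is still valid after an
            # update; take the rotated values if the server returned any.
            self.client_secret = resp.get("client_secret", self.client_secret)
            self.registration_access_token = resp.get(
                "registration_access_token", self.registration_access_token)
            self.metadata = {k: v for k, v in resp.items() if k not in CREDENTIAL_FIELDS}
        return status


def demo(rotate: bool) -> dict:
    """Exercise both behaviours against a fresh endpoint with constructed data."""
    op = RegistrationEndpoint(rotate_secret_on_update=rotate)
    client = RegisteredClient(op.register({"redirect_uris": ["https://rp.example/cb"]}))
    old_secret = client.client_secret
    # Presenting the client_secret where the registration access token belongs fails.
    bad_auth_status, _ = op.update(client.client_id,
                                   {"Authorization": "Bearer " + old_secret},
                                   {"client_id": client.client_id})
    # A correctly authenticated call that still passes client_secret is rejected.
    secret_in_body_status, _ = op.update(
        client.client_id,
        {"Authorization": "Bearer " + client.registration_access_token},
        {"client_id": client.client_id, "client_secret": old_secret})
    update_status = client.update(op, {"redirect_uris": ["https://rp.example/cb2"]})
    return {"bad_auth_status": bad_auth_status,
            "secret_in_body_status": secret_in_body_status,
            "update_status": update_status,
            "secret_changed": client.client_secret != old_secret,
            "metadata": client.metadata}
```

Running demo(False) shows an update that leaves the secret alone; demo(True) shows the server choosing to rotate and the client carrying on with the new value without any special handling, which is the "be prepared to receive and use an updated client_secret" behaviour proposed above.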
