[Openid-specs-ab] Two questions about client_secret in Registration

Mike Jones Michael.Jones at microsoft.com
Wed Feb 6 19:07:16 UTC 2013


About rotate_secret, there's already a working group decision that it should go, so it's been deleted.  See https://bitbucket.org/openid/connect/issue/745.

Given that the registration server may want to change the client_secret when some kinds of parameters are changed by an update, especially if they pertain to how the client authenticates, it seems odd/overly limiting to prohibit it from doing so.  Vladimir, John, and I believe that this needs to be allowed.  If you still disagree for some reason, we can talk about it on tomorrow's call.  Otherwise, we should update the text as John had suggested.

                                                            -- Mike

From: Justin Richer [mailto:jricher at mitre.org]
Sent: Wednesday, February 06, 2013 7:11 AM
To: John Bradley
Cc: Mike Jones; openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Two questions about client_secret in Registration

I don't think #2 should go, nor do I think that the "rotate secret" operation should go. I like having the authentication-based bits be handled separately.

 -- Justin

On 02/06/2013 08:37 AM, John Bradley wrote:
They should both go.

#2 was part of Yaron's fixes around not rotating the client secret unless the client specifically requests it, to prevent lockout from the registration endpoint.  That is not relevant any more.
On 2013-02-05, at 8:42 PM, Mike Jones <Michael.Jones at microsoft.com<mailto:Michael.Jones at microsoft.com>> wrote:


1.  We currently have this error at http://openid.bitbucket.org/openid-connect-registration-1_0.html#ErrorResponse:
invalid_client_secret
client_secret provided for accessing the registered client is not valid for the provided client_id.

I think this should be deleted, since we're using an access token to authenticate to the registration endpoint - not a client_secret value.  Vladimir pointed out the same thing in a comment on https://bitbucket.org/openid/connect/issue/727/registration-brian-campbells-review.

2.  The Client Update Response at http://openid.bitbucket.org/openid-connect-registration-1_0.html#ClientUpdateResponse currently says:

The Authorization Server MUST NOT include the Client Secret or Request Access Token in this response.
I'm not sure why it's forbidden to return the client_secret value upon an update.  Is the assumption that the registration server may not change the secret?  What if the registration server decides that the updated parameters warrant a different secret?  I think we should remove this restriction and instead say that clients should be prepared to receive and use an updated client_secret, if sent.

                                                            -- Mike

_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net<mailto:Openid-specs-ab at lists.openid.net>
http://lists.openid.net/mailman/listinfo/openid-specs-ab
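The two behaviours argued for in the thread, modelled end to end as an added example (this is not code from the OpenID Connect specs or from any implementation, and the class names, the in-memory store, the sample metadata and the rotation rule are all assumptions made here): the registration endpoint authenticates the caller with the registration access token as a Bearer credential, so a caller presenting a client_secret is simply unauthenticated and gets an RFC 6750 invalid_token error rather than a client_secret-specific one; and a client update that touches authentication-related metadata makes the server issue a fresh client_secret in the update response, which the client must be prepared to adopt. The example assumes, for illustration, that changing token_endpoint_auth_method, jwks_uri or jwks is what triggers rotation; the draft under discussion did not define such a rule.

```python
import hmac
import secrets

# Assumption for this example: changing any of these fields makes the server
# issue a fresh client_secret. The draft being discussed defined no such rule.
AUTH_RELATED = {"token_endpoint_auth_method", "jwks_uri", "jwks"}
# Credentials the update response must not echo back unless freshly issued.
CREDENTIAL_FIELDS = {"client_secret", "registration_access_token"}


class RegistrationServer:
    """Hypothetical registration endpoint keeping client records in memory."""

    def __init__(self):
        self.clients = {}  # client_id -> full record, credentials included

    def register(self, metadata):
        record = dict(metadata)
        record["client_id"] = secrets.token_urlsafe(16)
        record["client_secret"] = secrets.token_urlsafe(32)
        record["registration_access_token"] = secrets.token_urlsafe(32)
        self.clients[record["client_id"]] = record
        return dict(record)

    def update(self, client_id, bearer_token, new_metadata):
        record = self.clients.get(client_id)
        # The caller is authenticated with the registration access token only;
        # client_secret plays no part here, so there is no invalid_client_secret
        # error to return. Token comparison is constant-time.
        if record is None or not hmac.compare_digest(
            record["registration_access_token"], bearer_token
        ):
            return 401, {"error": "invalid_token"}
        # Clients may not choose their own credentials or change their client_id.
        if CREDENTIAL_FIELDS & set(new_metadata) or \
                new_metadata.get("client_id", client_id) != client_id:
            return 400, {"error": "invalid_client_metadata"}
        changed = {k for k, v in new_metadata.items() if record.get(k) != v}
        record.update(new_metadata)
        # By default the response carries the metadata but neither credential.
        body = {k: v for k, v in record.items() if k not in CREDENTIAL_FIELDS}
        if changed & AUTH_RELATED:
            # The change affects how the client authenticates: rotate the secret
            # and return the new one; the access token is still never echoed.
            record["client_secret"] = secrets.token_urlsafe(32)
            body["client_secret"] = record["client_secret"]
        return 200, body


class Client:
    """Relying party that stores its credentials and adopts a rotated secret."""

    def __init__(self, registration_response):
        self.client_id = registration_response["client_id"]
        self.client_secret = registration_response["client_secret"]
        self.registration_access_token = registration_response["registration_access_token"]

    def update_metadata(self, server, new_metadata):
        status, body = server.update(
            self.client_id, self.registration_access_token, new_metadata)
        if status == 200 and "client_secret" in body:
            # The server decided the change warranted a new secret; use it from now on.
            self.client_secret = body["client_secret"]
        return status, body


def demo():
    """Runs the three exchanges and reports what each side observed."""
    server = RegistrationServer()
    client = Client(server.register({
        "redirect_uris": ["https://client.example.org/cb"],  # constructed sample
        "token_endpoint_auth_method": "client_secret_basic",
    }))
    first_secret = client.client_secret

    # 1. Presenting the client_secret instead of the registration access token
    #    is just an unauthenticated request.
    bad_status, bad_body = server.update(
        client.client_id, client.client_secret, {"client_name": "Mallory"})
    # 2. Cosmetic change: no rotation, and no credentials in the response.
    ok_status, ok_body = client.update_metadata(server, {"client_name": "Example App"})
    secret_after_cosmetic = client.client_secret
    # 3. Authentication-related change: server rotates, client adopts the new secret.
    rot_status, rot_body = client.update_metadata(
        server, {"token_endpoint_auth_method": "client_secret_post"})

    return {
        "bad_status": bad_status,
        "bad_error": bad_body["error"],
        "cosmetic_status": ok_status,
        "cosmetic_returned_credentials": bool(CREDENTIAL_FIELDS & set(ok_body)),
        "secret_unchanged_after_cosmetic": secret_after_cosmetic == first_secret,
        "rotation_status": rot_status,
        "secret_rotated": client.client_secret != first_secret,
        "client_in_sync": client.client_secret
        == server.clients[client.client_id]["client_secret"],
        "token_leaked": "registration_access_token" in rot_body,
    }


if __name__ == "__main__":
    print(demo())
```

The point of returning the new secret only when it was actually rotated is that a client which ignores the field keeps working until the next authentication-related change, while a client written as above stays in sync without any separate "rotate secret" operation, which is the outcome the thread is arguing for.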

