[Openid-specs-ab] [openid/connect] Registration - Clarify what is allowed for Update (issue #754)

Nat Sakimura issues-reply at bitbucket.org
Thu Feb 7 05:57:20 UTC 2013



New issue 754: Registration - Clarify what is allowed for Update
https://bitbucket.org/openid/connect/issue/754/registration-clarify-what-is-allowed-for

Nat Sakimura:

Both in d14 and d15, any parameter seems to be able to be updated. 
For example, if the tos_url and policy_url were updated, do we not have to ask the user for consent again? If the tos_url, policy_url and contacts were updated, can we still regard it as the same client? (I suspect, in this case, they should register as a new client.)

Since we are talking about consent, just the fact that client_id is the same probably would not be good enough to consider it as the same client. 

These behaviors are not defined right now, and I can conceive of an attack by a malicious client.
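
One way an OP could bind consent to the registration metadata rather than to client_id alone, shown as an added example that is not part of the original message or of the specification. The field groupings, the three outcomes and the function names are assumptions for illustration, and the sample client is constructed.

```python
import hashlib
import json

# Assumption: the fields a user's consent is taken to depend on.
CONSENT_FIELDS = ("tos_url", "policy_url")
# Assumption: if all of these change in one update, the update is refused
# and the caller has to register as a new client.
IDENTITY_FIELDS = ("tos_url", "policy_url", "contacts")

# Constructed sample registration (not from the original message).
REGISTERED = {
    "client_id": "client-123",
    "tos_url": "https://client.example.com/tos",
    "policy_url": "https://client.example.com/privacy",
    "contacts": ["admin@client.example.com"],
}


def consent_fingerprint(metadata):
    """Hash of the consent-relevant fields, stored with each consent grant."""
    subset = {name: metadata.get(name) for name in CONSENT_FIELDS}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def classify_update(old, new):
    """Return 'new_client', 'reconsent' or 'ok' for a registration update."""
    changed = {n for n in set(old) | set(new) if old.get(n) != new.get(n)}
    if all(n in changed for n in IDENTITY_FIELDS):
        return "new_client"
    if any(n in changed for n in CONSENT_FIELDS):
        return "reconsent"
    return "ok"


def consent_still_valid(grant, current_metadata):
    """A grant counts only if client_id AND the fingerprint both match."""
    return (grant["client_id"] == current_metadata["client_id"]
            and grant["fingerprint"] == consent_fingerprint(current_metadata))
```

Because the fingerprint is checked at authorization time, a stored grant stops matching as soon as the consent-relevant fields change, even if the update endpoint itself accepted the change.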





