[Openid-specs-ab] Issue #865: Registration needs update too (openid/connect)

Anthony Nadalin tonynad at microsoft.com
Thu Aug 8 21:31:43 UTC 2013


I got it, let's invent a new way to do CRUD operations, schema extensibility, internationalization, etc.

-----Original Message-----
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Brian Campbell
Sent: Thursday, August 8, 2013 2:21 PM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Issue #865: Registration needs update too (openid/connect)

New issue 865: Registration needs update too https://bitbucket.org/openid/connect/issue/865/registration-needs-update-too

Brian Campbell:

Connect Dynamic Client Registration (draft 19) currently only allows a client to register and read its own registration info.

There was, at one time, an intentional decision that those two operations were sufficient. The thinking was that, if a client wanted to update some data (even a credential), it would just do a new registration. But there are a few problems with this:

1) All user approvals at the AS/OP for that client will be lost with this approach as the client will be assigned a new client id (Don Bradley pointed out this now rather obvious issue to me in Berlin last week).

2) The AS/OP loses its ability to log/audit/monitor interactions with the client across the update.

3) It will result in orphaned client records at the AS/OP, which could be a problem from a maintenance and even security perspective. 

All that and the current level of uncertainty in the IETF OAuth WG around registration suggests that a more robust set of operations (full CRUD) is needed in Connect registration.



