[Openid-specs-ab] Issue #865: Registration needs update too (openid/connect)

Brian Campbell bcampbell at pingidentity.com
Thu Aug 8 21:35:36 UTC 2013


Right on cue Tony. Well done.

On Thu, Aug 8, 2013 at 3:31 PM, Anthony Nadalin <tonynad at microsoft.com> wrote:
> I got it, let's invent a new way to do CRUD operations, schema extensibility, internationalization, etc.
>
> -----Original Message-----
> From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Brian Campbell
> Sent: Thursday, August 8, 2013 2:21 PM
> To: openid-specs-ab at lists.openid.net
> Subject: [Openid-specs-ab] Issue #865: Registration needs update too (openid/connect)
>
> New issue 865: Registration needs update too https://bitbucket.org/openid/connect/issue/865/registration-needs-update-too
>
> Brian Campbell:
>
> Connect Dynamic Client Registration (draft 19) currently only allows a client to register and read its own registration info.
>
> There was, at one time, an intentional decision that those two operations were sufficient. The thinking was that, if a client wanted to update some data (even a credential), it would just do a new registration. But there are a few problems with this:
>
> 1) All user approvals at the AS/OP for that client will be lost with this approach as the client will be assigned a new client id (Don Bradley pointed out this now rather obvious issue to me in Berlin last week).
>
> 2) The AS/OP loses its ability to log/audit/monitor interactions with the client across the update.
>
> 3) It will result in orphaned client records at the AS/OP, which could be a problem from a maintenance and even security perspective.
>
> All that and the current level of uncertainty in the IETF OAuth WG around registration suggests that a more robust set of operations (full CRUD) is needed in Connect registration.
>
>
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

