[Openid-specs-ab] Issue #865: Registration needs update too (openid/connect)

Justin Richer jricher at mitre.org
Fri Aug 9 14:16:34 UTC 2013


One could say the same thing about the entire OpenID Connect stack 
because there were old ways to do identity protocols (SAML, WS-*, OpenID 
2.0, IMI, etc...), but I really hope that nobody in this working group 
is that short sighted to suggest something so asinine.

But "the best thing about reinventing the wheel is that eventually 
you'll get a round one."

  -- Justin

On 08/08/2013 05:31 PM, Anthony Nadalin wrote:
> I got it, let's invent a new way to do CRUD operations, schema extensibility, internationalization, etc.
>
> -----Original Message-----
> From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Brian Campbell
> Sent: Thursday, August 8, 2013 2:21 PM
> To: openid-specs-ab at lists.openid.net
> Subject: [Openid-specs-ab] Issue #865: Registration needs update too (openid/connect)
>
> New issue 865: Registration needs update too https://bitbucket.org/openid/connect/issue/865/registration-needs-update-too
>
> Brian Campbell:
>
> Connect Dynamic Client Registration (draft 19) currently only allows a client to register and read its own registration info.
>
> There was, at one time, an intentional decision that those two operations were sufficient. The thinking was that, if a client wanted to update some data (even a credential), it would just do a new registration. But there are a few problems with this:
>
> 1) All user approvals at the AS/OP for that client will be lost with this approach as the client will be assigned a new client id (Don Bradley pointed out this now rather obvious issue to me in Berlin last week).
>
> 2) The AS/OP loses its ability to log/audit/monitor interactions with the client across the update.
>
> 3) It will result in orphaned client records at the AS/OP, which could be a problem from a maintenance and even security perspective.
>
> All that and the current level of uncertainty in the IETF OAuth WG around registration suggests that a more robust set of operations (full CRUD) is needed in Connect registration.
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
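As an added illustration (not code from this thread or from any OpenID Connect implementation), a toy client registry in Python that shows the three consequences Brian lists: when the only operations are register and read, a client changes its data by registering again, which mints a new client_id, drops the user's approvals, resets the audit trail and orphans the old record; an update under the same client_id avoids all three. Class, function and sample values are constructed for the example.

```python
import secrets

class ClientRegistry:
    def __init__(self):
        self.clients = {}   # client_id -> registered metadata
        self.consents = {}  # (user, client_id) -> scopes the user approved
        self.audit = []     # (client_id, event) log entries

    def register(self, metadata):
        client_id = secrets.token_hex(8)  # every registration mints a fresh id
        self.clients[client_id] = dict(metadata)
        self.audit.append((client_id, "register"))
        return client_id

    def read(self, client_id):
        return dict(self.clients[client_id])

    def update(self, client_id, changes):
        # The operation the issue asks for: change data under the SAME client_id
        self.clients[client_id].update(changes)
        self.audit.append((client_id, "update"))
        return client_id

    def grant_consent(self, user, client_id, scopes):
        self.consents[(user, client_id)] = set(scopes)

    def has_consent(self, user, client_id, scopes):
        return set(scopes) <= self.consents.get((user, client_id), set())

def change_via_reregister(reg, client_id, changes):
    # Draft-19 style workaround: a client wanting new data simply registers again
    meta = reg.read(client_id)
    meta.update(changes)
    return reg.register(meta)

def demo():
    reg = ClientRegistry()
    cid = reg.register({"redirect_uris": ["https://app.example/cb"]})  # constructed
    reg.grant_consent("alice", cid, ["openid", "email"])
    upd = reg.update(cid, {"redirect_uris": ["https://app.example/cb2"]})
    new = change_via_reregister(reg, cid, {"redirect_uris": ["https://app.example/cb3"]})
    return {
        "update_keeps_id": upd == cid,
        "update_keeps_consent": reg.has_consent("alice", upd, ["openid", "email"]),
        "reregister_changes_id": new != cid,
        "reregister_loses_consent": not reg.has_consent("alice", new, ["openid"]),
        "orphaned_after_reregister": set(reg.clients) - {new},  # the old record
        "audit_for_new_id": [e for c, e in reg.audit if c == new],  # history reset
    }
```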
