[Openid-specs-ab] Registration: client_secret is used for more than token endpoint authentication

Brian Campbell bcampbell at pingidentity.com
Wed Dec 18 23:36:21 UTC 2013


Currently the spec has:
client_secret OPTIONAL. Client Secret. The same Client Secret value MUST NOT
be assigned to multiple Clients. This value is used by Confidential Clients
to authenticate to the Token Endpoint as described in OAuth 2.0 Section
2.3.1. It is not needed for Clients selecting a token_endpoint_auth_method of
private_key_jwt.

but the value is also used if any symmetric JWE encryption is used. No?

It also seems that there's no way for a client to indicate that it intends
to symmetrically encrypt a request object to the AS, which I think means
that an AS can't tell with 100% certainty from the content of the
registration request, if a client_secret should be issued/returned. Or am I
missing something?
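As an added example (not part of Brian's post, and not code from the OpenID specifications or any implementation), here is the check an AS could run over a registration request to decide whether a client_secret has to be issued, together with the key handling that makes the secret matter beyond token endpoint authentication. It assumes the metadata parameter names of the published Dynamic Client Registration 1.0 spec and the key rules of OpenID Connect Core 1.0 sections 10.1 (HS* signing uses the client_secret octets directly) and 10.2 (symmetric JWE keys are the left-most bits of a SHA-2 hash of the client_secret). Whether the draft under discussion had a request_object_encryption_alg parameter is precisely the open question in the post, so that parameter is an assumption here; the sample registration is constructed.

```python
"""Added example: when does a registration request imply a client_secret,
and how is that secret turned into JWS/JWE keys.
Assumptions: parameter names from the published Dynamic Client Registration
spec (request_object_encryption_alg included); key rules from Core 1.0 10.1/10.2."""
import hashlib

# JWS algorithms keyed directly by the octets of the client_secret (Core 10.1).
SYMMETRIC_JWS_ALGS = {"HS256", "HS384", "HS512"}
# JWE key-management algorithms whose key is derived from the client_secret (Core 10.2).
SYMMETRIC_JWE_ALGS = {"dir", "A128KW", "A192KW", "A256KW",
                      "A128GCMKW", "A192GCMKW", "A256GCMKW"}
# Token endpoint auth methods that need the shared secret.
SECRET_AUTH_METHODS = {"client_secret_basic", "client_secret_post", "client_secret_jwt"}

# Registration metadata parameters that name a signing or encryption alg
# (assumed names; request_object_encryption_alg is the one the post asks about).
SIGNING_ALG_PARAMS = ("id_token_signed_response_alg",
                      "userinfo_signed_response_alg",
                      "request_object_signing_alg")
ENCRYPTION_ALG_PARAMS = ("id_token_encrypted_response_alg",
                         "userinfo_encrypted_response_alg",
                         "request_object_encryption_alg")

# Key sizes in bits: wrapping key for the symmetric "alg" values, CEK for "enc".
JWE_ALG_KEY_BITS = {"A128KW": 128, "A192KW": 192, "A256KW": 256,
                    "A128GCMKW": 128, "A192GCMKW": 192, "A256GCMKW": 256}
JWE_ENC_KEY_BITS = {"A128CBC-HS256": 256, "A192CBC-HS384": 384, "A256CBC-HS512": 512,
                    "A128GCM": 128, "A192GCM": 192, "A256GCM": 256}


def client_secret_reasons(metadata):
    """Return the reasons a client_secret must be issued for this registration.
    An empty list means the request, on its face, needs no shared secret."""
    reasons = []
    # Default auth method when the parameter is absent is client_secret_basic.
    method = metadata.get("token_endpoint_auth_method", "client_secret_basic")
    if method in SECRET_AUTH_METHODS:
        reasons.append("token_endpoint_auth_method=" + method)
    for param in SIGNING_ALG_PARAMS:
        alg = metadata.get(param)
        if alg in SYMMETRIC_JWS_ALGS:
            reasons.append(f"{param}={alg}")
    for param in ENCRYPTION_ALG_PARAMS:
        alg = metadata.get(param)
        if alg in SYMMETRIC_JWE_ALGS:
            reasons.append(f"{param}={alg}")
    return reasons


def symmetric_key_bits(alg, enc):
    """Size of the key that must be derived from the client_secret for a JWE
    using this alg/enc pair. "dir" uses the CEK size of enc; the *KW algs use
    their own wrapping-key size."""
    if alg == "dir":
        return JWE_ENC_KEY_BITS[enc]
    return JWE_ALG_KEY_BITS[alg]


def derive_jwe_key(client_secret, key_bits):
    """Core 10.2: left-most key_bits of the SHA-2 hash of the UTF-8 client_secret.
    SHA-256 for keys of 256 bits or fewer, SHA-384 for 384, SHA-512 for 512."""
    if key_bits % 8 or key_bits > 512:
        raise ValueError("unsupported key size")
    if key_bits <= 256:
        digest = hashlib.sha256
    elif key_bits <= 384:
        digest = hashlib.sha384
    else:
        digest = hashlib.sha512
    return digest(client_secret.encode("utf-8")).digest()[: key_bits // 8]


def jws_hmac_key(client_secret):
    """Core 10.1: the HS* signing key is the client_secret octets themselves."""
    return client_secret.encode("utf-8")


if __name__ == "__main__":
    # Constructed sample: private_key_jwt at the token endpoint, yet symmetric
    # ID Token encryption, so a client_secret is still needed.
    sample = {"redirect_uris": ["https://client.example.org/cb"],
              "token_endpoint_auth_method": "private_key_jwt",
              "id_token_encrypted_response_alg": "A128KW",
              "id_token_encrypted_response_enc": "A128CBC-HS256"}
    print(client_secret_reasons(sample))
    bits = symmetric_key_bits(sample["id_token_encrypted_response_alg"],
                              sample["id_token_encrypted_response_enc"])
    print(bits, derive_jwe_key("constructed-secret", bits).hex())
```

The check only sees what the registration request says; a client that intends to symmetrically encrypt a request object without a parameter to announce it will come out of client_secret_reasons with an empty list, which is the gap the post describes.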