[Openid-specs-ab] Registration: client_secret is used for more than token endpoint authentication
sakimura at gmail.com
Thu Dec 19 04:23:00 UTC 2013
I am not sure if we are currently supporting symmetric JWE.
Is not the pub key crypto or TLS option adequate?
=nat via iPhone
On Dec 19, 2013, at 8:36, Brian Campbell <bcampbell at pingidentity.com> wrote:
> Currently the spec has:
> OPTIONAL. Client Secret. The same Client Secret value MUST NOT be assigned to multiple Clients. This value is used by Confidential Clients to authenticate to the Token Endpoint as described in OAuth 2.0 Section 2.3.1. It is not needed for Clients selecting a token_endpoint_auth_method of private_key_jwt.
> but the value is also used if any symmetric JWE encryption is used. No?
> It also seems that there's no way for a client to indicate that it intends to symmetrically encrypt a request object to the AS, which I think means that an AS can't tell with 100% certainty from the content of the registration request, if a client_secret should be issued/returned. Or am I missing something?
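The registration-time decision discussed in this thread, as an added Python example that is not part of either message or of the specification text: it lists every reason visible in a registration request for issuing a client_secret. The function name and sample requests are constructed; metadata names other than token_endpoint_auth_method are assumed from OpenID Connect Dynamic Client Registration, and no request object encryption field is modelled because the thread says none exists.

```python
# Added illustration; not the specification's or any implementation's code.
# Values that make a client depend on a shared symmetric secret.
SECRET_AUTH_METHODS = {"client_secret_basic", "client_secret_post", "client_secret_jwt"}
SYMMETRIC_JWS = {"HS256", "HS384", "HS512"}            # MAC-based signatures
SYMMETRIC_JWE = {"dir", "A128KW", "A192KW", "A256KW"}  # shared-key key management

# Assumed metadata names (not quoted on the page).
SIGNING_FIELDS = (
    "id_token_signed_response_alg",
    "userinfo_signed_response_alg",
    "request_object_signing_alg",
)
ENCRYPTION_FIELDS = (
    "id_token_encrypted_response_alg",
    "userinfo_encrypted_response_alg",
)


def secret_uses(metadata):
    """Return the reasons a registration request visibly needs a client_secret."""
    reasons = []
    # An omitted token_endpoint_auth_method defaults to client_secret_basic.
    method = metadata.get("token_endpoint_auth_method", "client_secret_basic")
    if method in SECRET_AUTH_METHODS:
        reasons.append("token_endpoint_auth_method=" + method)
    for field in SIGNING_FIELDS:
        if metadata.get(field) in SYMMETRIC_JWS:
            reasons.append(field + "=" + metadata[field])
    for field in ENCRYPTION_FIELDS:
        if metadata.get(field) in SYMMETRIC_JWE:
            reasons.append(field + "=" + metadata[field])
    return reasons


# Constructed registration requests.
PKJ_ONLY = {"token_endpoint_auth_method": "private_key_jwt"}
PKJ_SYMMETRIC_ID_TOKEN = {
    "token_endpoint_auth_method": "private_key_jwt",
    "id_token_encrypted_response_alg": "A128KW",
}

if __name__ == "__main__":
    # An empty list for PKJ_ONLY means "no visible need", not "no need": such a
    # client could still plan to symmetrically encrypt its request objects.
    for name, req in (("pkj_only", PKJ_ONLY), ("pkj_sym", PKJ_SYMMETRIC_ID_TOKEN)):
        print(name, secret_uses(req))
```

An authorization server that withholds the secret whenever this list is empty would break the client described in the quoted message, which is the ambiguity being raised.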