[Openid-specs-ab] Registration: client_secret is used for more than token endpoint authentication
Michael.Jones at microsoft.com
Thu Dec 19 04:52:00 UTC 2013
You're right. We should change the second and third sentences to read:
This value is used by Confidential Clients to authenticate to the Token Endpoint as described in OAuth 2.0 Section 2.3.1 and for derivation of symmetric encryption key values. It is not needed for Clients selecting a token_endpoint_auth_method of private_key_jwt unless symmetric encryption is being used.
You're also right there's currently no way for the OP to tell if the RP will be doing symmetric encryption. I believe this is due to an editorial mistake, that I propose we correct. The mistake is this... We currently have these discovery parameters:
But only this corresponding registration parameter:
These corresponding parameters are missing, which I believe was an editor's error (probably mine!):
I propose that we correct this omission. Then the OP will be able to tell from the request_object_encryption_alg value whether symmetric encryption is going to be performed.
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Brian Campbell
Sent: Wednesday, December 18, 2013 3:36 PM
To: <openid-specs-ab at lists.openid.net>
Subject: [Openid-specs-ab] Registration: client_secret is used for more than token endpoint authentication
Currently the spec has:
OPTIONAL. Client Secret. The same Client Secret value MUST NOT be assigned to multiple Clients. This value is used by Confidential Clients to authenticate to the Token Endpoint as described in OAuth 2.0 Section 2.3.1. It is not needed for Clients selecting a token_endpoint_auth_method of private_key_jwt.
but the value is also used if any symmetric JWE encryption is used. No?
It also seems that there's no way for a client to indicate that it intends to symmetrically encrypt a request object to the AS, which I think means that an AS can't tell with 100% certainty from the content of the registration request if a client_secret should be issued/returned. Or am I missing something?
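The two questions in this thread (when must an OP issue a client_secret at registration time, and what the secret is used for beyond Token Endpoint authentication) as an added, runnable illustration; this is not code from the thread or from the OpenID specifications. It assumes the registration parameters already in the spec plus the request_object_encryption_alg parameter proposed above, the set of symmetric JWE "alg" values from JWA, and a key derivation rule for client_secret (left-most bits of a SHA-2 hash of the UTF-8 client_secret, as I understand OpenID Connect Core section 10.2); the message itself does not spell that rule out, so treat it as an assumption of the example. The sample registration requests are constructed.

```python
import hashlib

# JWE "alg" values that wrap or directly use a shared symmetric key (JWA).
# PBES2 algorithms are password based and omitted here for simplicity.
KW_KEY_BITS = {
    "A128KW": 128, "A192KW": 192, "A256KW": 256,
    "A128GCMKW": 128, "A192GCMKW": 192, "A256GCMKW": 256,
}
# Content encryption key sizes for "dir" (the CEK is the shared key itself).
ENC_KEY_BITS = {
    "A128CBC-HS256": 256, "A192CBC-HS384": 384, "A256CBC-HS512": 512,
    "A128GCM": 128, "A192GCM": 192, "A256GCM": 256,
}
SYMMETRIC_JWE_ALGS = set(KW_KEY_BITS) | {"dir"}

# Registration parameters that name a JWE "alg". The first one is the
# parameter proposed in the reply above; the other two already exist.
ENCRYPTION_ALG_PARAMS = (
    "request_object_encryption_alg",
    "id_token_encrypted_response_alg",
    "userinfo_encrypted_response_alg",
)
SECRET_AUTH_METHODS = {"client_secret_basic", "client_secret_post", "client_secret_jwt"}


def uses_symmetric_encryption(registration):
    """True if any registered encryption alg needs a shared secret."""
    return any(registration.get(p) in SYMMETRIC_JWE_ALGS for p in ENCRYPTION_ALG_PARAMS)


def client_secret_required(registration):
    """Decide from the registration request whether the OP must issue a client_secret.

    It is needed either for Token Endpoint authentication or because some
    registered encryption alg derives its key from the secret (assumption: the
    request_object_encryption_alg parameter proposed above is present).
    """
    method = registration.get("token_endpoint_auth_method", "client_secret_basic")
    if method in SECRET_AUTH_METHODS:
        return True
    return uses_symmetric_encryption(registration)


def symmetric_key_bits(alg, enc=None):
    """Size of the symmetric key a given alg (and, for "dir", enc) needs."""
    if alg == "dir":
        if enc not in ENC_KEY_BITS:
            raise ValueError("unsupported enc for dir: %r" % (enc,))
        return ENC_KEY_BITS[enc]
    if alg in KW_KEY_BITS:
        return KW_KEY_BITS[alg]
    raise ValueError("not a symmetric JWE alg: %r" % (alg,))


def derive_symmetric_key(client_secret, key_bits):
    """Derive a key of key_bits from client_secret (assumed rule: left-most bits
    of the SHA-2 hash, using the smallest SHA-2 whose output covers key_bits)."""
    if key_bits <= 256:
        h = hashlib.sha256
    elif key_bits <= 384:
        h = hashlib.sha384
    elif key_bits <= 512:
        h = hashlib.sha512
    else:
        raise ValueError("no SHA-2 hash long enough for %d bits" % key_bits)
    digest = h(client_secret.encode("utf-8")).digest()
    return digest[: key_bits // 8]


if __name__ == "__main__":
    # Constructed registration requests; the third is the case Brian raises:
    # private_key_jwt for the Token Endpoint, but symmetric request object encryption.
    samples = [
        {"token_endpoint_auth_method": "private_key_jwt"},
        {"token_endpoint_auth_method": "private_key_jwt",
         "request_object_encryption_alg": "RSA-OAEP"},
        {"token_endpoint_auth_method": "private_key_jwt",
         "request_object_encryption_alg": "A128KW"},
    ]
    for reg in samples:
        print(reg, "-> client_secret required:", client_secret_required(reg))
    key = derive_symmetric_key("example-client-secret", symmetric_key_bits("A128KW"))
    print("A128KW key:", key.hex())
```

Without the proposed request_object_encryption_alg parameter the third sample is indistinguishable from the first at registration time, which is exactly the gap the reply above proposes to close.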