[Openid-specs-ab] Registration: client_secret is used for more than token endpoint authentication

Mike Jones Michael.Jones at microsoft.com
Thu Dec 19 07:40:15 UTC 2013


This is addressed in the third release candidates.  See the updated client_secret definition in http://openid.net/specs/openid-connect-registration-1_0-22.html#RegistrationResponse and the new request_object_encryption_{alg,enc} parameters in http://openid.net/specs/openid-connect-registration-1_0-22.html#ClientMetadata.

                                                            -- Mike

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Mike Jones
Sent: Wednesday, December 18, 2013 8:52 PM
To: Brian Campbell; <openid-specs-ab at lists.openid.net>
Subject: Re: [Openid-specs-ab] Registration: client_secret is used for more than token endpoint authentication

You're right.  We should change the second and third sentences to read:
This value is used by Confidential Clients to authenticate to the Token Endpoint as described in OAuth 2.0 Section 2.3.1 and for derivation of symmetric encryption key values. It is not needed for Clients selecting a token_endpoint_auth_method of private_key_jwt unless symmetric encryption is being used.

You're also right there's currently no way for the OP to tell if the RP will be doing symmetric encryption.  I believe this is due to an editorial mistake, which I propose we correct.  The mistake is this...  We currently have these discovery parameters:
               request_object_signing_alg_values_supported
               request_object_encryption_alg_values_supported
               request_object_encryption_enc_values_supported
But only this corresponding registration parameter:
               request_object_signing_alg
These corresponding parameters are missing, which I believe was an editor's error (probably mine!):
               request_object_encryption_alg
               request_object_encryption_enc

I propose that we correct this omission.  Then the OP will be able to tell from the request_object_encryption_alg value whether symmetric encryption is going to be performed.

                                                            -- Mike

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Brian Campbell
Sent: Wednesday, December 18, 2013 3:36 PM
To: <openid-specs-ab at lists.openid.net>
Subject: [Openid-specs-ab] Registration: client_secret is used for more than token endpoint authentication

Currently the spec has:
client_secret
OPTIONAL. Client Secret. The same Client Secret value MUST NOT be assigned to multiple Clients. This value is used by Confidential Clients to authenticate to the Token Endpoint as described in OAuth 2.0 Section 2.3.1. It is not needed for Clients selecting a token_endpoint_auth_method of private_key_jwt.

but the value is also used if any symmetric JWE encryption is used. No?

It also seems that there's no way for a client to indicate that it intends to symmetrically encrypt a request object to the AS, which I think means that an AS can't tell with 100% certainty from the content of the registration request whether a client_secret should be issued/returned. Or am I missing something?
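An added example, not from the thread or from the OpenID specs: an OP-side sketch of the corrected rule discussed above, deciding from token_endpoint_auth_method and the proposed request_object_encryption_alg whether a client_secret has to be issued in the registration response. The set of symmetric JWE key-management algorithms is taken from RFC 7518, and the SHA-256 truncation shown for deriving the shared key from client_secret is an assumption for illustration, not the spec's definition.

```python
import hashlib

# JWE key-management algorithms (RFC 7518) that require a key shared with the
# client; for an OIDC RP that shared key is derived from client_secret.
# Assumption: this set is taken from JWA, not from the thread itself.
SYMMETRIC_JWE_ALGS = frozenset({
    "dir", "A128KW", "A192KW", "A256KW",
    "A128GCMKW", "A192GCMKW", "A256GCMKW",
    "PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW",
})


def registration_errors(metadata: dict) -> list:
    """Consistency checks on the two proposed registration parameters."""
    errors = []
    alg = metadata.get("request_object_encryption_alg")
    enc = metadata.get("request_object_encryption_enc")
    if enc is not None and alg is None:
        errors.append("request_object_encryption_enc given without request_object_encryption_alg")
    return errors


def uses_symmetric_encryption(metadata: dict) -> bool:
    """True when the RP declared a request object alg that needs the shared key."""
    return metadata.get("request_object_encryption_alg") in SYMMETRIC_JWE_ALGS


def client_secret_required(metadata: dict) -> bool:
    """The corrected rule: a secret is needed unless the client authenticates with
    private_key_jwt and declares no symmetric request-object encryption."""
    auth_method = metadata.get("token_endpoint_auth_method", "client_secret_basic")
    if auth_method == "private_key_jwt":
        return uses_symmetric_encryption(metadata)
    return True


def derive_symmetric_key(client_secret: str, key_bits: int) -> bytes:
    """Assumed derivation for this example: the left-most key_bits of SHA-256 over
    the UTF-8 octets of client_secret (the thread mentions the derivation only)."""
    if key_bits <= 0 or key_bits > 256 or key_bits % 8:
        raise ValueError("this example derives keys of 8..256 bits only")
    return hashlib.sha256(client_secret.encode("utf-8")).digest()[: key_bits // 8]


def registration_response(metadata: dict, new_secret) -> dict:
    """Echo the registered metadata and add client_secret only when it is needed."""
    response = dict(metadata)
    if client_secret_required(metadata):
        response["client_secret"] = new_secret()  # new_secret() is the OP's generator
    return response
```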
