<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I don't think #2 should go, nor do I think that the "rotate secret"
operation should go. I like having the authentication-based bits be
handled separately.<br>
<br>
-- Justin<br>
<br>
<br>
<div class="moz-cite-prefix">On 02/06/2013 08:37 AM, John Bradley
wrote:<br>
</div>
<blockquote
cite="mid:1AA896AD-B739-494F-BC20-B627D762DD24@ve7jtb.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<base href="x-msg://2427/">They should both go.
<div><br>
</div>
<div>#2 was part of Yarons fixes around not rotating the client
secret unless the client specifically requests it to prevent
lockout from the registration endpoint. That is not relevant
any more.<br>
<div>
<div>On 2013-02-05, at 8:42 PM, Mike Jones <<a
moz-do-not-send="true"
href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div link="blue" vlink="purple" style="font-family:
Helvetica; font-size: medium; font-style: normal;
font-variant: normal; font-weight: normal; letter-spacing:
normal; line-height: normal; orphans: 2; text-align:
-webkit-auto; text-indent: 0px; text-transform: none;
white-space: normal; widows: 2; word-spacing: 0px;
-webkit-text-size-adjust: auto; -webkit-text-stroke-width:
0px; " lang="EN-US">
<div class="WordSection1" style="page: WordSection1; ">
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif; ">1. We currently
have this error at<span class="Apple-converted-space"> </span><a
moz-do-not-send="true"
href="http://openid.bitbucket.org/openid-connect-registration-1_0.html#ErrorResponse"
style="color: purple; text-decoration: underline; ">http://openid.bitbucket.org/openid-connect-registration-1_0.html#ErrorResponse</a>:<o:p></o:p></div>
<div style="margin: 0in 0in 0.0001pt 0.5in; font-size:
11pt; font-family: Calibri, sans-serif; "><span
style="font-size: 12pt; font-family: Verdana,
sans-serif; " lang="EN">invalid_client_secret<o:p></o:p></span></div>
<div style="margin: 0in 0in 0.0001pt 96pt; font-size:
11pt; font-family: Calibri, sans-serif; "><span
style="font-size: 12pt; font-family: 'Courier New';
color: rgb(0, 51, 102); " lang="EN">client_secret</span><span
style="font-size: 12pt; font-family: Verdana,
sans-serif; " lang="EN"><span
class="Apple-converted-space"> </span>provided for
accessing the registered client is not valid for the
provided</span><span style="font-size: 12pt;
font-family: 'Courier New'; color: rgb(0, 51, 102);
" lang="EN">client_id</span><span style="font-size:
12pt; font-family: Verdana, sans-serif; " lang="EN">.<o:p></o:p></span></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif; "><o:p> </o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif; ">I think this
should be deleted, since we’re using an access token
to authenticate to the registration endpoint – not a
client_secret value. Vladimir pointed out the same
thing in a comment on<span
class="Apple-converted-space"> </span><a
moz-do-not-send="true"
href="https://bitbucket.org/openid/connect/issue/727/registration-brian-campbells-review"
style="color: purple; text-decoration: underline; ">https://bitbucket.org/openid/connect/issue/727/registration-brian-campbells-review</a>.<o:p></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif; "><o:p> </o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif; ">2. The Client
Update Response at<span class="Apple-converted-space"> </span><a
moz-do-not-send="true"
href="http://openid.bitbucket.org/openid-connect-registration-1_0.html#ClientUpdateResponse"
style="color: purple; text-decoration: underline; ">http://openid.bitbucket.org/openid-connect-registration-1_0.html#ClientUpdateResponse</a><span
class="Apple-converted-space"> </span>currently
says:<o:p></o:p></div>
<p style="margin-right: 24pt; margin-left: 24pt;
font-size: 12pt; font-family: 'Times New Roman',
serif; "><span style="font-family: Verdana,
sans-serif; " lang="EN">The Authorization Server
MUST NOT include the Client Secret or Request Access
Token in this response.<o:p></o:p></span></p>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif; ">I’m not sure why
it’s forbidden to return the client_secret value upon
an update. Is the assumption that the registration
server may not change the secret? What if the
registration server decides that the updated
parameters warrant a different secret? I think we
should remove this restriction and instead say that
clients should be prepared to receive and use an
updated client_secret, if sent.<o:p></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif; "><o:p> </o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif; ">
-- Mike<o:p></o:p></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif; "><o:p> </o:p></div>
</div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a moz-do-not-send="true"
href="mailto:Openid-specs-ab@lists.openid.net"
style="color: purple; text-decoration: underline; ">Openid-specs-ab@lists.openid.net</a><br>
<a moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
style="color: purple; text-decoration: underline; ">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></div>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Openid-specs-ab mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
</blockquote>
<br>
</body>
</html>