[Openid-specs-ab] Comments on Registration Specification
George Fletcher
gffletch at aol.com
Wed Dec 21 17:38:15 UTC 2011
Comments identified below. Issues filed for all items except these
questions.
Section 2.1.1 -- [no issues filed]
4th paragraph -- It was unclear to me whether the TLS/SSL server
certificate check MUST be done on the sector_identifier_url or on the
returned redirect_uris.
5th paragraph -- It's unclear to me whether this mechanism overrides the
need to specify the redirect_uris array. Or whether the values defined
in the redirect_uris array MUST match those retrieved from the
sector_identifier_url
---------
Abstract - second paragraph
This specification describes how an OpenID Client can obtain the
necessary client credentials required by the OpenID Connect protocol suite.
[issue #481]
Section 2: Registration Endpoint
Possible clarifying text for this section.
The Client Registration Endpoint is an OAuth 2.0 Protected Resource that
returns the required client credentials for the Client to configure
itself for the OpenID Provider. The OpenID Provider may require an
access_token provided out-of-band (and out of scope of this document) in
order to restrict registration requests to only authorized clients. In
order to support open registration the Client Registration Endpoint
should accept requests with no OAuth 2.0 access tokens. If an Access
Token is required for Client registration, the Client Registration
Endpoint MUST accept Access Tokens as specified by the Bearer Tokens
[OAuth.Bearer] specification.
[issue #482]
Section 2.1 Registration Request
typo - client_id - remove the ')' after client_id [issue #483]
typo - access_token -- "An Access Token obtained out of band to
*authorize* the registrant." The parameter is only used if the client is
provided the access_token out of band. [issue #484]
contacts - how is this relevant to client registration? Is this a
generic use case? [issue #485]
application_type - it's unclear how this is used or what value it adds
[issue #360]
application_name -- I'm assuming this value is any valid UTF8 string? or
is it limited in some way? [issue #361]
logo_url -- "A URL that resolves to an image representing the client
(i.e. the client's logo image)" [issue #213]
token_endpoint_auth_type -- add a reference to section 2.2.1 of the
Messages spec [issue #486]
sector_identifier_url -- it is unclear how this is used, a reference to
section 2.1.1 would be helpful [issue #487]
Security considerations
* In a situation where the OP is supporting open client registration, it
must be extremely careful with any URL provided by the client that will
be displayed to the user (e.g. logo_url and policy_url). A rogue client
could specify a registration request with a reference to a drive-by
download in the policy_url. The OP should check to see if the logo_url
and policy_url have the same host as the hosts defined in the array of
redirect_uris.
[issue #488]
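The host check proposed in the security-considerations comment above, as an added worked example that is not part of the original post and not the OpenID Foundation's own code. It compares the host of each client-supplied display URL (logo_url, policy_url) against the hosts of the registered redirect_uris, using hostname parsing rather than string prefix matching so that userinfo tricks (https://client.example@evil.example/), port and case differences, and non-http schemes are handled. The registration requests are constructed sample data; the function names are assumptions of this example.

```python
from urllib.parse import urlsplit


def host_of(url):
    """Return the lowercased hostname of an http(s) URL, or None.

    urlsplit().hostname already strips userinfo and the port and lowercases
    the result, so 'https://client.example@evil.example/' yields 'evil.example'.
    Anything that is not plain http/https (javascript:, data:, scheme-relative
    '//host/path') is rejected outright.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname


def mismatched_display_urls(registration):
    """Return the names of display URL parameters whose host is not one of
    the redirect_uris hosts (or that do not parse as an http(s) URL).

    An empty list means the registration passes the check. Parameters that are
    absent from the request are skipped; the check only covers what the client
    actually supplied.
    """
    redirect_hosts = {host_of(u) for u in registration.get("redirect_uris", [])}
    redirect_hosts.discard(None)

    problems = []
    for param in ("logo_url", "policy_url"):
        url = registration.get(param)
        if url is None:
            continue
        host = host_of(url)
        if host is None or host not in redirect_hosts:
            problems.append(param)
    return problems


# Constructed sample registration requests (not from the spec or the thread).
HONEST_CLIENT = {
    "redirect_uris": ["https://client.example/cb", "https://Client.Example:8443/cb2"],
    "logo_url": "https://client.example/static/logo.png",
    "policy_url": "https://CLIENT.EXAMPLE/policy",
}

ROGUE_CLIENT = {
    "redirect_uris": ["https://client.example/cb"],
    "logo_url": "https://client.example/logo.png",
    # policy link points at a third-party host the user would be sent to
    "policy_url": "https://evil.example/drive-by",
}

USERINFO_TRICK = {
    "redirect_uris": ["https://client.example/cb"],
    # naive startswith("https://client.example") would accept this
    "policy_url": "https://client.example@evil.example/policy",
}

BAD_SCHEME = {
    "redirect_uris": ["https://client.example/cb"],
    "logo_url": "javascript:alert(1)",
    "policy_url": "//evil.example/policy",
}


if __name__ == "__main__":
    for name, req in [("honest", HONEST_CLIENT), ("rogue", ROGUE_CLIENT),
                      ("userinfo", USERINFO_TRICK), ("scheme", BAD_SCHEME)]:
        print(name, mismatched_display_urls(req) or "ok")
```

Same-host matching is a coarse filter: it stops a rogue registration from pointing the user at an arbitrary third-party site, but it does not make a same-host policy_url safe, so an OP that accepts open registration would still want to treat these URLs as untrusted when rendering them.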