[Openid-specs-ab] Two questions about client_secret in Registration
Mike Jones
Michael.Jones at microsoft.com
Wed Feb 6 07:12:28 UTC 2013
FYI, in responding to Brian's comments in https://bitbucket.org/openid/connect/issue/727/registration-brian-campbells-review, based upon his comments, I deleted the invalid_client_secret error response.
-- Mike
From: Mike Jones
Sent: Tuesday, February 05, 2013 7:43 PM
To: openid-specs-ab at lists.openid.net
Subject: Two questions about client_secret in Registration
1. We currently have this error at http://openid.bitbucket.org/openid-connect-registration-1_0.html#ErrorResponse:
invalid_client_secret
client_secret provided for accessing the registered client is not valid for the provided client_id.
I think this should be deleted, since we're using an access token to authenticate to the registration endpoint - not a client_secret value. Vladimir pointed out the same thing in a comment on https://bitbucket.org/openid/connect/issue/727/registration-brian-campbells-review.
2. The Client Update Response at http://openid.bitbucket.org/openid-connect-registration-1_0.html#ClientUpdateResponse currently says:
The Authorization Server MUST NOT include the Client Secret or Request Access Token in this response.
I'm not sure why it's forbidden to return the client_secret value upon an update. Is the assumption that the registration server may not change the secret? What if the registration server decides that the updated parameters warrant a different secret? I think we should remove this restriction and instead say that clients should be prepared to receive and use an updated client_secret, if sent.
-- Mike
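The client-side behaviour the two points above add up to, as an added example that is not part of the thread or of the Registration spec: the update request is authenticated with the Registration Access Token as a bearer token (no client_secret is sent), and the client adopts a new client_secret if the update response carries one, keeping the old one otherwise. The `ClientRegistration` class, function names, endpoint URL and token values are assumptions constructed for the example.

```python
"""Client-side handling of a Client Update Request/Response as proposed in
the thread. Added example, not code from the spec or the mailing list.
Assumptions: the stored registration is a small dataclass, the update is
authenticated with the Registration Access Token (never the client_secret),
and all URLs and token values are constructed placeholders."""
import json
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ClientRegistration:
    client_id: str
    client_secret: Optional[str]
    registration_access_token: str
    registration_client_uri: str
    metadata: dict = field(default_factory=dict)


def build_update_request(reg: ClientRegistration, new_metadata: dict):
    """Return (headers, body) for a client update request.

    Authentication to the registration endpoint is the Registration Access
    Token as a bearer token, which is why an invalid_client_secret error has
    no place in this exchange; the client_secret itself is never sent.
    """
    headers = {
        "Authorization": f"Bearer {reg.registration_access_token}",
        "Content-Type": "application/json",
    }
    body = dict(new_metadata)
    body["client_id"] = reg.client_id
    body.pop("client_secret", None)  # never echo the secret in the request
    return headers, json.dumps(body)


def apply_update_response(reg: ClientRegistration, response_json: str) -> bool:
    """Apply a Client Update Response to the stored registration.

    Returns True if the server rotated the client_secret. If no client_secret
    is present the existing one is kept, so a client written this way works
    both with servers that rotate secrets on update and with those that do not.
    """
    resp = json.loads(response_json)
    if "error" in resp:
        raise ValueError(f"registration error: {resp['error']}")
    if resp.get("client_id") != reg.client_id:
        raise ValueError("client_id in update response does not match")

    rotated = False
    new_secret = resp.get("client_secret")
    if new_secret is not None:
        rotated = new_secret != reg.client_secret
        reg.client_secret = new_secret

    # The registration access token is not returned in the update response
    # (per the spec text quoted above), so the stored one stays in use.
    # Everything else is the server's view of the current metadata.
    reg.metadata = {
        k: v for k, v in resp.items() if k not in ("client_id", "client_secret")
    }
    return rotated


if __name__ == "__main__":
    reg = ClientRegistration(
        client_id="s6BhdRkqt3",                      # constructed
        client_secret="old-secret",                  # constructed
        registration_access_token="reg-token-abc",   # constructed
        registration_client_uri="https://op.example.com/register/s6BhdRkqt3",
    )
    hdrs, body = build_update_request(reg, {"client_name": "Example App"})
    print(hdrs["Authorization"], body)
    # Constructed response in which the server chose to issue a new secret.
    resp = '{"client_id":"s6BhdRkqt3","client_secret":"new-secret","client_name":"Example App"}'
    print("rotated:", apply_update_response(reg, resp), reg.client_secret)
```

Run the file directly to see the request headers and the secret rotation; `apply_update_response` raises on an `error` response or a mismatched `client_id` rather than silently updating stored credentials.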