[Openid-specs-ab] Two questions about client_secret in Registration
Vladimir Dzhuvinov / NimbusDS
vladimir at nimbusds.com
Wed Feb 6 11:26:09 UTC 2013
I agree on both counts.
--
Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
-------- Original Message --------
Subject: [Openid-specs-ab] Two questions about client_secret in Registration
From: Mike Jones <Michael.Jones at microsoft.com>
Date: Wed, February 06, 2013 3:42 am
To: "openid-specs-ab at lists.openid.net" <openid-specs-ab at lists.openid.net>
1. We currently have this error at
http://openid.bitbucket.org/openid-connect-registration-1_0.html#ErrorResponse:
invalid_client_secret
client_secret provided for accessing the registered client is not valid
for the provided client_id.
I think this should be deleted, since we’re using an access token to
authenticate to the registration endpoint – not a client_secret value.
Vladimir pointed out the same thing in a comment on
https://bitbucket.org/openid/connect/issue/727/registration-brian-campbells-review.
2. The Client Update Response at
http://openid.bitbucket.org/openid-connect-registration-1_0.html#ClientUpdateResponse
currently says:
The Authorization Server MUST NOT include the Client Secret or Request
Access Token in this response.
I’m not sure why it’s forbidden to return the client_secret value
upon an update. Is the assumption that the registration server may not
change the secret? What if the registration server decides that the
updated parameters warrant a different secret? I think we should remove
this restriction and instead say that clients should be prepared to
receive and use an updated client_secret, if sent.
-- Mike
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab
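The two points in the thread, as an added example that is not part of the thread and is not code from the OpenID Connect specifications or any implementation: a toy registration server whose client configuration endpoint authenticates the caller with the registration access token (Bearer, per RFC 6750) and never consults a client_secret, so there is nothing for an invalid_client_secret error to report; and a toy client that is prepared to receive a rotated client_secret in an update response and keeps its old one when none is sent. The client ids, secrets, tokens, redirect URIs and the "rotate when redirect_uris changes" policy are all constructed assumptions for the example.

```python
# Added example, not from the thread or the OpenID Connect specs.
# All identifiers, secrets and the rotation policy are constructed.
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class ClientRecord:
    """What the toy registration server stores per registered client."""
    client_id: str
    client_secret: str
    registration_access_token: str
    metadata: dict


class RegistrationServer:
    """Toy registration endpoint plus client configuration (update) endpoint."""

    def __init__(self):
        self.clients: dict[str, ClientRecord] = {}

    def register(self, metadata: dict) -> dict:
        rec = ClientRecord(
            client_id="client_" + secrets.token_urlsafe(6),
            client_secret=secrets.token_urlsafe(32),
            registration_access_token=secrets.token_urlsafe(32),
            metadata=dict(metadata),
        )
        self.clients[rec.client_id] = rec
        # The initial registration response carries secret and access token.
        return {"client_id": rec.client_id, "client_secret": rec.client_secret,
                "registration_access_token": rec.registration_access_token,
                **rec.metadata}

    def update(self, client_id: str, headers: dict, body: dict) -> tuple[int, dict]:
        rec = self.clients.get(client_id)
        # Point 1: the caller is authenticated by the registration access token
        # sent as a Bearer token (RFC 6750).  A client_secret in the body is
        # never looked at, so an "invalid_client_secret" error cannot arise.
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if (rec is None or scheme != "Bearer" or not hmac.compare_digest(
                token.encode(), rec.registration_access_token.encode())):
            return 401, {"error": "invalid_token"}
        # Assumed policy for the example: a change of redirect_uris warrants
        # a fresh secret.  Real servers choose their own policy.
        rotate = body.get("redirect_uris") != rec.metadata.get("redirect_uris")
        rec.metadata = {k: v for k, v in body.items() if k != "client_secret"}
        response = {"client_id": rec.client_id, **rec.metadata}
        if rotate:
            rec.client_secret = secrets.token_urlsafe(32)
            response["client_secret"] = rec.client_secret  # Point 2: new secret, if any
        # The registration access token is not echoed back in an update response.
        return 200, response


@dataclass
class RelyingParty:
    """Toy client that applies a rotated client_secret when one is sent."""
    client_id: str
    client_secret: str
    registration_access_token: str
    metadata: dict = field(default_factory=dict)

    @classmethod
    def from_registration(cls, resp: dict) -> "RelyingParty":
        std = {"client_id", "client_secret", "registration_access_token"}
        return cls(resp["client_id"], resp["client_secret"],
                   resp["registration_access_token"],
                   {k: v for k, v in resp.items() if k not in std})

    def update_registration(self, server: RegistrationServer, new_metadata: dict):
        headers = {"Authorization": f"Bearer {self.registration_access_token}"}
        status, body = server.update(self.client_id, headers, new_metadata)
        if status == 200:
            self.metadata = {k: v for k, v in body.items()
                             if k not in {"client_id", "client_secret"}}
            if "client_secret" in body:   # Point 2: adopt the updated secret
                self.client_secret = body["client_secret"]
        return status, body


def demo() -> dict:
    """Run the exchange and return what each step observed (constructed data)."""
    server = RegistrationServer()
    rp = RelyingParty.from_registration(server.register(
        {"redirect_uris": ["https://rp.example/cb"], "client_name": "Example RP"}))
    first = rp.client_secret
    # Update that keeps redirect_uris: no new secret is issued, old one kept.
    s1, b1 = rp.update_registration(server, {**rp.metadata, "client_name": "Example RP v2"})
    kept = rp.client_secret
    # Update that changes redirect_uris: server rotates, client adopts the new secret.
    s2, b2 = rp.update_registration(server, {**rp.metadata,
                                             "redirect_uris": ["https://rp.example/cb2"]})
    # Presenting client_secret in the body instead of the bearer token does not authenticate.
    s3, b3 = server.update(rp.client_id, {}, {**rp.metadata, "client_secret": rp.client_secret})
    s4, _ = server.update(rp.client_id, {"Authorization": "Bearer wrong"}, rp.metadata)
    return {"first_secret": first, "unchanged_status": s1,
            "secret_in_unchanged_response": "client_secret" in b1,
            "secret_after_unchanged": kept, "rotated_status": s2,
            "secret_in_rotated_response": "client_secret" in b2,
            "token_echoed": "registration_access_token" in b2,
            "secret_after_rotation": rp.client_secret,
            "server_secret": server.clients[rp.client_id].client_secret,
            "secret_only_status": s3, "secret_only_error": b3.get("error"),
            "bad_bearer_status": s4}


if __name__ == "__main__":
    print(demo())
```

The server returns 401 with the RFC 6750 `invalid_token` error for a missing, malformed or wrong bearer token whether or not the body carries a client_secret, which is the behaviour that makes the `invalid_client_secret` error redundant; the client side shows the "be prepared for an updated client_secret, if sent" rule as a single conditional on the update response.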