[Openid-specs-ab] Two questions about client_secret in Registration
Justin Richer
jricher at mitre.org
Wed Feb 6 15:10:55 UTC 2013
I don't think #2 should go, nor do I think that the "rotate secret"
operation should go. I like having the authentication-based bits be
handled separately.
-- Justin
On 02/06/2013 08:37 AM, John Bradley wrote:
> They should both go.
>
> #2 was part of Yaron's fixes around not rotating the client secret
> unless the client specifically requests it to prevent lockout from the
> registration endpoint. That is not relevant any more.
> On 2013-02-05, at 8:42 PM, Mike Jones <Michael.Jones at microsoft.com
> <mailto:Michael.Jones at microsoft.com>> wrote:
>
>> 1. We currently have this error
>> at http://openid.bitbucket.org/openid-connect-registration-1_0.html#ErrorResponse:
>> invalid_client_secret
>> client_secret provided for accessing the registered client is not
>> valid for the provided client_id.
>> I think this should be deleted, since we're using an access token to
>> authenticate to the registration endpoint -- not a client_secret
>> value. Vladimir pointed out the same thing in a comment
>> on https://bitbucket.org/openid/connect/issue/727/registration-brian-campbells-review.
>> 2. The Client Update Response
>> at http://openid.bitbucket.org/openid-connect-registration-1_0.html#ClientUpdateResponse
>> currently says:
>>
>> The Authorization Server MUST NOT include the Client Secret or
>> Request Access Token in this response.
>>
>> I'm not sure why it's forbidden to return the client_secret value
>> upon an update. Is the assumption that the registration server may
>> not change the secret? What if the registration server decides that
>> the updated parameters warrant a different secret? I think we should
>> remove this restriction and instead say that clients should be
>> prepared to receive and use an updated client_secret, if sent.
>> -- Mike
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> <mailto:Openid-specs-ab at lists.openid.net>
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
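The client-side behaviour the thread is debating, as an added example that is not code from the list or from any OpenID implementation: the client authenticates its update request to the registration endpoint with a registration access token (Bearer), never with client_secret, and on the Client Update Response it adopts a new client_secret only if the server returns one, keeping the old one otherwise. The field name registration_access_token and the sample credential values are assumptions constructed for this example.

```python
import json

# Constructed sample: what a client might store after initial registration.
# Values are placeholders, not real credentials.
STORED_CLIENT = {
    "client_id": "s6BhdRkqt3",
    "client_secret": "old-secret-value",
    "registration_access_token": "reg-token-abc",  # assumed field name
}


def build_update_request(stored, new_metadata):
    """Prepare headers and JSON body for a client update.

    Authentication is the registration access token as a Bearer token.
    client_secret is never used, or sent, as a credential for this call.
    """
    headers = {
        "Authorization": "Bearer " + stored["registration_access_token"],
        "Content-Type": "application/json",
    }
    body = dict(new_metadata)
    body["client_id"] = stored["client_id"]
    # A stray secret in the metadata must not leak into the request body.
    body.pop("client_secret", None)
    return headers, json.dumps(body)


def apply_update_response(stored, response_text):
    """Merge a Client Update Response into the stored credentials.

    If the server chose to issue a new client_secret, adopt it; if the
    response omits it, the existing secret stays valid. A new
    registration access token, if returned, replaces the old one too.
    """
    resp = json.loads(response_text)
    if "error" in resp:
        raise ValueError("registration error: %s" % resp["error"])
    if resp.get("client_id") != stored["client_id"]:
        # Never overwrite credentials for a client we did not update.
        raise ValueError("client_id in response does not match stored client")
    updated = dict(stored)
    if "client_secret" in resp:
        updated["client_secret"] = resp["client_secret"]
    if "registration_access_token" in resp:
        updated["registration_access_token"] = resp["registration_access_token"]
    return updated


if __name__ == "__main__":
    headers, body = build_update_request(
        STORED_CLIENT, {"redirect_uris": ["https://client.example/cb"]})
    print(headers["Authorization"], body)
    # Constructed response in which the server rotated the secret.
    rotated = '{"client_id": "s6BhdRkqt3", "client_secret": "new-secret-value"}'
    print(apply_update_response(STORED_CLIENT, rotated)["client_secret"])
```

Keeping the old secret until the server explicitly returns a new one is what makes the update safe against lockout: the client is never left holding a credential the server has already discarded.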