[Openid-specs-ab] Review Comments on Dyn Reg
Torsten Lodderstedt
torsten at lodderstedt.net
Thu Nov 7 16:03:55 UTC 2013
Hi,
>>> client_secret - "This MUST be unique for each client_id." - why must
>>> the
>>> client secret be _unique_? This seems to be a rather hard
>>> requirement.
>>
>> +1 on that
>
> If you're handing out client secrets that aren't uniquely tied to
> client_ids, then you're going to end up with problems as some of your
> dynamically registered clients are going to be able to more easily
> impersonate each other. Normally this is a sufficiently random blob,
> but it can be a signed blob or something else of that nature, too. You
> can of course use credentials other than a client secret.
Client secrets must indeed be tied to client_ids. But as I read the
text, it requires the OP to issue secrets which are unique over _all_
client secrets. This is more challenging than "sufficiently random" as
it prohibits any duplicates/collisions.
regards,
Torsten.
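The two readings discussed above, as an added example that is not part of the thread or of any OpenID implementation: a toy OP client registry (hypothetical `ClientRegistry`) that binds each client_secret to one client_id and verifies the pair, with an optional strict mode that additionally rejects any secret equal to one issued before.

```python
import hashlib
import hmac
import secrets

# Added example (not from the thread). Models an OP registry in which each
# client_secret is tied to exactly one client_id. Authentication checks the
# (client_id, secret) pair, so secrets must be unpredictable and per-client;
# global uniqueness across all clients is a separate, stricter requirement.

class ClientRegistry:
    def __init__(self, secret_bytes: int = 32, require_global_uniqueness: bool = False):
        self._secret_bytes = secret_bytes
        self._require_global_uniqueness = require_global_uniqueness
        self._clients = {}           # client_id -> SHA-256 of its client_secret
        self._issued_hashes = set()  # every secret hash ever issued (strict mode)

    @staticmethod
    def _digest(secret: str) -> bytes:
        # Store only a hash so a leaked registry does not expose raw secrets.
        return hashlib.sha256(secret.encode()).digest()

    def register(self) -> tuple:
        """Dynamic registration: mint a fresh client_id and its own client_secret."""
        client_id = "client-" + secrets.token_hex(8)
        while True:
            client_secret = secrets.token_urlsafe(self._secret_bytes)
            digest = self._digest(client_secret)
            # Strict reading of "MUST be unique": refuse a duplicate of any earlier
            # secret. With 256-bit random secrets this loop practically never
            # repeats; the check exists only to make the uniqueness guarantee explicit.
            if not (self._require_global_uniqueness and digest in self._issued_hashes):
                break
        self._clients[client_id] = digest
        self._issued_hashes.add(digest)
        return client_id, client_secret

    def authenticate(self, client_id: str, client_secret: str) -> bool:
        """Accept only the secret issued to this client_id, compared in constant time."""
        stored = self._clients.get(client_id)
        if stored is None:
            return False
        return hmac.compare_digest(stored, self._digest(client_secret))
```

Because verification is keyed by client_id, a secret accidentally equal to another client's would still not let either client authenticate as the other; the strict mode only matters if the spec text is read as requiring no collisions at all.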