[Openid-specs-ab] Issue #1168: Federation: How should an OP signal to the RP that its registration has expired? (openid/connect)
Vladimir Dzhuvinov
issues-reply at bitbucket.org
Thu May 28 09:32:58 UTC 2020
New issue 1168: Federation: How should an OP signal to the RP that its registration has expired?
https://bitbucket.org/openid/connect/issues/1168/federation-how-should-an-op-signal-to-the
Vladimir Dzhuvinov:
In [https://openid.net/specs/openid-connect-federation-1_0.html#rfc.section.9.2.3.2](https://openid.net/specs/openid-connect-federation-1_0.html#rfc.section.9.2.3.2) we have:
> If the signature on the registration request has expired it MUST mark the registration as invalid and demand that the RP MUST re-register
The spec currently has a gap about how the OP is to signal to the RP the fact that its registration has expired (assuming that was the intent of "demand").
If we assume standard RFC 6749 behaviour this would mean the `client_id` is no longer valid. But with an invalid `client_id` the OP / AS is not allowed to redirect back to the RP.
[https://tools.ietf.org/html/rfc6749#section-4.1.2.1](https://tools.ietf.org/html/rfc6749#section-4.1.2.1)
One possible solution is to define a special error code and let the redirection proceed. The significant downside of that is the OP will need to store expired registrations, potentially indefinitely.
Perhaps the simple solution is to not have any explicit signalling from OP to RP at all, but let the RP figure out the time when its registration is going to expire. This will simplify the implementation of the OP.
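The RP-side variant suggested above, as an added worked example (not code from the issue author, the spec, or any implementation): the RP keeps the signed registration request it submitted, reads the JWT `exp` claim (RFC 7519) from it, and decides before each authorization request whether it must re-register, re-registering a little early so it never sends a redirect-based request with a `client_id` the OP has already discarded. The HMAC-signed compact JWT built here is a constructed stand-in; a real federation registration request is signed with the RP's asymmetric entity key, and the 60-second margin is an assumed operational choice.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key for a self-contained example; a real registration request
# is signed with the RP's asymmetric entity key, not an HMAC secret.
DEMO_KEY = b"constructed-demo-key-not-for-production"
# Assumed safety margin: the RP re-registers this many seconds before exp so the
# OP never sees an authorization request from an already-expired registration.
DEFAULT_SKEW_SECONDS = 60


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_registration_jwt(client_id: str, iat: int, lifetime: int) -> str:
    """Constructed stand-in for the signed registration request: a compact JWT
    whose payload carries the RFC 7519 iat and exp claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": client_id, "sub": client_id, "iat": iat, "exp": iat + lifetime}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(DEMO_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def registration_expiry(token: str) -> int:
    """Return the exp claim of the RP's own stored registration request,
    after checking that the stored token has not been corrupted."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(DEMO_KEY, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("stored registration request has a bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if "exp" not in payload:
        raise ValueError("registration request carries no exp claim")
    return int(payload["exp"])


def registration_status(token: str, now: int, skew: int = DEFAULT_SKEW_SECONDS) -> str:
    """Classify the registration relative to `now`:
    'valid'    -> safe to send an authorization request
    'expiring' -> within `skew` seconds of exp; re-register before the next request
    'expired'  -> exp has passed; the client_id is gone, re-register before redirecting
    """
    exp = registration_expiry(token)
    if now >= exp:
        return "expired"
    if now >= exp - skew:
        return "expiring"
    return "valid"


def needs_reregistration(token: str, now: Optional[int] = None,
                         skew: int = DEFAULT_SKEW_SECONDS) -> bool:
    """Gate to run before building an authorization request."""
    if now is None:
        now = int(time.time())
    return registration_status(token, now, skew) != "valid"


if __name__ == "__main__":
    # Constructed timestamps: registration issued at 1590000000 with a 1-hour lifetime.
    tok = build_registration_jwt("https://rp.example.com", iat=1_590_000_000, lifetime=3600)
    for t in (1_590_000_000, 1_590_003_550, 1_590_003_600):
        print(t, registration_status(tok, t))
```

Because the check happens entirely on the RP side, the OP can drop expired registrations immediately and needs neither a special error code nor a redirect to an invalid `client_id`; the cost is that the RP must persist its own registration request (or at least its `exp`) rather than only the `client_id` the OP returned.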