[Openid-specs-ab] Does Connect support public clients?

John Bradley ve7jtb at ve7jtb.com
Mon Feb 20 19:53:35 UTC 2012


All clients must register there redirect_url and get a client_id.

They are not required to use the client secret if they are public clients.

We talked about allowing a client_id of  "public" and not requiring pre-registerd redirect_uri, but the feedback was that IdP were uncomfortable giving access tokens to unknown clients.

OAuth recommends against public clients with unregistered redirect_uri.    

In a effort to have some balance we do have dynamic registration for clients.

If a user wants to revoke a client not having all of them with the same client_id is probably an advantage.

If it is something you think you need I am open to discussing it.

John B.
On 2012-02-20, at 3:58 PM, Torsten Lodderstedt wrote:

> Hi all,
> 
> I'm unable to find out whether OpenID Connect supports public clients. It seems Connect assumes all clients register with the OP and obtain a client credential. If this observation is correct, what is the reason for being more restrictive than OAuth?
> 
> regards,
> Torsten.
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4767 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20120220/8f066b52/attachment.p7s>


More information about the Openid-specs-ab mailing list