[Openid-specs-ab] Does Connect support public clients?
ve7jtb at ve7jtb.com
Mon Feb 20 19:53:35 UTC 2012
All clients must register their redirect_url and get a client_id.
They are not required to use the client secret if they are public clients.
We talked about allowing a client_id of "public" and not requiring pre-registered redirect_uri, but the feedback was that IdPs were uncomfortable giving access tokens to unknown clients.
OAuth recommends against public clients with unregistered redirect_uri.
In an effort to have some balance we do have dynamic registration for clients.
If a user wants to revoke a client, not having all of them with the same client_id is probably an advantage.
If it is something you think you need I am open to discussing it.
On 2012-02-20, at 3:58 PM, Torsten Lodderstedt wrote:
> Hi all,
> I'm unable to find out whether OpenID Connect supports public clients. It seems Connect assumes all clients register with the OP and obtain a client credential. If this observation is correct, what is the reason for being more restrictive than OAuth?
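An added example, not part of the original message or of any specification text: a minimal OP-side check for the rule described in the reply above, where every client has a registered client_id and redirect_uri and only confidential clients present a secret. The registry contents and function names are hypothetical.

```python
import hmac

# Constructed registry; client ids, URIs and the secret are placeholders.
REGISTRY = {
    # Public client: registered, but holds no secret.
    "native-app-1": {"redirect_uris": {"com.example.app:/cb"}, "secret": None},
    # Confidential client: registered and holds a secret.
    "web-app-1": {"redirect_uris": {"https://rp.example/cb"},
                  "secret": "placeholder-secret"},
}


def check_authorization_request(client_id, redirect_uri):
    """Return (ok, reason). Public and confidential clients alike must be registered."""
    client = REGISTRY.get(client_id)
    if client is None:
        return False, "unknown client_id"
    # Exact string comparison: no prefix, wildcard or substring matching.
    if redirect_uri not in client["redirect_uris"]:
        return False, "redirect_uri not registered"
    return True, "ok"


def check_token_request(client_id, redirect_uri, client_secret=None):
    """Return (ok, reason). The secret is required only for confidential clients."""
    ok, reason = check_authorization_request(client_id, redirect_uri)
    if not ok:
        return False, reason
    expected = REGISTRY[client_id]["secret"]
    if expected is None:
        # Public client: identification rests on client_id plus registered redirect_uri.
        return True, "ok (public client)"
    if client_secret is None or not hmac.compare_digest(
            expected.encode(), client_secret.encode()):
        return False, "client authentication failed"
    return True, "ok (confidential client)"


if __name__ == "__main__":
    print(check_token_request("native-app-1", "com.example.app:/cb"))
    print(check_token_request("web-app-1", "https://rp.example/cb"))
    print(check_authorization_request("public", "https://anything.example/cb"))
```

Because each installation or application has its own client_id, removing one registry entry revokes that client without affecting the others.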