[Openid-specs-ab] Issue #863: Stateless Registration Discovery/Messages (openid/connect)

John Bradley issues-reply at bitbucket.org
Thu Jul 25 13:41:14 UTC 2013

New issue 863: Stateless Registration Discovery/Messages

John Bradley:

OpenID Connect currently requires registration for clients.

Clients using a self-issued IdP may register as part of the authorization request, by sending the "registration" parameter containing a JSON object, and using their redirect_uri as the client_id.

There is a desire by some IdPs to allow clients that are not pre-registered to access a minimal set of claims for a user. This could be done with the existing method by using the existing "registration" parameter to signal that the client has not pre-registered.

Almost everything needed for this is in the current spec.
The needed additions would be an indication in Discovery that the Authorization Server supports this, and something in Messages saying that if the client is not pre-registered it MUST send the "registration" parameter with at least {} as the contents if no other parameters are needed.

The AS would formulate a normal response, verifying that the client_id and the redirect_uri match as is specified for the self-issued AS, then issue a normal code or implicit response.

This would allow an IdP to return the "sub" claim to a client for SSO only, without any real security concerns, as the Audience prevents replaying across clients, and the nonce, if used (I think it should be recommended), prevents replay across browsers.
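The AS-side checks sketched in the issue, as an added example that is not part of the original post or of any OpenID Connect implementation: an unregistered client must send "registration" (at least {}) and use its redirect_uri as client_id; the returned claims are limited to "sub", bound to the client by "aud" and to the browser by "nonce". The issuer, the registered-client table and the discovery flag name are constructed assumptions.

```python
import json

# Constructed sample data for the example.
ISSUER = "https://as.example.com"
REGISTERED = {"preregistered-client-1": "https://rp1.example.com/cb"}
# Hypothetical discovery flag: the issue asks for one but does not name it.
STATELESS_REGISTRATION_SUPPORTED = True


class AuthzError(Exception):
    pass


def resolve_client(params):
    """Return (client_id, redirect_uri) for a pre-registered client, or for an
    unregistered client that sent the 'registration' parameter as the issue proposes."""
    client_id = params.get("client_id")
    redirect_uri = params.get("redirect_uri")
    if client_id in REGISTERED:
        # Normal pre-registered flow: redirect_uri must be the registered one.
        if REGISTERED[client_id] != redirect_uri:
            raise AuthzError("redirect_uri does not match registration")
        return client_id, redirect_uri
    if not STATELESS_REGISTRATION_SUPPORTED:
        raise AuthzError("unknown client_id and stateless registration not supported")
    if "registration" not in params:
        raise AuthzError("unregistered client MUST send 'registration' (at least {})")
    try:
        reg = json.loads(params["registration"])
    except ValueError:
        raise AuthzError("registration is not valid JSON")
    if not isinstance(reg, dict):
        raise AuthzError("registration must be a JSON object")
    # Self-issued rule reused here: the client_id IS the redirect_uri.
    if not client_id or client_id != redirect_uri:
        raise AuthzError("client_id must equal redirect_uri for unregistered clients")
    return client_id, redirect_uri


def id_token_claims(params, user_sub):
    """Minimal claim set for an SSO-only client: 'sub' plus the replay protections."""
    client_id, _ = resolve_client(params)
    claims = {"iss": ISSUER, "sub": user_sub, "aud": client_id}
    if "nonce" in params:
        claims["nonce"] = params["nonce"]
    return claims


def client_accepts(claims, own_client_id, expected_nonce):
    """Relying-party side: reject tokens replayed from another client or browser."""
    return claims.get("aud") == own_client_id and claims.get("nonce") == expected_nonce
```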
