[Openid-specs-ab] Review Comments on Dyn Reg

Torsten Lodderstedt torsten at lodderstedt.net
Thu Nov 7 02:11:56 UTC 2013


Hi Mike,

here are the comments on Dyn Reg.

2.

grant_types - there is no grant type "implicit". I therefore suggest 
removing this bullet and all occurrences of "implicit" in the following 
table of response type/grant type combinations.

I would expect an "implicit" client just to register the response types 
token or id_token (and the respective combinations).

jwks_uri - How is this scheme supposed to work for native clients? I 
assume any instance of such an application would use a distinct key 
pair, which is stored locally. Is the client supposed to provide a web 
server interface? I would rather expect this kind of client to provide 
the public key data directly.

3.2

client_secret - "This MUST be unique for each client_id." - why must the 
client secret be _unique_? This seems to be a rather hard requirement.

4.

I would call this section "implementation notes" and move it to the end of 
the doc (or merge it into section 9). Right now it suddenly turns up 
during registration and management, which might confuse people and 
induce them to think it is normative.

"When stateless dynamic client registration is used by the Authorization 
Server, read operations are likely to not be possible." Why?

5.

"to be able to view and update its registered information" - I only see 
a specification of the read operation. Where is the update? As the next 
states "The only method defined for use at this endpoint by this 
specification is the HTTP GET method" I think the update should be 
removed.

What is the value of a read only management endpoint?

I would not return client_secret since this is the credential.
I would not return the registration_uri as the client already knows it. 
It just sent a request to it.
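The grant_types comment above concerns the consistency between a registration request's response_types and its grant_types. The following check is an added example, not code from the mailing-list post or from the specification draft it reviews. The mapping table it uses is my reading of the published OpenID Connect Dynamic Client Registration table (plus the plain "token" value from RFC 7591); that the draft under review contains the same table is an assumption. The `implicit_is_grant_type` switch reproduces both readings: the draft's table (where "implicit" is a grant type) and the post's proposal (where an implicit-style client registers only token/id_token response types and no "implicit" grant type).

```python
"""Consistency check between response_types and grant_types in a
Dynamic Client Registration request (added example; assumptions noted inline)."""
from __future__ import annotations

import json

# Which grant_types each response_type requires. Taken from the published
# spec table as I know it; assumed to match the draft discussed in the post.
# A response_type value is a space-separated, order-insensitive set, so the
# key is a frozenset.
RESPONSE_TYPE_TO_GRANT_TYPES: dict[frozenset[str], frozenset[str]] = {
    frozenset({"code"}): frozenset({"authorization_code"}),
    frozenset({"id_token"}): frozenset({"implicit"}),
    frozenset({"token"}): frozenset({"implicit"}),  # RFC 7591 value
    frozenset({"id_token", "token"}): frozenset({"implicit"}),
    frozenset({"code", "id_token"}): frozenset({"authorization_code", "implicit"}),
    frozenset({"code", "token"}): frozenset({"authorization_code", "implicit"}),
    frozenset({"code", "id_token", "token"}): frozenset({"authorization_code", "implicit"}),
}

# Defaults the spec applies when the parameters are omitted.
DEFAULT_RESPONSE_TYPES = ["code"]
DEFAULT_GRANT_TYPES = ["authorization_code"]


def check_registration(metadata: dict, implicit_is_grant_type: bool = True) -> list[str]:
    """Return a list of problems found in the client metadata (empty if consistent).

    With implicit_is_grant_type=False the "implicit" requirement is dropped,
    which models the post's proposal that an implicit-style client registers
    only its response types and no "implicit" grant type.
    """
    problems: list[str] = []
    response_types = metadata.get("response_types", DEFAULT_RESPONSE_TYPES)
    grant_types = set(metadata.get("grant_types", DEFAULT_GRANT_TYPES))

    for rt in response_types:
        required = RESPONSE_TYPE_TO_GRANT_TYPES.get(frozenset(rt.split()))
        if required is None:
            problems.append(f"unknown response_type {rt!r}")
            continue
        if not implicit_is_grant_type:
            required = required - {"implicit"}
        missing = sorted(required - grant_types)
        if missing:
            problems.append(f"response_type {rt!r} needs grant_types {missing}")
    return problems


def check_registration_json(body: str, implicit_is_grant_type: bool = True) -> list[str]:
    """Same check on a raw JSON registration request body."""
    return check_registration(json.loads(body), implicit_is_grant_type)


if __name__ == "__main__":
    # Constructed sample request for an implicit-style client that registers
    # only its response types, as the post suggests.
    sample = json.dumps({
        "client_name": "example native client",
        "redirect_uris": ["myapp://callback"],
        "response_types": ["token id_token"],
    })
    print("draft table:", check_registration_json(sample))
    print("post's proposal:", check_registration_json(sample, implicit_is_grant_type=False))
```

Under the draft's table the sample is rejected because "implicit" is not among the (defaulted) grant_types; under the post's reading it passes, since the response types alone identify the client as implicit-style.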
