[Openid-specs-ab] Review Comments on Dyn Reg
torsten at lodderstedt.net
Thu Nov 7 02:11:56 UTC 2013
here are the comments on Dyn Reg.
grant_types - there is no grant type "implicit". I therefore suggest to
remove this bullet and all occurrences of "implicit" in the following
table of response type/grant type combinations.
I would an "implicit" client expect just to register the response types
token or id_token (and the respective combinations).
jwks_uri - How is this scheme supposed to work for native clients? I
assume any instance of such an application would use a distinct key
pair, which is stored locally. Is the client supposed to provide a web
server interface? I would rather expect this kind of client to provide
the public key data directly.
client_secret - "This MUST be unique for each client_id." - why must the
client secret be _unique_? This seems to be a rather hard requirement.
I would call section "implementation notes" and move it to the end of
the doc (or merge it into section 9). Right now it suddenly turns up
during registration and management, which might confuse people and
induce them to think it is normative.
"When stateless dynamic client registration is used by the Authorization
Server, read operations are likely to not be possible." Why?
"to be able to view and update its registered information" - I only see
a specification of the read operation. Where is the update? As the next
states "The only method defined for use at this endpoint by this
specification is the HTTP GET method" I think the update should be
What is the value of a read only management endpoint?
I would not return client_secret since this is the credential.
I would not return the registration_uri as the client already knows it.
It just sent a request to it.
More information about the Openid-specs-ab