[Openid-specs-ab] Review Comments on Dyn Reg

Torsten Lodderstedt torsten at lodderstedt.net
Thu Nov 7 16:03:55 UTC 2013


>>> client_secret - "This MUST be unique for each client_id." - why must
>>> the client secret be _unique_? This seems to be a rather hard
>>> requirement.
>> +1 on that
> If you're handing out client secrets that aren't uniquely tied to
> client_ids, then you're going to end up with problems as some of your
> dynamically registered clients are going to be able to more easily
> impersonate each other. Normally this is a sufficiently random blob,
> but it can be a signed blob or something else of that nature, too. You
> can of course use credentials other than a client secret.

Client secrets must indeed be tied to client_ids. But as I read the 
text it requires the OP to issue secrets, which are unique over _all_ 
client secrets. This is more challenging than "sufficiently random" as 
it prohibits any duplicates/collisions.
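The two issuance models the thread touches on (a "sufficiently random blob" stored against its client_id, and a "signed blob" derived from the client_id) side by side, as an added example that is not code from the thread or from the OpenID Connect specs. The class names, the 256-bit secret size, and the use of SHA-256 for storage and HMAC-SHA256 for derivation are assumptions made for the illustration. The point it shows is that authentication binds the presented secret to the client_id it was issued for in both models, so two clients cannot impersonate each other even though neither model enforces that secrets are unique across all clients:

```python
"""Two ways a dynamic-registration server can issue client secrets that are
tied to a client_id (constructed example, not code from the OpenID specs)."""
import hashlib
import hmac
import secrets

SECRET_BYTES = 32  # 256 bits of entropy per secret (assumed size)


class RandomSecretRegistry:
    """Issue a fresh CSPRNG secret per registration and store only its hash,
    keyed by client_id, so authentication always checks the (id, secret) pair."""

    def __init__(self):
        self._store = {}  # client_id -> hex SHA-256 of the secret

    def register(self):
        client_id = secrets.token_urlsafe(16)
        client_secret = secrets.token_urlsafe(SECRET_BYTES)
        # A plain SHA-256 is adequate here because the secret is a full-entropy
        # random string, not a human-chosen password.
        self._store[client_id] = hashlib.sha256(client_secret.encode()).hexdigest()
        return client_id, client_secret

    def authenticate(self, client_id, client_secret):
        expected = self._store.get(client_id)
        if expected is None:
            return False
        presented = hashlib.sha256(client_secret.encode()).hexdigest()
        # Constant-time comparison; the lookup by client_id is what binds the
        # secret to one client, not any global-uniqueness property of the bytes.
        return hmac.compare_digest(expected, presented)


class DerivedSecretRegistry:
    """Stateless variant: secret = HMAC(server_key, client_id). Each client_id
    maps to its own secret without keeping a table, but a leak of server_key
    exposes every client's secret at once."""

    def __init__(self, server_key=None):
        self._key = server_key or secrets.token_bytes(SECRET_BYTES)

    def _derive(self, client_id):
        return hmac.new(self._key, client_id.encode(), hashlib.sha256).hexdigest()

    def register(self, client_id=None):
        client_id = client_id or secrets.token_urlsafe(16)
        return client_id, self._derive(client_id)

    def authenticate(self, client_id, client_secret):
        # Recompute rather than look up; still compared in constant time.
        return hmac.compare_digest(self._derive(client_id), client_secret)


def demo():
    """Register two clients in each model and check own/swapped credentials."""
    results = {}
    rnd = RandomSecretRegistry()
    a_id, a_secret = rnd.register()
    b_id, b_secret = rnd.register()
    results["random_own"] = rnd.authenticate(a_id, a_secret) and rnd.authenticate(b_id, b_secret)
    results["random_swapped"] = rnd.authenticate(a_id, b_secret) or rnd.authenticate(b_id, a_secret)
    results["random_unknown_id"] = rnd.authenticate("nobody", a_secret)

    der = DerivedSecretRegistry()
    c_id, c_secret = der.register("client-c")  # constructed client_ids
    d_id, d_secret = der.register("client-d")
    results["derived_distinct"] = c_secret != d_secret
    results["derived_own"] = der.authenticate(c_id, c_secret) and der.authenticate(d_id, d_secret)
    results["derived_swapped"] = der.authenticate(c_id, d_secret)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With random secrets, duplicates across clients are not prevented, only made astronomically unlikely by the 256 bits of entropy; with derived secrets, distinct client_ids yield distinct secrets as long as HMAC-SHA256 does not collide, which is the same kind of probabilistic guarantee. Neither model needs the server to check new secrets against every secret it has ever issued.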

