[Openid-specs-ab] Review Comments on Dyn Reg

Richer, Justin P. jricher at mitre.org
Thu Nov 7 17:01:00 UTC 2013


On Nov 7, 2013, at 8:03 AM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:

> Hi,
> 
>>>> client_secret - "This MUST be unique for each client_id." - why must the
>>>> client secret be _unique_? This seems to be a rather hard requirement.
>>> +1 on that
>> If you're handing out client secrets that aren't uniquely tied to
>> client_ids, then you're going to end up with problems as some of your
>> dynamically registered clients are going to be able to more easily
>> impersonate each other. Normally this is a sufficiently random blob,
>> but it can be a signed blob or something else of that nature, too. You
>> can of course use credentials other than a client secret.
> 
> Client secrets must indeed be tied to client_ids. But as I read the text it requires the OP to issue secrets which are unique over _all_ client secrets. This is more challenging than "sufficiently random" as it prohibits any duplicates/collisions.

OK, I can buy that, though I think it's a bit of an arbitrary distinction. So if you've got a suggestion for more exact specification of this principle, please provide better text. (I'll make sure to copy it to the OAuth draft too.)

 -- Justin
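The two readings discussed in this thread ("tied to its client_id" versus "unique over all client secrets issued by the OP") can be shown side by side in a small OP-side registry. The code below is an added illustration, not text from the Dynamic Registration draft and not code from either poster; the class name ClientRegistry, the use of a UUID as client_id, the choice to store SHA-256 digests of secrets, and the secret_source hook (present only so a test can feed deterministic candidates) are all assumptions of this example. Registration draws a 256-bit random secret, rejects it if its digest collides with any secret already issued (the strict global-uniqueness reading), and authentication always looks the secret up through the client_id it was issued with, which is the binding Justin describes.

```python
import hashlib
import hmac
import secrets
import uuid
from typing import Callable, Dict, Optional, Set


class ClientRegistry:
    """Hypothetical OP-side registry for dynamically registered clients.

    Only a SHA-256 digest of each client_secret is stored, keyed by client_id,
    and a separate set of digests lets register() refuse a candidate secret that
    duplicates one already handed out (the "unique over all secrets" reading).
    """

    def __init__(self, secret_bytes: int = 32) -> None:
        self._secret_bytes = secret_bytes        # 32 bytes = 256 bits of entropy
        self._clients: Dict[str, bytes] = {}     # client_id -> digest of its secret
        self._issued: Set[bytes] = set()         # digests of every secret ever issued
        self.rejected_collisions = 0             # how many candidates were discarded

    @staticmethod
    def _digest(secret: str) -> bytes:
        return hashlib.sha256(secret.encode("utf-8")).digest()

    def register(self, metadata: Dict[str, str],
                 secret_source: Optional[Callable[[], str]] = None) -> Dict[str, str]:
        """Issue a fresh client_id / client_secret pair for the given client metadata.

        secret_source is a test hook (assumption of this example); production
        callers leave it None and get secrets.token_urlsafe.
        """
        if secret_source is None:
            secret_source = lambda: secrets.token_urlsafe(self._secret_bytes)
        client_id = str(uuid.uuid4())
        while True:
            candidate = secret_source()
            digest = self._digest(candidate)
            if digest not in self._issued:
                break
            # A repeat of an already-issued secret. With 256-bit random values this
            # is astronomically unlikely, but the loop makes the guarantee explicit.
            self.rejected_collisions += 1
        self._issued.add(digest)
        self._clients[client_id] = digest
        # The registration response carries the plaintext secret exactly once.
        return {"client_id": client_id, "client_secret": candidate, **metadata}

    def authenticate(self, client_id: str, client_secret: str) -> bool:
        """Token-endpoint style check: the presented secret is compared only against
        the digest stored under the presented client_id, in constant time."""
        stored = self._clients.get(client_id)
        if stored is None:
            return False
        return hmac.compare_digest(stored, self._digest(client_secret))


if __name__ == "__main__":
    reg = ClientRegistry()
    app_a = reg.register({"client_name": "App A"})   # constructed sample metadata
    app_b = reg.register({"client_name": "App B"})
    assert reg.authenticate(app_a["client_id"], app_a["client_secret"])
    # App A's secret is useless under App B's client_id: binding is per client_id.
    assert not reg.authenticate(app_b["client_id"], app_a["client_secret"])
    print("registered", app_a["client_id"], "and", app_b["client_id"])
```

The per-client_id lookup in authenticate() is what actually prevents one dynamically registered client from impersonating another; the digest set in register() is the extra bookkeeping an OP would need if the text is read as requiring uniqueness across every secret it has ever issued, which is the cost Torsten is pointing at.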

