[Openid-specs-ab] Review Comments on Dyn Reg

Anthony Nadalin tonynad at microsoft.com
Thu Nov 7 17:17:40 UTC 2013

There should be no requirement that the secret be tied to the client_id, this is an implementation choice on how authentication is done

-----Original Message-----
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Richer, Justin P.
Sent: Thursday, November 7, 2013 9:01 AM
To: Torsten Lodderstedt
Cc: Openid-specs Ab
Subject: Re: [Openid-specs-ab] Review Comments on Dyn Reg

On Nov 7, 2013, at 8:03 AM, Torsten Lodderstedt <torsten at lodderstedt.net>

> Hi,
>>>> client_secret - "This MUST be unique for each client_id." - why 
>>>> must the client secret be _unique_? This seems to be a rather hard requirement.
>>> +1 on that
>> If you're handing out client secrets that aren't uniquely tied to 
>> client_ids, then you're going to end up with problems as some of your 
>> dynamically registered clients are going to be able to more easily 
>> impersonate each other. Normally this is a sufficiently random blob, 
>> but it can be a signed blob or something else of that nature, too. 
>> You can of course use credentials other than a client secret.
> Client secrets must indeed be tight to client_ids. But as I read the text it requires the OP to issue secrets, which are unique over _all_ client secrets. This is more challenging than "sufficiently random" as it prohibits any duplicates/collisions.

OK, I can buy that, though I think it's a bit of an arbitrary distinction. So if you've got a suggestion for more exact specification of this principle, please provide better text. (I'll make sure to copy it to the OAuth draft too.)

 -- Justin
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net

More information about the Openid-specs-ab mailing list