[Openid-specs-ab] request_uris parameter of Dynamic Client Registration

John Bradley ve7jtb at ve7jtb.com
Wed Nov 26 21:45:48 UTC 2014


Good point about multi-tenant.

The sector_identifier covers multiple clients so is not useful for identifying a single client across registrations.

The right way to do it is the draft-ietf-oauth-dyn-reg-management, or don’t use symmetric keys for client authentication.




> On Nov 26, 2014, at 6:19 PM, Chuck Mortimore <cmortimore at salesforce.com> wrote:
> 
> I don't think jwks_uri should be used as an identifier for. For many large providers this key URL might be common across multiple tenants, and hence cannot be used to uniquely identify a client. In addition, many providers may not choose to use URLs for their keys.
> 
> client_id really should be how clients are identified
> 
> On Wed, Nov 26, 2014 at 1:02 PM, Mike Schwartz <mike at gluu.org> wrote:
> On 2014-11-26 14:23, John Bradley wrote:
> 
> I think I recommended using the jwks_uri in registration for the
> client to publish an endpoint for its keys if it is going to rotate
> them.
> 
> 
> jwks_uri is a great idea...
> 
> To update the client secret, a new client is registered with the same jwks_uri?
> 
> And "Sector Identifier" also looks very interesting. Good point Mike Jones...
> 
> - Mike Schwartz
> Gluu
> 
