[Openid-specs-ab] BCP for client apps registration

Nat Sakimura sakimura at gmail.com
Mon Aug 5 19:19:21 UTC 2019


What would be the best way to register an app on a mobile device?

Using PKCE as in BCP 212 is great. However, if you want to implement a
layered permission model, it will hit a roadblock.

The flow I can think of is like this.

1. Use PKCE to get an access token.
2. Send the access token to the client registration endpoint to obtain a
client ID and the client secret.

Thereafter, the app behaves as a confidential client.

What do you think?

Nat Sakimura
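
The two-step flow in the message above, as an added example that is not part of the original post: an app instance runs the PKCE exchange, then presents the resulting access token as a Bearer credential to a registration endpoint to get its own client ID and secret. `MockAS`, the `client_registration` scope name, the one-registration-per-token rule and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def pkce_pair():
    verifier = b64url(secrets.token_bytes(32))  # 43-char verifier
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())

class MockAS:
    """Constructed in-memory authorization server, for illustration only."""
    def __init__(self):
        self.codes, self.reg_tokens, self.clients = {}, set(), {}

    def authorize(self, code_challenge, method):
        if method != "S256":
            raise ValueError("invalid_request")
        code = secrets.token_urlsafe(16)
        self.codes[code] = code_challenge
        return code

    def token(self, code, code_verifier):
        challenge = self.codes.pop(code, None)  # codes are single use
        expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if challenge is None or not hmac.compare_digest(challenge, expected):
            raise PermissionError("invalid_grant")
        tok = secrets.token_urlsafe(32)
        self.reg_tokens.add(tok)
        return {"access_token": tok, "token_type": "Bearer", "scope": "client_registration"}

    def register(self, authorization, metadata):
        scheme, _, tok = authorization.partition(" ")
        if scheme != "Bearer" or tok not in self.reg_tokens:
            raise PermissionError("invalid_token")
        self.reg_tokens.discard(tok)  # assumed policy: one registration per token
        client_id, secret = secrets.token_urlsafe(12), secrets.token_urlsafe(32)
        self.clients[client_id] = secret
        return {**metadata, "client_id": client_id, "client_secret": secret}

def register_app_instance(server):
    verifier, challenge = pkce_pair()                            # step 1: PKCE
    code = server.authorize(challenge, "S256")
    access_token = server.token(code, verifier)["access_token"]
    return server.register("Bearer " + access_token,            # step 2: register
                           {"token_endpoint_auth_method": "client_secret_basic"})

if __name__ == "__main__":
    print(register_app_instance(MockAS()))
```

Each call to `register_app_instance` yields a distinct client ID and secret, so the credential identifies one installation rather than the app binary shared by all of them.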