<div dir="ltr">But again, what about HSxxx JWSs and AxxxKW (and do we allow for 'dir'?) JWEs? AFAICK, the client_secret is needed for those too.<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Feb 6, 2013 at 12:29 PM, Justin Richer <span dir="ltr"><<a href="mailto:jricher@mitre.org" target="_blank">jricher@mitre.org</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    I think the problem stems from the fact that these values are
    defined in Messages. Maybe instead of defining it in terms of the
    exception, it should be defined as:<br>
    <br>
    "client_secret is required for auth_methods of type
    client_secret_basic, client_secret_post, and client_secret_jwt, and
    is forbidden otherwise."<span class="HOEnZb"><font color="#888888"><br>
    <br>
     -- Justin</font></span><div><div class="h5"><br>
    <br>
    <div>On 02/06/2013 02:27 PM, Mike Jones
      wrote:<br>
    </div>
    <blockquote type="cite">
      
      
      
      <div>
        <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Do
            you have a specific text change in mind that would address
            this, Justin?<u></u><u></u></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">                                                           
            Thanks,<u></u><u></u></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">                                                           
            -- Mike<u></u><u></u></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
        <div>
          <div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
                Justin Richer [<a href="mailto:jricher@mitre.org" target="_blank">mailto:jricher@mitre.org</a>]
                <br>
                <b>Sent:</b> Wednesday, February 06, 2013 11:00 AM<br>
                <b>To:</b> Mike Jones<br>
                <b>Cc:</b> 'Brian Campbell';
                '<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank"><openid-specs-ab@lists.openid.net></a>'<br>
                <b>Subject:</b> Re: [Openid-specs-ab] Comments on
                Registration (-14) Release Candidate D<u></u><u></u></span></p>
          </div>
        </div>
        <p class="MsoNormal"><u></u> <u></u></p>
        <p class="MsoNormal" style="margin-bottom:12.0pt">That's not
          private_key_jwt anymore, that's client_secret_jwt, which is a
          different value. We probably want to have this be more
          explicitly called out where these values are defined.<br>
          <br>
           -- Justin<br>
          <br>
          <u></u><u></u></p>
        <div>
          <p class="MsoNormal">On 02/06/2013 01:54 PM, Mike Jones wrote:<u></u><u></u></p>
        </div>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Hi
              Brian,</span><u></u><u></u></p>
          <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
          <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">There’s
              one part of your comments that I didn’t know how to
              address.  Per the comment in the issue:</span><u></u><u></u></p>
          <p style="margin-left:0in"><span>1.<span style="font:7.0pt "Times New Roman"">    
              </span></span><span style="font-size:10.5pt;font-family:"Arial","sans-serif";color:#333333" lang="EN">You wrote:</span><u></u><u></u></p>
          <p><span style="font-size:10.5pt;font-family:"Arial","sans-serif";color:#333333" lang="EN">2.2.1. Client Register Operation Response</span><u></u><u></u></p>
          <p><span style="font-size:10.5pt;font-family:"Arial","sans-serif";color:#333333" lang="EN">says that "[client_secret] is not required for
              clients selecting a token_endpoint_auth_method of
              private_key_jwt" but what if they've selected HS256 (or
              other HSxxx) for request_object_signing_alg or any of the
              <em><span style="font-family:"Arial","sans-serif"">signed</span></em>
              or
<em><span style="font-family:"Arial","sans-serif"">signing</span></em>
              parameters?</span><u></u><u></u></p>
          <p><span style="font-size:10.5pt;font-family:"Arial","sans-serif";color:#333333" lang="EN">Do you have a suggested text change in response
              to this issue?</span><u></u><u></u></p>
          <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
          <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">                                                           
              Thanks,</span><u></u><u></u></p>
          <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">                                                           
              -- Mike</span><u></u><u></u></p>
          <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
          <div>
            <div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
              <p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
                  Mike Jones
                  <br>
                  <b>Sent:</b> Monday, January 28, 2013 12:21 PM<br>
                  <b>To:</b> Brian Campbell; <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank"><openid-specs-ab@lists.openid.net></a><br>
                  <b>Subject:</b> RE: [Openid-specs-ab] Comments on
                  Registration (-14) Release Candidate D</span><u></u><u></u></p>
            </div>
          </div>
          <p class="MsoNormal"> <u></u><u></u></p>
          <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I’ve
              created
              <a href="http://hg.openid.net/connect/issue/727/registration-brian-campbells-review" target="_blank">http://hg.openid.net/connect/issue/727/registration-brian-campbells-review</a>
              to track these review comments.</span><u></u><u></u></p>
          <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
          <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">                                                               
              -- Mike</span><u></u><u></u></p>
          <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p>
          <p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
              <a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a>
              [<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">mailto:openid-specs-ab-bounces@lists.openid.net</a>]
              <b>On Behalf Of </b>Brian Campbell<br>
              <b>Sent:</b> Thursday, January 24, 2013 3:48 PM<br>
              <b>To:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank"><openid-specs-ab@lists.openid.net></a><br>
              <b>Subject:</b> [Openid-specs-ab] Comments on Registration
              (-14) Release Candidate D</span><u></u><u></u></p>
          <p class="MsoNormal"> <u></u><u></u></p>
          <p class="MsoNormal" style="margin-bottom:12.0pt">Some
            comments/questions on <a href="http://openid.net/specs/openid-connect-registration-1_0-14.html" target="_blank">
http://openid.net/specs/openid-connect-registration-1_0-14.html</a>
            follow:<br>
            <br>
            <a href="http://openid.net/specs/openid-connect-registration-1_0-14.html#ClientRegistration" target="_blank">http://openid.net/specs/openid-connect-registration-1_0-14.html#ClientRegistration</a><br>
            2.1.  Client Registration and Client Update Request<br>
            <br>
            The definition of access_token and the text near the bottom
            about registration_access_token seem to suggest that the
            (registration) access token need only be sent on
client_update requests. But surely it's also needed for
            rotate_secret?
            <br>
            <br>
            Changing from requiring client id and secret on
client_update (and I assume rotate_secret) to needing the
            registration access token suggests that (short of some
            additional work) clients provisioned by some other means
            than this registration endpoint cannot update themselves or
            rotate their secret via the registration endpoint. I guess
            that could be a feature or a bug (or just meh) depending on
            how you look at it. But it just occurred to me and the
            change is relatively recent so I thought I'd mention it.<br>
            <br>
            Honestly, it feels pretty awkward that the nature of the
            access token and if it's required or not differs based on
            the value of the operation parameter. It can work but means
            that the code that's doing the authn/z will need to examine
            the operation parameter in the request body in order to know
            what to do and the content of the token and how it's
            processed might be very different based on the operation. 
            Anyway, I'm not necessarily objecting to it but still feel
            compelled to mention that it leaves kind of a bad taste.<br>
            <br>
            jwk_url and x509_url say they are used for "signing Token
            Endpoint Requests" but there's nothing specified anywhere
            about signing Token Endpoint Requests, is there? Is it
            intended to mean signing the jwt when authenticating to the
            token endpoint using the private_key_jwt method?<br>
            <br>
            All the jwk and x509 basically say that if both jwk and x509
are registered then "the keys contained in both formats
            SHOULD be the same" but Messages 4.2
            <a href="http://openid.net/specs/openid-connect-messages-1_0-15.html#sigenc.key" target="_blank">http://openid.net/specs/openid-connect-messages-1_0-15.html#sigenc.key</a>
            has a MUST. Shouldn't these be consistent?<br>
            <br>
            Issues 703 and 704 likely will impact the key parameters
            too.<br>
            <br>
            A number of places say "The valid values are listed in
            Section 3.1 of <a href="http://openid.net/specs/openid-connect-registration-1_0-14.html#JWA" target="_blank">JWA</a>
            [JWA]" with respect to signing. But is "none" an
acceptable/reasonable value for any or all of these?
            <br>
            <br>
            <br>
            <a href="http://openid.net/specs/openid-connect-registration-1_0-14.html#ClientRegisterResponse" target="_blank">http://openid.net/specs/openid-connect-registration-1_0-14.html#ClientRegisterResponse</a><br>
            2.2.1.  Client Register Operation Response<br>
            <br>
            says that "[client_secret] is not required for clients
            selecting a token_endpoint_auth_method of private_key_jwt"
            but what if they've selected HS256 (or other HSxxx) for
            request_object_signing_alg or any of the *signed* or
*signing* parameters?
            <br>
            <br>
            This section and 2.2.3 have "Additionally, the server MUST
            include all registered metadata about a client as described
            in
            <a href="http://openid.net/specs/openid-connect-registration-1_0-14.html#ClientRegistration" target="_blank">Section 2.1</a>,
            including any fields that the server has provisioned on the
            client's behalf." What is the expected behavior for default
            values from 2.1 (that very well might not be stored
            anywhere).<br>
            <br>
            <a href="http://openid.net/specs/openid-connect-registration-1_0-14.html#ErrorResponse" target="_blank">http://openid.net/specs/openid-connect-registration-1_0-14.html#ErrorResponse</a><br>
            2.3.  Client Registration Error Response<br>
            <br>
            I don't think invalid_client_id or invalid_client_secret are
            valid anymore?<br>
            <br>
            <br>
            <a href="http://openid.net/specs/openid-connect-registration-1_0-14.html#Security" target="_blank">http://openid.net/specs/openid-connect-registration-1_0-14.html#Security</a><br>
            5.  Security Considerations<br>
            "Requests to the Registration Endpoint for <tt><span style="font-size:10.0pt">client_update</span></tt> MUST
            have some rate limiting on failures to prevent the Client
secret from being disclosed through repeated access
            attempts." Which is true, I suppose, but no longer applies
            to the client secret but rather to the registration access
            token. Also doesn't it apply to rotate_secret as well?<br>
            <br>
            <br>
            <a href="http://openid.net/specs/openid-connect-registration-1_0-14.html#Acknowledgements" target="_blank">http://openid.net/specs/openid-connect-registration-1_0-14.html#Acknowledgements</a><br>
            Appendix A.  Acknowledgements<br>
            <br>
            Is empty. What does it take to get on there? ;) I'm sure I'm
            not the only one either...<br>
            <br>
            <br>
            Thanks,<br>
            Brian<br>
            <br>
            <br>
            P.S. I'll try and look at the other RC docs in the next few
            days but it's very time consuming and not the only thing on
            my (or anyone's I'm sure) plate. I just happened to be
            trying to update some of my (limited) registration code
            today so it was right in front of me.<br>
            <br>
            <br>
            <br>
            <u></u><u></u></p>
          <p class="MsoNormal"><br>
            <br>
            <br>
            <u></u><u></u></p>
          <pre>_______________________________________________<u></u><u></u></pre>
          <pre>Openid-specs-ab mailing list<u></u><u></u></pre>
          <pre><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><u></u><u></u></pre>
          <pre><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><u></u><u></u></pre>
        </blockquote>
        <p class="MsoNormal"><u></u> <u></u></p>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br></div>
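The rule debated above, worked as an added example that is not code from this thread, from any OpenID Connect specification, or from any implementation: a registration-endpoint check that applies Justin's proposed client_secret_* rule and Brian's extension to symmetric JWS (HSxxx) and JWE (AxxxKW, and 'dir', which the thread leaves open) algorithms. Only token_endpoint_auth_method and request_object_signing_alg appear on the page; the other metadata parameter names are assumed here.

```python
"""Added example, not from this thread or any OpenID Connect spec or implementation:
a registration-endpoint check for when a client_secret must be issued. It applies
Justin's proposed rule for the client_secret_* auth methods and Brian's extension
to symmetric JWS (HSxxx) and JWE (AxxxKW, dir) algorithms."""
import re

# Auth methods from Justin's proposed text that authenticate with the shared secret.
SECRET_AUTH_METHODS = {"client_secret_basic", "client_secret_post", "client_secret_jwt"}

# Metadata parameters carrying a JWS "alg" (signing) or JWE "alg" (key management).
# request_object_signing_alg is on the page; the other names are assumed here.
SIGNING_ALG_PARAMS = ("request_object_signing_alg",
                      "id_token_signed_response_alg",
                      "userinfo_signed_response_alg")
ENCRYPTION_ALG_PARAMS = ("request_object_encryption_alg",
                         "id_token_encrypted_response_alg",
                         "userinfo_encrypted_response_alg")

HMAC_JWS = re.compile(r"^HS(256|384|512)$")              # MAC key is the client_secret
SYMMETRIC_JWE = re.compile(r"^(A(128|192|256)KW|dir)$")  # wrapping/direct key is the client_secret;
                                                         # 'dir' included, which the thread leaves open

def client_secret_reasons(metadata: dict) -> list:
    """List every registered choice that only works with a client_secret."""
    reasons = []
    method = metadata.get("token_endpoint_auth_method")
    if method in SECRET_AUTH_METHODS:
        reasons.append(f"token_endpoint_auth_method={method}")
    for param in SIGNING_ALG_PARAMS:
        alg = metadata.get(param)
        if alg and HMAC_JWS.match(alg):
            reasons.append(f"{param}={alg}")
    for param in ENCRYPTION_ALG_PARAMS:
        alg = metadata.get(param)
        if alg and SYMMETRIC_JWE.match(alg):
            reasons.append(f"{param}={alg}")
    return reasons

def must_issue_client_secret(metadata: dict) -> bool:
    """Under the proposed rule: required when any reason exists, forbidden otherwise."""
    return bool(client_secret_reasons(metadata))

def unsigned_params(metadata: dict) -> list:
    """Signing parameters set to "none", which Brian asks whether to accept at all."""
    return [p for p in SIGNING_ALG_PARAMS if metadata.get(p) == "none"]
```

A client registering private_key_jwt but HS256 for request_object_signing_alg therefore still gets a client_secret, which is exactly the case the "not required for private_key_jwt" wording misses.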