<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<base href="x-msg://2427/"><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">About rotate_secret, there’s already a working group decision that it should go, so it’s been deleted. See
<a href="https://bitbucket.org/openid/connect/issue/745">https://bitbucket.org/openid/connect/issue/745</a>.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Given that the registration server may want to change the client_secret when some kinds of parameters are changed by an update, especially if they pertain to
how the client authenticates, it seems odd/overly limiting to prohibit it from doing so. Vladimir, John, and I believe that that this needs to be allowed. If you still disagree for some reason, we can about it on tomorrow’s call. Otherwise, we should update
the text as John had suggested.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> -- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> Justin Richer [mailto:jricher@mitre.org]
<br>
<b>Sent:</b> Wednesday, February 06, 2013 7:11 AM<br>
<b>To:</b> John Bradley<br>
<b>Cc:</b> Mike Jones; openid-specs-ab@lists.openid.net<br>
<b>Subject:</b> Re: [Openid-specs-ab] Two questions about client_secret in Registration<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">I don't think #2 should go, nor do I think that the "rotate secret" operation should go. I like having the authentication-based bits be handled separately.<br>
<br>
-- Justin<br>
<br>
<o:p></o:p></p>
<div>
<p class="MsoNormal">On 02/06/2013 08:37 AM, John Bradley wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">They should both go. <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">#2 was part of Yarons fixes around not rotating the client secret unless the client specifically requests it to prevent lockout from the registration endpoint. That is not relevant any more.<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">On 2013-02-05, at 8:42 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">1. We currently have this error at<span class="apple-converted-space"> </span><a href="http://openid.bitbucket.org/openid-connect-registration-1_0.html#ErrorResponse"><span style="color:purple">http://openid.bitbucket.org/openid-connect-registration-1_0.html#ErrorResponse</span></a>:<o:p></o:p></span></p>
</div>
<div style="margin-left:.5in">
<p class="MsoNormal"><span lang="EN" style="font-family:"Verdana","sans-serif"">invalid_client_secret</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div style="margin-left:96.0pt">
<p class="MsoNormal"><span lang="EN" style="font-family:"Courier New";color:#003366">client_secret</span><span class="apple-converted-space"><span lang="EN" style="font-family:"Verdana","sans-serif""> </span></span><span lang="EN" style="font-family:"Verdana","sans-serif"">provided
for accessing the registered client is not valid for the provided</span><span lang="EN" style="font-family:"Courier New";color:#003366">client_id</span><span lang="EN" style="font-family:"Verdana","sans-serif"">.</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">I think this should be deleted, since we’re using an access token to authenticate to the registration endpoint – not a client_secret value. Vladimir pointed out the same
thing in a comment on<span class="apple-converted-space"> </span><a href="https://bitbucket.org/openid/connect/issue/727/registration-brian-campbells-review"><span style="color:purple">https://bitbucket.org/openid/connect/issue/727/registration-brian-campbells-review</span></a>.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">2. The Client Update Response at<span class="apple-converted-space"> </span><a href="http://openid.bitbucket.org/openid-connect-registration-1_0.html#ClientUpdateResponse"><span style="color:purple">http://openid.bitbucket.org/openid-connect-registration-1_0.html#ClientUpdateResponse</span></a><span class="apple-converted-space"> </span>currently
says:<o:p></o:p></span></p>
</div>
<p style="mso-margin-top-alt:5.0pt;margin-right:24.0pt;margin-bottom:5.0pt;margin-left:24.0pt">
<span lang="EN" style="font-family:"Verdana","sans-serif"">The Authorization Server MUST NOT include the Client Secret or Request Access Token in this response.</span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">I’m not sure why it’s forbidden to return the client_secret value upon an update. Is the assumption that the registration server may not change the secret? What if the
registration server decides that the updated parameters warrant a different secret? I think we should remove this restriction and instead say that clients should be prepared to receive and use an updated client_secret, if sent.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> -- Mike<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Helvetica","sans-serif"">_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net"><span style="color:purple">Openid-specs-ab@lists.openid.net</span></a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"><span style="color:purple">http://lists.openid.net/mailman/listinfo/openid-specs-ab</span></a><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Openid-specs-ab mailing list<o:p></o:p></pre>
<pre><a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><o:p></o:p></pre>
<pre><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>