I guess we could check if we already have client info on file, and then reject only if we already have info AND the secrets don't match. I'm just trying to think if that results in possible information disclosure. I guess the secret is big enough that it shouldn't be a problem? Maybe? :P
Yes, that was what I thought ACE did (but didn't get around to in AcDart, and yeah, I do hit the issue in your caveat) when I thought ACE did this already ;-). Patrick Streule, did I dream that you told me ACE already did this?
Comalatech is doing this in their implementation, that's probably what I mentioned once.
@sday_atlassian I agree, we should reject only if the secrets don't match and not generally. Unfortunately there are also some other cases that we need to take into account, namely the transition from OAuth to JWT, which shouldn't lead to rejections.