openid / connect / issues / #363 - Registration 2.2 - Why must client_secret change with each response?

Issue #363 resolved

Michael Jones created an issue 2011-11-21

The spec currently says that the client secret should change with each registration response. About this, Yaron Goland wrote:

Um… why? In fact given error recovery scenarios changing this on each request sounds like a bug, not a feature.

Comments (5)

Edmund Jay
- assigned issue to
  
  John Bradley
- changed status to on hold
Add comment on why secret changes (for rotating secrets). Ask Yaron directly on what the question means.
- 2011-11-22T01:11:23+00:00
Nat Sakimura
- changed title to Registration 2.2 - Why must client_secret change with each response?
- 2012-03-23T00:18:21+00:00
Michael Jones reporter
- assigned issue to
  
  Michael Jones
This may have to do with the "update" option, versus the "associate" option. Mike to ask Yaron for feedback.
- 2012-03-23T00:20:04+00:00
Michael Jones reporter
- assigned issue to
  
  John Bradley
- changed status to open
We should add an explicit parameter that requests a new client_secret and update the spec from saying that "This should change with each response" to reflect the addition of this parameter. We should also state that the client_secret must be different for different client_ids.
- 2012-04-19T15:41:22+00:00
John Bradley
- changed status to resolved
Fixes ~~#363~~ Make rotate secret a separate type and stop client secret changing with every response.

→ cc00482872eb
- 2012-05-01T05:20:42+00:00
Log in to comment