Registration - 2.2.1 client_secret should not be REQUIRED

Issue #632 resolved
Nat Sakimura created an issue

In the Response, currently it says:

{{{ client_secret REQUIRED. The Client secret. This MUST be unique for each client_id. }}}

Since the client may be a public client, client_secret should not be REQUIRED. It is only REQUIRED if the client type is confidential.

Note: If the client only uses implicit flow (such as self-issued), the client is a public client.

Comments (6)

  1. Michael Jones

    We should add some rationale for why a client_secret is present even for public clients.

    We should also state that this is a requirement for the server to send a client_secret - not a requirement that the client use it.

  2. Michael Jones

    We could eliminate the symmetric client secret for the registration endpoint by using an access token. The client_secret would then be optional, depending upon the client type.

  3. John Bradley

    The new logic is:

    Access token is optional for client_associate. Clients get an access token in client_associate and rotate_secret. They use that access token to perform rotate_secret and client_update.

    client_secret is now optional

    I eliminated client_id from the request as it is now implicit in the access token.
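
The registration logic described in this thread (client_secret issued only to confidential clients, an access token issued at client_associate and rotate_secret, client_id implicit in that token for rotate_secret and client_update), written out as an added illustration that is not code from the issue or from the OpenID Connect specification. It assumes an in-memory registry, that the `response_types` metadata key identifies implicit-only (public) clients, and that a public client's rotate_secret only rotates its access token.

```python
import secrets

# Constructed in-memory client store for this example (a real server would persist
# hashed tokens and secrets, not plaintext).
CLIENTS = {}


def is_public_client(metadata):
    """Assumption: a client whose response_types are all implicit-flow types
    (as the issue says for self-issued clients) is a public client."""
    response_types = metadata.get("response_types", ["code"])
    return all(rt in ("id_token", "id_token token") for rt in response_types)


def client_associate(metadata):
    """Register a client. A registration access token is always issued;
    client_secret is issued only when the client is confidential."""
    client_id = secrets.token_urlsafe(16)
    record = {"metadata": dict(metadata),
              "access_token": secrets.token_urlsafe(32),
              "client_secret": None}
    response = {"client_id": client_id, "access_token": record["access_token"]}
    if not is_public_client(metadata):
        record["client_secret"] = secrets.token_urlsafe(32)
        response["client_secret"] = record["client_secret"]
    CLIENTS[client_id] = record
    return response


def _lookup(access_token):
    """client_id is implicit in the access token: resolve the token to its record.
    Constant-time comparison so token guessing is not aided by timing."""
    for client_id, record in CLIENTS.items():
        if secrets.compare_digest(record["access_token"], access_token):
            return client_id, record
    raise PermissionError("unknown or superseded access token")


def rotate_secret(access_token):
    """Rotate the client_secret (confidential clients only) and issue a fresh
    access token; the previous access token stops working."""
    client_id, record = _lookup(access_token)
    record["access_token"] = secrets.token_urlsafe(32)
    response = {"client_id": client_id, "access_token": record["access_token"]}
    if record["client_secret"] is not None:
        record["client_secret"] = secrets.token_urlsafe(32)
        response["client_secret"] = record["client_secret"]
    return response


def client_update(access_token, new_metadata):
    """Update registered metadata; authorised solely by the access token."""
    client_id, record = _lookup(access_token)
    record["metadata"].update(new_metadata)
    return {"client_id": client_id, **record["metadata"]}
```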
