Registration - Add Configuration Read

Issue #751 resolved
Nat Sakimura created an issue

There is a question about whether the server is allowed to change the currently registered values. It is not clear from the current text. It needs to be clarified. (#753)

Now, if it is (and I suspect yes, for some security reasons etc.), the client needs to have a way to read the current setting. This is the Client Read.

Proposal:

Add the following: (copied from my Discussion Draft)

4. Client Read

The client may request the client URL at the server to obtain the currently registered values for the client. To do so, the client sends an HTTP GET request to the client URL.

4.1. Client Read Request

The client sends an HTTP GET request to the client_url.

Following is a non-normative example request (with line wraps for display purposes only):

GET /clients/s6BhdRkqt3 HTTP/1.1
Host: server.example.com
Authorization: Bearer this.is.an.access.token.value.ffx83

4.2. Client Read Response

Upon a successful request, the server returns the currently registered metadata about this client, except the Client Secret or Request Access Token.

Following is a non-normative example response:

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store

{
    "_links": {
        "self": {
            "href": "https://server.example.com/clients/s6BhdRkqt3"
        }
    },
    "client_id": "s6BhdRkqt3",
    "client_secret": "cf136dc3c1fd9153029bb9c6cc9ecead918bad9887fce6c93f31185e5885805d",
    "registration_access_token": "this.is.an.access.token.value.ffx83",
    "token_endpoint_auth_method": "client_secret_basic",
    "expires_at": 2893276800,
    "application_type": "web",
    "redirect_uris": "https://client.example.org/callback https://client.example.org/callback2",
    "client_name": "My Example",
    "client_name#ja-Jpan-JP": "クライアント名",
    "logo_url": "https://client.example.org/logo.png",
    "subject_type": "pairwise",
    "sector_identifier_url": "https://othercompany.com/file_of_redirect_uris.json",
    "jwk_url": "https://client.example.org/my_rsa_public_key.jwk",
    "userinfo_encrypted_response_alg": "RSA1_5",
    "userinfo_encrypted_response_enc": "A128CBC+HS256"
}
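The Client Read exchange proposed above, as an added example in Python that is not part of this issue or of the OpenID Connect draft. It models both sides in-process so it runs offline: `handle_client_read` is the server side of 4.1/4.2 and `client_read` is the client side; the in-memory registry, the `send` callback, `ISSUER` and the `omit` parameter are assumptions made for illustration, and the sample record reuses the values from the non-normative example response. The point it makes that the proposal text leaves implicit: the bearer token in the request is only valid for the client_id named in the path, so the server must compare it in constant time against the token issued for that specific client, must answer unknown client_ids and wrong tokens identically (so the endpoint cannot be used to enumerate client_ids), must refuse expired registrations, and must send Cache-Control: no-store because the body carries credentials. Which fields are withheld is left to the `omit` argument; by default the record is returned whole, as in the example response.

```python
"""In-process model of the Client Read exchange (GET on the client URL with
the registration access token presented as a Bearer token).

Added example, not code from the OpenID Connect draft or from this issue.
REGISTRY, ISSUER, handle_client_read, client_read and the `omit`/`send`
parameters are assumptions made for illustration.
"""
import hmac
import json
import time

ISSUER = "https://server.example.com"  # assumed issuer base URL

# Constructed registry: one record, with the values of the example response.
REGISTRY = {
    "s6BhdRkqt3": {
        "client_id": "s6BhdRkqt3",
        "client_secret": "cf136dc3c1fd9153029bb9c6cc9ecead918bad9887fce6c93f31185e5885805d",
        "registration_access_token": "this.is.an.access.token.value.ffx83",
        "token_endpoint_auth_method": "client_secret_basic",
        "expires_at": 2893276800,
        "application_type": "web",
        "redirect_uris": "https://client.example.org/callback https://client.example.org/callback2",
        "client_name": "My Example",
    },
}


def _bearer_token(headers):
    """Return the token from 'Authorization: Bearer <token>', or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def handle_client_read(method, path, headers, registry=REGISTRY, now=None, omit=()):
    """Server side of 4.1/4.2. Returns (status, response_headers, body_dict)."""
    now = time.time() if now is None else now
    no_store = {"Content-Type": "application/json", "Cache-Control": "no-store"}
    if method != "GET":
        return 405, {"Allow": "GET"}, {"error": "method_not_allowed"}
    prefix = "/clients/"
    client_id = path[len(prefix):]
    if not path.startswith(prefix) or not client_id or "/" in client_id:
        return 404, no_store, {"error": "not_found"}
    record = registry.get(client_id)
    presented = _bearer_token(headers)
    # Unknown client: compare against a dummy so the unknown-client and
    # wrong-token cases take the same path and return the same 401.
    expected = record["registration_access_token"] if record else "\x00" * 32
    if presented is None or not hmac.compare_digest(presented, expected) or record is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="registration"', **no_store}, {"error": "invalid_token"}
    if record.get("expires_at") is not None and now >= record["expires_at"]:
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"', **no_store}, {
            "error": "invalid_token", "error_description": "registration expired"}
    body = {"_links": {"self": {"href": f"{ISSUER}/clients/{client_id}"}}}
    body.update({k: v for k, v in record.items() if k not in omit})
    return 200, no_store, body


def client_read(client_url, registration_access_token, send):
    """Client side of 4.1: build the GET and return the parsed metadata.

    `send(method, path, headers)` -> (status, headers, body) stands in for an
    HTTPS client so the example runs offline. A real client must refuse a
    non-https client URL: the token is a bearer credential.
    """
    if not client_url.startswith("https://"):
        raise ValueError("client URL must be https")
    host, _, path = client_url[len("https://"):].partition("/")
    status, _, body = send("GET", "/" + path, {
        "Host": host, "Authorization": "Bearer " + registration_access_token})
    if status != 200:
        raise RuntimeError(f"client read failed: {status} {body.get('error')}")
    return body


if __name__ == "__main__":
    transport = lambda m, p, h: handle_client_read(m, p, h)
    meta = client_read(ISSUER + "/clients/s6BhdRkqt3",
                       "this.is.an.access.token.value.ffx83", transport)
    print(json.dumps(meta, indent=2))
```

Calling `handle_client_read` with `omit=("client_secret", "registration_access_token")` gives the behaviour the 4.2 prose describes; the default gives the behaviour the example response shows, and the server keeps sending `no-store` either way.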

Comments (7)

  1. Michael Jones

    I don't believe that this is a necessary operation. There are already two other ways for clients to provide update parameters: remembering the initial ones or remembering the results of the initial registration.

    Also, this is only there to support Update, which per #755, we may decide to delete.

  2. Former user Account Deleted

    Without rotate_secret, Read, or Update, how will a client be told of a new client secret? Since they can still expire, we need some way to communicate that to the client without requiring a re-registration.

    I'm actually thinking that the Read operation will do so cleanly.

  3. Michael Jones

    Fixed #755 - Removed client update operation. Fixed #751 - Added client read operation. Fixed #749 - Added "registration_access_url". Fixed #756 - State that an updated "client_secret" value can be returned by a read operation.

    → <<cset 62fea9ed07e0>>
