Registration - Clarify whether server is allowed to change the registered values

Issue #753 resolved
Nat Sakimura created an issue

It is not clear from the current text whether the server is allowed to change the registration value for one reason or another.

If there is some kind of security incident, it is likely that the server needs to change the value. If this is to be accommodated, the text should say that it MAY do so.

Comments (5)

  1. Former user (Account Deleted)

    My read (and how I've tried to word the OAuth DynReg text) is that the server is allowed to change the registered values from what the client requested, since a client could potentially ask for a "bad" value that the server can correct programmatically. A server could also inject a "default" value for something that the client doesn't otherwise specify, and we already have some normative language for this around token_endpoint_auth_method.

    The other question is whether a server could change the value for a client in between it reading/updating things. I think that this is a classic cache consistency problem, and that the server should be considered the gold source of the data at all times. This is one reason that I believe #751 is important.

  2. Michael Jones

    Placed on hold since this issue is about the Registration Client Update operation and we have removed that operation, per issue #755.

  3. Michael Jones
    • changed status to open

    We now return the actual values used from registration responses, and are clear that servers may change values that clients requested.
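    As an added illustration of the position the thread settles on (the server is the authoritative source, may correct or default what the client requested, and returns the values actually registered), the following client-side reconciliation is example code written for this page, not code from the thread, the specification or any OpenID Connect library. It assumes standard registration metadata names (`client_id`, `redirect_uris`, `token_endpoint_auth_method`, `grant_types`, `client_name`); the request and response values are constructed samples.

```python
"""Reconcile a client's requested registration metadata with the server's
registration response.

Added example for this page; not code from the thread or from any OpenID
Connect implementation. The server's returned values are treated as the
gold source, and the client records what was changed, added or dropped so
the difference is visible rather than silently absorbed.
"""
import json

REQUIRED_RESPONSE_FIELDS = ("client_id",)


def reconcile_registration(requested: dict, response_json: str) -> dict:
    """Parse the registration response and return the authoritative client
    configuration together with a report of how it differs from the request."""
    response = json.loads(response_json)
    for field in REQUIRED_RESPONSE_FIELDS:
        if field not in response:
            raise ValueError(f"registration response missing {field}")

    changed, added, dropped = {}, {}, []
    for key, value in requested.items():
        if key not in response:
            dropped.append(key)                      # server removed a requested field
        elif response[key] != value:
            changed[key] = {"requested": value, "registered": response[key]}
    for key, value in response.items():
        if key not in requested:
            added[key] = value                       # server-supplied default or identifier

    # A server may narrow or correct redirect_uris, but a URI the client never
    # asked for must not be accepted silently: surface it for the operator.
    unexpected_redirects = sorted(
        set(response.get("redirect_uris", [])) - set(requested.get("redirect_uris", []))
    )
    return {
        "config": response,                          # authoritative values to use
        "changed": changed,
        "added": added,
        "dropped": dropped,
        "unexpected_redirect_uris": unexpected_redirects,
    }


# Constructed sample: the client asks for 'none' authentication and two
# redirect URIs; the server corrects the auth method, drops the plain-http
# URI and injects a default grant_types value.
SAMPLE_REQUEST = {
    "redirect_uris": ["https://client.example.test/cb", "http://client.example.test/cb"],
    "token_endpoint_auth_method": "none",
    "client_name": "Example RP",
}
SAMPLE_RESPONSE = json.dumps({
    "client_id": "client-id-placeholder",            # constructed value
    "redirect_uris": ["https://client.example.test/cb"],
    "token_endpoint_auth_method": "client_secret_basic",
    "client_name": "Example RP",
    "grant_types": ["authorization_code"],
})

if __name__ == "__main__":
    print(json.dumps(reconcile_registration(SAMPLE_REQUEST, SAMPLE_RESPONSE), indent=2))
```

    The `config` entry is what the client should persist and use; the `changed`, `added` and `dropped` entries exist so a correction such as `none` becoming `client_secret_basic` is logged rather than discovered later as a failing token request.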
