Registration - 3 - rotate/renew secret

Comments (4)

1. 

   Pawel Kowalik

   I also see that missing in the OIDC Dynamic Client Registration, that only GET verb is described and no way to prolog client_secret if expired/expiring.

   OAuth2 Dynamic Client Registration describes PUT verb, with a vague description that it may be used to get new client secret. https://tools.ietf.org/html/rfc7592#section-2.2

   • 2019-05-29T09:36:45+00:00
2. 

   Michael Jones

   • changed status to resolved

   Yes, if your Connect implementation also supports RFC 7592, then you can use it to change client_secret values.

   • 2019-06-06T17:29:27+00:00
3. 

   Pawel Kowalik

   Hi Mike, thanks for the confirmation. Should a reference to RFC 7592 and some wording be added to OIDC Dynamic Client Registration and/or OpenID Connect Discovery then? RFC 7592 also leaves it open in A.1 whether it’s Read or Update request needed, or whether it’s supported at all. Shouldn’t it be then discoverable via OpenID Provider Configuration document? Otherwise client implementation has to rely on trial and error to figure it out.

   • 2019-06-07T07:29:15+00:00
4. 

   alexandre faria reporter

   Dear,

   By reading the RFC 7592 (2.2 Client Update Request), if the client_secret is included it the request metadata, it must match the current value. (We can not push our own credentials).

   As Pawel said above, we can not guess how we can renew/rotate.

   We may configure the Authorization Server to always perform a client_secret rotation on each registration update request, I do not see other options in the RFC right?

   Regards,

   Alexandre.

   • 2019-06-11T13:17:02+00:00
5. Log in to comment