Federation: How should an OP signal to the RP that its registration has expired?
In https://openid.net/specs/openid-connect-federation-1_0.html#rfc.section.9.2.3.2 we have:
If the signature on the registration request has expired it MUST mark the registration as invalid and demand that the RP MUST re-register
The spec currently has a gap about how the OP is to signal to the RP the fact that its registration has expired (assuming that was the intent of “demand”).
If we assume std RFC 6749 behaviour this would mean the client_id
is no longer valid. But with a invalid client_id the OP / AS is not allowed to redirect back to the RP.
https://tools.ietf.org/html/rfc6749#section-4.1.2.1
One possible solution is to define a special error code and let the redirection proceed. The significant downside of that is the OP will need to store expired registrations, potentially indefinitely.
Perhaps the simple solution is to not have any explicit signalling from OP to RP at all, but let the RP figure out the time when its registration is going to expire. This will simplify the implementation of the OP.
Comments (6)
-
Account Deleted -
reporter Pardon, there was some confusion here, ignore my previous comment.
The
client_secret_expires_at
is tied to a issued client secret, which a fed client may choose not to use (because it needs to support private keys anyhow) and the client secret lifetime can be independent from the registration lifetime.
-
-
assigned issue to
-
assigned issue to
-
- changed status to open
-
The only way an OP can signal to an RP that a registration is invalid it by not accepting the client as a valid client anymore.
The OP can not demand the client to re-register if it doesn’t want to.
-
- changed status to closed
- Log in to comment
I think the signalling would be through
client_secret_expires_at
field of Dynamic Client Registration response.9.2.4 seems to confirm that
An OP MUST NOT assign an expiration time to an RP's registration that is later than the trust chain's expiration time.
I find 9.2.2.2.1. more problematic, where the statement
if there already exists a client registration under the same entity identifier then that registration MUST be regarded as invalid.
means in fact that RP has to wait until the credential fails to register anew. The implementations I saw re-register the client with some buffer beforeclient_secret_expires_at
so there is no risk of clock skew etc. Also handling of native clients is more complex under this requirement.