Federation: How should an OP signal to the RP that its registration has expired?

Issue #1168 closed
Vladimir Dzhuvinov created an issue

In https://openid.net/specs/openid-connect-federation-1_0.html#rfc.section.9.2.3.2 we have:

If the signature on the registration request has expired it MUST mark the registration as invalid and demand that the RP MUST re-register

The spec currently has a gap about how the OP is to signal to the RP the fact that its registration has expired (assuming that was the intent of “demand”).

If we assume std RFC 6749 behaviour this would mean the client_id is no longer valid. But with a invalid client_id the OP / AS is not allowed to redirect back to the RP.

https://tools.ietf.org/html/rfc6749#section-4.1.2.1

One possible solution is to define a special error code and let the redirection proceed. The significant downside of that is the OP will need to store expired registrations, potentially indefinitely.

Perhaps the simple solution is to not have any explicit signalling from OP to RP at all, but let the RP figure out the time when its registration is going to expire. This will simplify the implementation of the OP.

Comments (6)

  1. Pawel Kowalik

    I think the signalling would be through client_secret_expires_at field of Dynamic Client Registration response.

    9.2.4 seems to confirm that An OP MUST NOT assign an expiration time to an RP's registration that is later than the trust chain's expiration time.

    I find 9.2.2.2.1. more problematic, where the statement if there already exists a client registration under the same entity identifier then that registration MUST be regarded as invalid. means in fact that RP has to wait until the credential fails to register anew. The implementations I saw re-register the client with some buffer before client_secret_expires_at so there is no risk of clock skew etc. Also handling of native clients is more complex under this requirement.

  2. Vladimir Dzhuvinov reporter

    Pardon, there was some confusion here, ignore my previous comment.

    The client_secret_expires_at is tied to a issued client secret, which a fed client may choose not to use (because it needs to support private keys anyhow) and the client secret lifetime can be independent from the registration lifetime.

  3. Roland Hedberg

    The only way an OP can signal to an RP that a registration is invalid it by not accepting the client as a valid client anymore.

    The OP can not demand the client to re-register if it doesn’t want to.

  4. Log in to comment