Messages - 2.2.1 client password or client_secret?

Issue #505 resolved
John Bradley created an issue

In http://openid.net/specs/openid-connect-messages-1_0-07.html section 2.2.1 Client Authentication the text for the client_secret_jwt option probably contains a 'copy-paste' error.

In the beginning of the paragraph it says:

Clients in possession of a client password create a JWT ….
                           ^^^^^^^^^^^^^^^

From Roland Hedberg

I guess it should be 'client secret' given the rest of the description.

Comments (4)

  1. John Bradley reporter

    In OAuth 2.0 the parameter is client_secret but it contains the client password.

    We inherit the awkward language. I was consistent with OAuth; the thing the client has is a password (not a key, as pointed out in another ticket).

    If anything we should change client_secret in that paragraph to Client Password, though that may actually be more confusing.

  2. Michael Jones

    Possibly use the language "the value of client_secret exchanged during registration". Or possibly reference the OAuth spec for the OAuth language.

    John will propose new language for the next call.
