- changed status to open
Registration - 2.2.1 client_secret should not be REQUIRED
In the Response, currently it says:
{{{ client_secret REQUIRED. The Client secret. This MUST be unique for each client_id. }}}
Since the client may be a public client, client_secret should not be REQUIRED. It is only REQUIRED if the client type is confidential.
Note: If the client only uses implicit flow (such as self-issued), the client is a public client.
Comments (6)
We could eliminate the symmetric client secret for the registration endpoint by using an access token. The client_secret would then be optional, depending upon the client type.
The new logic is:
Access token is optional for client_associate. Clients get an access token in client_associate and rotate_secret. They use that access token to perform rotate_secret and client_update.
client_secret is now optional.
I eliminated client_id from the request as it is now implicit in the access token.
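The flow described in the comment above, as an added illustration (not the specification text and not any implementation's code): client_associate optionally takes a bearer token and always returns a registration_access_token, client_secret is only issued to confidential clients, and rotate_secret / client_update are authorised by the registration_access_token alone, so the request carries no client_id. The request field client_type and the in-memory store are assumptions made for this example.

```python
"""Toy model of the client_associate / rotate_secret / client_update flow.

Added illustration only. Operation names, registration_access_token and the
optional client_secret come from the thread; the "client_type" request field
("public" or "confidential") and the in-memory store are assumptions.
"""
import hmac
import secrets


class RegistrationError(Exception):
    """Raised when an operation is unknown or the bearer token is missing/invalid."""


class RegistrationEndpoint:
    def __init__(self):
        self._clients = {}   # client_id -> client record
        self._by_token = {}  # registration_access_token -> client record

    def handle(self, request, bearer_token=None):
        op = request.get("operation")
        if op == "client_associate":
            # Bearer token is optional here; a new client is created either way.
            return self._associate(request)
        if op in ("rotate_secret", "client_update"):
            # No client_id in the request: the token identifies the client.
            record = self._authenticate(bearer_token)
            if op == "rotate_secret":
                return self._rotate_secret(record)
            return self._update(record, request)
        raise RegistrationError("unknown operation")

    def _associate(self, request):
        client_type = request.get("client_type", "public")  # assumed field
        record = {
            "client_id": secrets.token_urlsafe(16),
            "client_type": client_type,
            "redirect_uris": list(request.get("redirect_uris", [])),
            "client_secret": None,
            "registration_access_token": None,
        }
        if client_type == "confidential":
            # Only confidential clients are given a symmetric secret.
            record["client_secret"] = secrets.token_urlsafe(32)
        self._clients[record["client_id"]] = record
        return self._issue_token(record)

    def _issue_token(self, record):
        # client_associate and rotate_secret both hand out a fresh token;
        # the previous token (if any) stops working.
        old = record["registration_access_token"]
        if old is not None:
            self._by_token.pop(old, None)
        token = secrets.token_urlsafe(32)
        record["registration_access_token"] = token
        self._by_token[token] = record
        return self._response(record)

    def _response(self, record):
        resp = {
            "client_id": record["client_id"],
            "registration_access_token": record["registration_access_token"],
        }
        # client_secret is OPTIONAL in the response: omitted for public clients.
        if record["client_secret"] is not None:
            resp["client_secret"] = record["client_secret"]
        return resp

    def _authenticate(self, bearer_token):
        if not bearer_token:
            raise RegistrationError("registration_access_token required")
        for token, record in self._by_token.items():
            # Constant-time comparison of the presented bearer token.
            if hmac.compare_digest(token, bearer_token):
                return record
        raise RegistrationError("invalid registration_access_token")

    def _rotate_secret(self, record):
        if record["client_type"] == "confidential":
            record["client_secret"] = secrets.token_urlsafe(32)
        # Rotation also replaces the registration_access_token.
        return self._issue_token(record)

    def _update(self, record, request):
        # client_update keeps the current token; only metadata changes.
        if "redirect_uris" in request:
            record["redirect_uris"] = list(request["redirect_uris"])
        return self._response(record)


def attempt(endpoint, request, bearer_token=None):
    """Return the response, or None if the endpoint rejected the request."""
    try:
        return endpoint.handle(request, bearer_token)
    except RegistrationError:
        return None
```

Running the public and confidential cases side by side shows the two points the thread makes: the public client's response has no client_secret at all, and an update attempted without the registration_access_token (or with a token that has been superseded by rotate_secret) is rejected rather than falling back to client_id plus secret.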
- changed status to resolved
Fixes #632 Added registration_access_token for updating and made client secret optional
Re #632 add registration_access_token to example response
RE #632 removed client_id from the request as it is now implicit in the access token for updates.
We should add some rationale for why a client_secret is present even for public clients.
We should also state that this is a requirement for the server to send a client_secret - not a requirement that the client use it.