Registration - Add Configuration Read
There is a question about whether the server is allowed to change the currently registered values. It is not clear from the current text. It needs to be clarified. (#753)
Now, if it is (and I suspect yes, for some security reasons etc.), the client needs to have a way to read the current setting. This is the Client Read.
Proposal:
Add the following: (copied from my Discussion Draft)
4. Client Read
The client may request the client URL at the server to obtain the current registered values about the client. To do so, the client sends the HTTP GET request to the client URL.
4.1. Client Read Request
The client sends the HTTP GET request to the client_url.
Following is a non-normative example request (with line wraps for display purposes only):
GET /clients/s6BhdRkqt3 HTTP/1.1
Host: server.example.com
Authorization: Bearer this.is.an.access.token.value.ffx83
4.2. Client Read Response
Upon successful request, the server returns the currently registered metadata about this client, except the Client Secret or Request Access Token.
Following is a non-normative example response:
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store

{
  "_links": {
    "self": {
      "href": "https://server.example.com/clients/s6BhdRkqt3"
    }
  },
  "client_id": "s6BhdRkqt3",
  "client_secret": "cf136dc3c1fd9153029bb9c6cc9ecead918bad9887fce6c93f31185e5885805d",
  "registration_access_token": "this.is.an.access.token.value.ffx83",
  "token_endpoint_auth_method": "client_secret_basic",
  "expires_at": 2893276800,
  "application_type": "web",
  "redirect_uris": "https://client.example.org/callback https://client.example.org/callback2",
  "client_name": "My Example",
  "client_name#ja-Jpan-JP": "クライアント名",
  "logo_url": "https://client.example.org/logo.png",
  "subject_type": "pairwise",
  "sector_identifier_url": "https://othercompany.com/file_of_redirect_uris.json",
  "jwk_url": "https://client.example.org/my_rsa_public_key.jwk",
  "userinfo_encrypted_response_alg": "RSA1_5",
  "userinfo_encrypted_response_enc": "A128CBC+HS256"
}
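The following sketch is an added example, not part of the issue or of the draft text. It shows how a server might authorize the Client Read request above and how a client might pick up a changed client_secret from the response. The in-memory registry, the function names and the 401/405 status choices are assumptions; the field names come from the example response.

```python
import hmac
import json

# Constructed registry keyed by client URL path; fields mirror the example response.
REGISTRY = {
    "/clients/s6BhdRkqt3": {
        "client_id": "s6BhdRkqt3",
        "client_secret": "constructed-rotated-secret",
        "registration_access_token": "this.is.an.access.token.value.ffx83",
        "expires_at": 2893276800,
    }
}


def handle_client_read(method, path, headers):
    """Hypothetical server handler: returns (status, headers, body)."""
    if method != "GET":
        return 405, {"Allow": "GET"}, ""
    record = REGISTRY.get(path)
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    # Compare against a dummy value for unknown clients so both failure paths
    # do the same work, and compare in constant time rather than with ==.
    expected = record["registration_access_token"] if record else "\0"
    token_ok = hmac.compare_digest(token.encode(), expected.encode())
    if scheme.lower() != "bearer" or record is None or not token_ok:
        # Same answer for an unknown client and a bad token, so the endpoint
        # cannot be used to enumerate registered client URLs.
        return 401, {"WWW-Authenticate": "Bearer", "Cache-Control": "no-store"}, ""
    # The body carries a secret, so it must never be cached.
    out = {"Content-Type": "application/json", "Cache-Control": "no-store"}
    return 200, out, json.dumps(record)


def pick_up_rotated_secret(stored, status, body):
    """Hypothetical client step: returns (updated config, secret_changed)."""
    if status != 200:
        return stored, False
    current = json.loads(body)
    if current.get("client_id") != stored["client_id"]:
        raise ValueError("response is for a different client")
    rotated = not hmac.compare_digest(
        current["client_secret"].encode(), stored["client_secret"].encode())
    return {**stored, **current}, rotated
```
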
Comments (7)
-
reporter -
reporter - changed title to Registration - Add Configuration Read
- edited description
-
reporter - edited description
-
I don't believe that this is a necessary operation. There are two other ways already for clients to provide update parameters - remembering the initial ones or remembering the results of the initial registration.
Also, this is only there to support Update, which per #755, we may decide to delete.
-
Account Deleted
Without rotate_secret, Read, or Update, how will a client be told of a new client secret? Since they can still expire, we need some way to communicate that to the client without requiring a re-registration.
I'm actually thinking that the Read operation will do so cleanly.
-
- changed milestone to Implementer's Draft
-
assigned issue to
We will add this so that new client secrets can be retrieved when old ones expire.
-
- changed status to resolved
Fixed #755 - Removed client update operation.
Fixed #751 - Added client read operation.
Fixed #749 - Added "registration_access_url".
Fixed #756 - State that an updated "client_secret" value can be returned by a read operation.
→ <<cset 62fea9ed07e0>>