Registration - Clarify whether server is allowed to change the registered values

Issue #753 resolved
Nat Sakimura
created an issue

It is not clear from the current text whether the server is allowed to change the registration value for one reason or another.

If there is some kind of security incident, it is likely that the server needs to change the value. If this is to be accommodated, the text should say that it MAY do so.

Comments (5)

  1. Justin Richer

    My read (and how I've tried to word the OAuth DynReg text) is that the server is allowed to change the registered values from what the client requested, since a client could potentially ask for a "bad" value that the server can correct programmatically. A server could also inject a "default" value for something that the client doesn't otherwise specify, and we already have some normative language for this around token_endpoint_auth_method.

    The other question is whether a server could change the value for a client in between it reading/updating things. I think that this is a classic cache consistency problem, and that the server should be considered the gold source of the data at all times. This is one reason that I believe #751 is important.

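An added example, not code from this tracker, from the OpenID Connect or OAuth registration specs, or from Justin's draft text, modelling the two behaviours described in the comment above: a registration endpoint that injects defaults for omitted fields, programmatically corrects "bad" requested values, and rejects what it cannot correct; and a client that replaces its cached copy wholesale with whatever the server returns, treating the server as the gold source. The policy constants, function names and rejection rules are assumptions made for illustration; the default of client_secret_basic for token_endpoint_auth_method is the one the specs give.

```python
"""Added example, not code from the OpenID issue tracker or the registration
specs: a toy Dynamic Client Registration endpoint that treats the client's
request as a proposal the server may adjust, plus a client that treats the
server's answer as authoritative. Policy constants are assumptions."""

import copy
import secrets

# Server policy: assumed for this example, not taken from the spec.
SUPPORTED_AUTH_METHODS = {"client_secret_basic", "client_secret_post",
                          "private_key_jwt", "none"}
SUPPORTED_GRANT_TYPES = {"authorization_code", "refresh_token",
                         "client_credentials"}
SUPPORTED_RESPONSE_TYPES = {"code"}
MAX_CLIENT_NAME_LEN = 64


class RegistrationError(ValueError):
    """A requested value the server cannot fix programmatically; a real
    endpoint would answer with an error such as invalid_client_metadata."""


def normalize_registration(requested):
    """Return the metadata the server actually registers for `requested`.

    The server, not the client, has the last word: omitted fields get the
    server's defaults, fixable "bad" values are corrected, and values that
    cannot be corrected make the whole registration fail.
    """
    meta = copy.deepcopy(requested)  # never mutate the caller's request

    # 1. Inject defaults for things the client did not specify. These three
    #    defaults are the ones the registration specs themselves give.
    meta.setdefault("token_endpoint_auth_method", "client_secret_basic")
    meta.setdefault("grant_types", ["authorization_code"])
    meta.setdefault("response_types", ["code"])

    # 2. Correct what can be corrected rather than rejecting outright.
    #    Unsupported grant/response types are dropped; an over-long display
    #    name is truncated; a public client (auth method "none") asking for
    #    client_credentials loses that grant, since RFC 6749 restricts it to
    #    confidential clients.
    grants = [g for g in meta["grant_types"] if g in SUPPORTED_GRANT_TYPES]
    if meta["token_endpoint_auth_method"] == "none":
        grants = [g for g in grants if g != "client_credentials"]
    meta["grant_types"] = grants or ["authorization_code"]
    meta["response_types"] = ([r for r in meta["response_types"]
                               if r in SUPPORTED_RESPONSE_TYPES] or ["code"])
    if len(meta.get("client_name", "")) > MAX_CLIENT_NAME_LEN:
        meta["client_name"] = meta["client_name"][:MAX_CLIENT_NAME_LEN]

    # 3. Reject what cannot be corrected.
    if meta["token_endpoint_auth_method"] not in SUPPORTED_AUTH_METHODS:
        raise RegistrationError(
            "invalid_client_metadata: token_endpoint_auth_method")
    uris = meta.get("redirect_uris", [])
    if "authorization_code" in meta["grant_types"] and not uris:
        raise RegistrationError("invalid_redirect_uri: none supplied")
    for uri in uris:
        # RFC 6749 s3.1.2 forbids a fragment in the redirection URI; the
        # https-only rule is this example server's assumed policy.
        if "#" in uri or not uri.startswith("https://"):
            raise RegistrationError("invalid_redirect_uri: " + uri)

    # 4. Server-issued values the client never chooses.
    meta["client_id"] = secrets.token_urlsafe(16)
    if meta["token_endpoint_auth_method"] in ("client_secret_basic",
                                              "client_secret_post"):
        meta["client_secret"] = secrets.token_urlsafe(32)
    return meta


class ClientConfigCache:
    """The client's copy of its registration. Every read or update response
    from the server replaces the copy wholesale; the client never merges its
    own wishes back in, because the server is the gold source."""

    def __init__(self):
        self.metadata = {}

    def apply_server_response(self, response):
        self.metadata = copy.deepcopy(response)

    def value(self, key):
        return self.metadata.get(key)


def demo():
    """Register a client whose request needs defaulting and correcting, and
    show that what the client ends up using is the server's version."""
    requested = {  # constructed sample request, not from the tracker
        "redirect_uris": ["https://app.example/cb"],
        "grant_types": ["authorization_code", "implicit", "refresh_token"],
        "client_name": "x" * 200,
    }
    registered = normalize_registration(requested)
    cache = ClientConfigCache()
    cache.apply_server_response(registered)
    return requested, registered, cache


if __name__ == "__main__":
    req, reg, cache = demo()
    print("requested grant_types :", req["grant_types"])
    print("registered grant_types:", cache.value("grant_types"))
    print("auth method in effect :", cache.value("token_endpoint_auth_method"))
```

The split between "correct" and "reject" is the design decision the issue is really about: the server is free to substitute values (the unsupported `implicit` grant is silently dropped, the omitted auth method becomes client_secret_basic), but a client that only keeps its own request, rather than the response, would believe it had registered something different from what the server will enforce. Reading the server's copy back and overwriting the local one is what keeps the two in step after the server changes a value on its own, for example during an incident.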