Registration - Clarify what is allowed for Update
Both in d14 and d15, any parameter seems to be able to be updated. For example, if the tos_url and policy_url were updated, do we not have to ask the user for consent again? If the tos_url, policy_url and contacts were updated, can we still regard it as the same client? (I suspect that, in this case, they should register as a new client.)
Since we are talking about consent, just the fact that the client_id is the same probably would not be good enough to consider it the same client.
This behavior is not defined right now, and I can conceive of an attack by a malicious client.
Comments (6)
- Account Deleted: I think this may be a red herring, since the contents of what's at the tos_url or policy_url can change at any time (as far as the IdP is concerned).
- Account Deleted: To clarify: while the example is a red herring, the semantics of update are currently unclear in both the OIDC and OAuth drafts.
- changed status to on hold
  Placed on hold since this issue is about the Registration Client Update operation and we have removed that operation, per issue #755.
- changed status to open
  This ambiguity was removed by removing the operation.
- changed milestone to Final
- assigned issue to
- changed status to resolved