Registration 3.2 - Should Update be able to return an updated client_secret?
Registration currently says "The Authorization Server MUST NOT include the Client Secret or Request Access Token in this response."
John, Vladimir and I believe that an updated client_secret should be able to be returned. Justin disagreed.
If we keep Update (see #755) I think we should allow an updated client_secret.
Comments (4)
Account Deleted My argument was for keeping some kind of rotate_secret functionality. If there's some other way for the client to do that, then the client_secret, registration_access_token, and associated parameters probably MUST be returned along with everything else.
reporter - changed status to on hold
Placed on hold since this issue is about the Registration Client Update operation and we have removed that operation, per issue #755.
reporter - changed status to resolved
Fixed #755 - Removed client update operation. Fixed #751 - Added client read operation. Fixed #749 - Added "registration_access_url". Fixed #756 - State that an updated "client_secret" value can be returned by a read operation. → <<cset 62fea9ed07e0>>
Seems like an updated client_secret should be able to be returned now that the rotate secret operation is gone.