Hi all,

a recent query about expiring client credentials (secrets) got me thinking
about the client_secret_expires_at client metadata from RFC 7591, also used
in RFC 7592 as well as in OpenID Connect Dynamic Client Registration 1.0.

*What does an expired client secret (in the sense of client_secret_expires_at
with a non-zero value) mean beyond obviously not processing secret-based
client authentication (basic, post and client_secret_jwt) after the given
timestamp?* *Fingers crossed* I'm hoping for your comments and experience
from existing deployments on the topic to shed some light on this for me
and maybe others too. I also hope this doesn't get lost between the current
BCP/implicit discussions.

This is my best shot at an implementable policy when it comes to clients
with expired client secrets: *"all operations requiring a secret will be
rejected when an expired one is presented"*

   - it is not valid for client secret based endpoint auth (basic, post,
   client secret jwt); the AS will reject with 401 invalid_client in those
   cases
   - it will not be used for validating symmetrically signed request objects
   (JAR); the AS will reject the authorization request with ...?
   - it will not be used by the AS to symmetrically sign id tokens,
   userinfo, introspection or authorization responses (JARM); the AS will
   reject the requests with ...?
   - anything else?

I feel this is a reasonable interpretation, and if so, are there appropriate
errors to return to clients (both front- and back-channel) when an expired
secret is encountered during one of the operations that need it?

Thank you very much for your thoughts and comments.

Best,
Filip
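The policy sketched in the post above, worked through as an added example in Python (not code from the post or from any project). The 401 invalid_client for endpoint authentication comes from the post; the error codes for the JAR and response-signing cases, the operation names, and treating a missing client_secret_expires_at like the RFC 7591 value 0 (never expires) are assumptions made here.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Operations that need the client secret, per the post's list, mapped to the
# error the AS returns and the HTTP status for back-channel rejections.
# None as status means a front-channel (redirect) error at the authorization
# endpoint. Only "invalid_client"/401 is stated in the post; the other codes
# are assumptions (the post leaves them open).
SECRET_BOUND_OPERATIONS = {
    "client_secret_basic": ("invalid_client", 401),
    "client_secret_post": ("invalid_client", 401),
    "client_secret_jwt": ("invalid_client", 401),
    # request object HMAC-signed with the secret (JAR); error code assumed
    "jar_hmac_request_object": ("invalid_request_object", None),
    # AS would have to HMAC-sign id_token / userinfo / JARM with the secret;
    # error code assumed
    "hmac_signed_response": ("invalid_request", None),
}


@dataclass
class Rejection:
    error: str
    http_status: Optional[int]  # 401 for endpoint auth, None for redirect error
    error_description: str


def secret_expired(client: dict, now: Optional[int] = None) -> bool:
    """True when client_secret_expires_at is a positive timestamp at or before
    now. RFC 7591 uses 0 for 'never expires'; a missing value is treated the
    same (assumption). Non-integer values are treated as not expiring."""
    exp = client.get("client_secret_expires_at", 0)
    if not isinstance(exp, int) or exp <= 0:
        return False
    current = now if now is not None else int(time.time())
    return current >= exp


def check_secret_operation(client: dict, operation: str,
                           now: Optional[int] = None) -> Optional[Rejection]:
    """Apply 'all operations requiring a secret are rejected when an expired
    one is presented'. Returns None when the operation may proceed: the secret
    is still valid, or the operation does not need one (private_key_jwt,
    none, asymmetric signing, ...)."""
    if operation not in SECRET_BOUND_OPERATIONS or not secret_expired(client, now):
        return None
    error, status = SECRET_BOUND_OPERATIONS[operation]
    return Rejection(error, status,
                     f"client secret for {client['client_id']} expired at "
                     f"{client['client_secret_expires_at']}")
```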
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
