On Mon, Jun 6, 2016 at 1:33 AM, Prabath Siriwardana
wrote:
> Yes.. We need to have it...
Created a public JIRA to track this
https://wso2.org/jira/browse/IDENTITY-4666
> Since we are now talking about client id and client secret - can we also
> make the app authentication
Aren't we discussing two requirements?
1. Allow to register applications with user given client id/secret
2. Allow the client id/secret to be changed.
While changing client id has complications highlighted above, (1) also has
some challenges. Currently we assume the client id is unique
Hi All,
On Fri, Jun 3, 2016 at 5:46 PM, Prabath Siriwardana
wrote:
>
>
> On Thu, Jun 2, 2016 at 10:30 PM, Indunil Upeksha Rathnayake <
> indu...@wso2.com> wrote:
>
>> Hi,
>> I am working on implementing regeneration of client secret/key of an
>> oauth app and revocation of an
On Thu, Jun 2, 2016 at 10:30 PM, Indunil Upeksha Rathnayake <
indu...@wso2.com> wrote:
> Hi,
> I am working on implementing regeneration of client secret/key of an oauth
> app and revocation of an oauth app for the next milestone release of
> Identity Server. Appreciate your feedback on the
Hi Indunil,
Are we talking about three things here?
*i. Regenerate Client Secret*
*ii. Regenerate Consumer Key*
*iii. Revoking an oauth app*
Specification [1] talks about revoking client secret more like revoking
oauth app. In order to use same consumer key again regenerating client
secret is
On Fri, Jun 3, 2016 at 11:51 AM, Farasath Ahamed wrote:
> compromised
Yes, it is like when the user wants to change the user name also, with or
without changing the password. So in that case we have to create a new
account instead of letting them change the user name.
*Harsha
Hi,
Since client_id is simply an identifier for the OAuth application, is it
really required to regenerate the client_id when the client_secret is
compromised?
Isn't it similar to a situation where we are changing our username and
password because our password was compromised?
Farasath
Hi Farasath,
In that case, we have to create a new application if someone wants to
reset the consumer key. That will not be a good experience for the user, and
the specification is also not specifically saying that we should revoke only
the consumer key or both.
An authorization server may revoke a client's
Hi Indunil,
What are the guidelines given by the OAuth 2.0 specification regarding the
$subject? As stated by @Farzath, I think even Twitter does the same thing.
Thanks,
Kasun.
On Fri, Jun 3, 2016 at 11:11 AM, Farasath Ahamed wrote:
> Hi Indunil,
>
> In a case of
Hi Indunil,
In a case of client_secret being revealed wouldn't it be sufficient only to
regenerate the client_key without regenerating the consumer key? In Google
API console I have noticed that you only have the option to reset the
client secret of an OAuth application. If you want to regenerate
Hi,
I am working on [1] for implementing regeneration of client secret/key of
an oauth app and revocation of an oauth app for the next milestone release
of Identity Server. Appreciate your feedback on the following approaches I
have taken.
A trusted client would need to update the client
Hi,
I am working on implementing regeneration of client secret/key of an oauth
app and revocation of an oauth app for the next milestone release of
Identity Server. Appreciate your feedback on the following approaches I
have taken.
A trusted client would need to update the client secret/key, in