Closed tlodderstedt closed 2 years ago
Text proposal
Every client is identified in the context of an authorization server by a client identifier -- a unique string representing the registration information provided by the client. The authorization server may itself issue the client identifier; it may also serve clients whose client identifier was issued by a trusted third party. The client identifier is not a secret; it is exposed to the resource owner and MUST NOT be used alone for client authentication. The client identifier is unique in the context of an authorization server.
This was added in c56d23b9f97ef4f58db5a10e8dd2bfee6540aa02
The spec text is too strict - client ids must be unique within the context of an AS. However, there is no need to require client ids always to be issued by the authorization server. In a federation, the client id might be issued by a trusted third party (see https://openid.net/specs/openid-connect-federation-1_0.html). I could also imagine allowing clients to determine their own client ids (need to check this against the client-impersonating-resource-owner attack).
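The proposed text pins down two rules an authorization server has to enforce regardless of who minted the identifier: the client id is unique within that AS, and the client id on its own never authenticates a client. The following is an added example, not code from this issue, the OAuth 2.1 draft, or the OpenID Federation spec. It sketches a hypothetical client registry that accepts both AS-issued and third-party-issued identifiers, rejects a second registration of the same id from any issuer, and refuses to treat a bare client id (or a public client) as authenticated. The class and method names, the issuer URL and the `"self"` issuer marker are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Client:
    client_id: str
    issuer: str                   # "self" if this AS issued the id, else the trusted third party
    secret_hash: Optional[bytes]  # None => public client; it cannot authenticate on its own


def _hash_secret(secret: str) -> bytes:
    # Demo only: a production AS would use a slow, salted password hash here.
    return hashlib.sha256(secret.encode("utf-8")).digest()


class ClientRegistry:
    """Client store for one authorization server (hypothetical API, not from any spec)."""

    def __init__(self, trusted_issuers: Set[str]) -> None:
        self._clients: Dict[str, Client] = {}
        self._trusted_issuers = set(trusted_issuers)

    def _add(self, client: Client) -> Client:
        # Rule 1: the identifier is unique in the context of this AS, whoever issued it.
        if client.client_id in self._clients:
            raise ValueError(f"client_id already registered: {client.client_id}")
        self._clients[client.client_id] = client
        return client

    def register_local(self, secret: Optional[str] = None) -> Client:
        # The AS issues the identifier itself and retries until it picks an unused one.
        while True:
            cid = secrets.token_urlsafe(16)
            if cid not in self._clients:
                break
        return self._add(Client(cid, "self", _hash_secret(secret) if secret else None))

    def register_federated(self, client_id: str, issuer: str,
                           secret: Optional[str] = None) -> Client:
        # Identifier issued by a trusted third party (e.g. a federation operator);
        # the AS only has to check that it does not collide with anything it already knows.
        if issuer not in self._trusted_issuers:
            raise ValueError(f"untrusted issuer: {issuer}")
        return self._add(Client(client_id, issuer, _hash_secret(secret) if secret else None))

    def lookup(self, client_id: str) -> Optional[Client]:
        return self._clients.get(client_id)

    def authenticate(self, client_id: str, client_secret: Optional[str] = None) -> bool:
        # Rule 2: the client_id alone never authenticates; it is public knowledge.
        # Only a confidential client presenting its secret is authenticated.
        client = self._clients.get(client_id)
        if client is None or client.secret_hash is None or client_secret is None:
            return False
        return hmac.compare_digest(client.secret_hash, _hash_secret(client_secret))


if __name__ == "__main__":
    # Constructed walk-through with a made-up federation issuer.
    reg = ClientRegistry(trusted_issuers={"https://federation.example"})
    conf = reg.register_local(secret="s3cret")
    print("confidential client, secret  :", reg.authenticate(conf.client_id, "s3cret"))
    print("confidential client, id only :", reg.authenticate(conf.client_id))
    fed = reg.register_federated("https://rp.example/client", "https://federation.example")
    print("federated public client, id  :", reg.authenticate(fed.client_id))
    try:
        reg.register_federated("https://rp.example/client", "https://federation.example")
    except ValueError as e:
        print("duplicate rejected           :", e)
```

Note that `register_federated` does not try to verify the third party's issuance (in OpenID Federation that would be a trust-chain check); the point here is only that uniqueness is enforced at the AS regardless of issuer, and that authentication never succeeds on the identifier by itself.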