[Technical_wg] Expiration of Client-Accounts at DENIC-Authority
sanz at denic.de
Fri May 17 12:31:34 UTC 2019
Today it looks like a good day to discuss:
In our DENIC-ID deployment, Login-Partner (aka RPs or Clients)
registrations are open to everyone and not limited in their lifetime. We're
over 1.4K+ registrations since launch. Unfortunately, it looks like many
of these are test accounts and some of the registrations are even
duplicated hundreds of times. This is not necessarily malice, it may be
carelessness or even misinterpretation of the documentation, which
suggests RPs should register at an Authority during the login workflow
*only if* they haven't dealt with that Authority before.
Whatever the cause might be, we are considering letting client accounts
expire. Since we were anyway planning to enforce client secret expiration,
we are considering proceeding as follows:
a) Activate client secret expiration for new clients and set it to
something like 6 months. The client registration interface will return the
expiration time of the secret in the field client_secret_expires_at
(seconds since Epoch). At the moment, we return the value 0 (no expire).
b) Delete clients that do not renew their secrets before their expiration.
c) Activate automatic refreshing of client secret with each client
d) We still should decide what to do those legacy clients with
I'd love to hear your thoughts/experiences about this.
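As an added illustration of the policy sketched in steps a) to c) above (example code written for this page, not DENIC's registry implementation; the ClientRegistry class, its method names and the 183-day lifetime are assumptions), this registry issues new clients a client_secret_expires_at about six months out instead of 0, lets a client rotate its secret before expiry, and purges clients whose secret has lapsed while leaving legacy clients that still carry 0 (no expiry) untouched:

```python
"""Client-secret expiry policy for an OAuth/OpenID dynamic-client registry.

Assumed example, not DENIC's code: data model, names and the lifetime
constant are choices made for this illustration.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

SECRET_LIFETIME_SECONDS = 183 * 24 * 3600  # roughly six months (assumed)
NO_EXPIRY = 0  # client_secret_expires_at == 0 means "does not expire"


@dataclass
class Client:
    client_id: str
    secret_hash: str               # only a hash of the secret is stored
    client_secret_expires_at: int  # seconds since Epoch, 0 = never


class ClientRegistry:
    """Minimal registry showing registration, secret refresh and expiry purge."""

    def __init__(self) -> None:
        self.clients: Dict[str, Client] = {}

    @staticmethod
    def _hash(secret: str) -> str:
        return hashlib.sha256(secret.encode("utf-8")).hexdigest()

    def register(self, now: int) -> dict:
        """Step a): new clients get an expiring secret; plaintext is returned once."""
        client_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        expires_at = now + SECRET_LIFETIME_SECONDS
        self.clients[client_id] = Client(client_id, self._hash(secret), expires_at)
        return {
            "client_id": client_id,
            "client_secret": secret,
            "client_secret_expires_at": expires_at,
        }

    def refresh_secret(self, client_id: str, presented_secret: str,
                       now: int) -> Optional[dict]:
        """Step c): a client proves the current secret and receives a fresh one.

        Returns None if the client is unknown, the secret is wrong, or the
        secret has already expired (an expired client must re-register).
        """
        client = self.clients.get(client_id)
        if client is None:
            return None
        if not secrets.compare_digest(client.secret_hash,
                                      self._hash(presented_secret)):
            return None
        if (client.client_secret_expires_at != NO_EXPIRY
                and now >= client.client_secret_expires_at):
            return None
        new_secret = secrets.token_urlsafe(32)
        client.secret_hash = self._hash(new_secret)
        client.client_secret_expires_at = now + SECRET_LIFETIME_SECONDS
        return {
            "client_id": client_id,
            "client_secret": new_secret,
            "client_secret_expires_at": client.client_secret_expires_at,
        }

    def purge_expired(self, now: int) -> List[str]:
        """Step b): delete clients whose secret lapsed; 0 (no expiry) is skipped."""
        expired = [cid for cid, c in self.clients.items()
                   if c.client_secret_expires_at != NO_EXPIRY
                   and c.client_secret_expires_at <= now]
        for cid in expired:
            del self.clients[cid]
        return expired

    def legacy_clients(self) -> List[str]:
        """Step d) input: clients still registered with no expiry at all."""
        return [cid for cid, c in self.clients.items()
                if c.client_secret_expires_at == NO_EXPIRY]


if __name__ == "__main__":
    reg = ClientRegistry()
    resp = reg.register(now=1_000_000)
    print("registered", resp["client_id"],
          "expires at", resp["client_secret_expires_at"])
    print("purged after expiry:",
          reg.purge_expired(now=resp["client_secret_expires_at"]))
```

The refresh path rejects an already-expired secret on purpose: once the secret has lapsed, the account is a candidate for deletion and the partner must register again rather than revive it, which is what keeps abandoned test registrations from lingering.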