Re: [OAUTH-WG] treatment of client_id for authentication and identification
Eran Hammer-Lahav <eran@hueniverse.com> Tue, 26 July 2011 18:18 UTC
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 26 Jul 2011 11:17:59 -0700
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] treatment of client_id for authentication and identification
Not exactly. The current setup was pretty stable up to -15. In -16 I tried to clean it up by moving the parameter into each token endpoint type definition. That didn't work and was more confusing, so in -17 I reverted back to the -15 approach. What makes this stand out in -20 is that all the examples now use HTTP Basic instead of the parameters (since we decided to make them NOT RECOMMENDED). So it feels sudden that client_id is gone, but none of this is actually much different from -15 on. Client authentication is still performed the same way, and the role of client_id is just as an alternative to using HTTP Basic on the token endpoint.

I think the current text is sufficient, but if you want to provide specific additions I'm open to it.

EHL

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 26 Jul 2011 10:16:21 -0700
To: Eran Hammer-lahav <eran@hueniverse.com>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] treatment of client_id for authentication and identification

I'm probably somewhat biased by having read previous versions of the spec, previous WG list discussions, and my current AS implementation (which expects client_id), but this seems like a fairly big departure from what was in -16. I'm okay with the change but feel it's worth mentioning that it's likely an incompatible one.

That aside, I feel like it could use some more explanation in draft-ietf-oauth-v2 because, at least to me and hence my question, it wasn't entirely clear how client_id should be used for those cases.

On Mon, Jul 25, 2011 at 4:18 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:

The client_id is currently only defined for password authentication on the token endpoint. If you are using Basic or any other form of authentication (or no authentication at all), you are not going to use the client_id parameter.
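An added example, not code from the thread or from any draft, of a token endpoint accepting the two mechanisms the reply describes, HTTP Basic or the client_id/client_secret parameters, while refusing to mix them. The client registry and its values are constructed; the decoding rules (form-urlencode each part before base64, at most one authentication method per request) are those the final RFC 6749 section 2.3.1 adopted and are assumed here to be the intent of the draft.

```python
import base64
import binascii
import hmac
from urllib.parse import quote, unquote

# Constructed registry for the example: client_id -> client_secret.
CLIENTS = {
    "example-client": "example-secret-do-not-reuse",
    "client-2": "se:cr:et",  # colons must survive the Basic encoding
}


def basic_header(client_id, secret):
    """Build the Authorization value a client sends: urlencode each part, then base64."""
    pair = f"{quote(client_id, safe='')}:{quote(secret, safe='')}".encode()
    return "Basic " + base64.b64encode(pair).decode()


def _from_basic(headers):
    """Return (client_id, secret) from an HTTP Basic header, or None if absent/malformed."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, pw = raw.partition(":")
    return (unquote(user), unquote(pw)) if sep else None


def authenticate_client(headers, form):
    """Return the authenticated client_id, or None.

    Exactly one authentication method may be used. A bare client_id in the body is
    identification only: it is accepted beside Basic only if it names the same client,
    and on its own it does not authenticate (public clients are out of scope here).
    """
    basic = _from_basic(headers)
    body_id, body_secret = form.get("client_id"), form.get("client_secret")
    if basic is not None and body_secret is not None:
        return None  # two authentication methods in one request
    if basic is not None:
        client_id, presented = basic
        if body_id is not None and body_id != client_id:
            return None  # identification parameter contradicts the credentials
    elif body_id is not None and body_secret is not None:
        client_id, presented = body_id, body_secret
    else:
        return None
    expected = CLIENTS.get(client_id)
    if expected is None:
        hmac.compare_digest(presented.encode(), b"x" * 32)  # keep timing similar
        return None
    return client_id if hmac.compare_digest(presented.encode(), expected.encode()) else None
```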