[OAUTH-WG] CORS and public vs. confidential clients

Bill Burke <bburke@redhat.com> Thu, 27 March 2014 15:53 UTC

Return-Path: <bburke@redhat.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 2EF581A0645 for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 08:53:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id p-YbBgKr8UI6 for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 08:53:04 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com []) by ietfa.amsl.com (Postfix) with ESMTP id 2A0D91A0326 for <oauth@ietf.org>; Thu, 27 Mar 2014 08:53:04 -0700 (PDT)
Received: from int-mx09.intmail.prod.int.phx2.redhat.com (int-mx09.intmail.prod.int.phx2.redhat.com []) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s2RFr2Gc001275 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <oauth@ietf.org>; Thu, 27 Mar 2014 11:53:02 -0400
Received: from [] (vpn-61-120.rdu2.redhat.com []) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s2RFUDcT020340 for <oauth@ietf.org>; Thu, 27 Mar 2014 11:30:13 -0400
Message-ID: <53344407.1050802@redhat.com>
Date: Thu, 27 Mar 2014 11:30:15 -0400
From: Bill Burke <bburke@redhat.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/14wlRfkjMBATfbdoOrQ0zeKNka8
Subject: [OAUTH-WG] CORS and public vs. confidential clients
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Mar 2014 15:53:06 -0000

I'm still trying to wrap my head around the differences between public 
and confidential clients.  In our IDP impl, we check redirect uris and 
associate a lot of private metadata to the access code to ensure there 
is no client_id swapping.  My understanding was that confidential 
clients made sure that only an authenticated client could obtain an 
access token.

What if you throw CORS in the mix where your browser needs the access 
token (and the ability to refresh it) to make cross-domain requests? 
Doesn't this remove a large benefit of confidential clients?

Anybody know a good document that describes the difference and pros/cons 
of public vs. confidential clients beyond the actual OAUTH spec itself?


Bill Burke
JBoss, a division of Red Hat