IETF Logo Mail Archive

Re: [OAUTH-WG] Client Authentication Method at Device Authorization Endpoint

Takahiko Kawasaki <taka@authlete.com> Tue, 04 June 2019 06:11 UTC

Return-Path: <taka@authlete.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B767A1200F1 for <oauth@ietfa.amsl.com>; Mon, 3 Jun 2019 23:11:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=authlete-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8X_-u1bd_YYf for <oauth@ietfa.amsl.com>; Mon, 3 Jun 2019 23:11:22 -0700 (PDT)
Received: from mail-pl1-x62a.google.com (mail-pl1-x62a.google.com [IPv6:2607:f8b0:4864:20::62a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0179A1200A4 for <oauth@ietf.org>; Mon, 3 Jun 2019 23:11:21 -0700 (PDT)
Received: by mail-pl1-x62a.google.com with SMTP id p1so7905960plo.2 for <oauth@ietf.org>; Mon, 03 Jun 2019 23:11:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=authlete-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=aV2TSLlaXz+efC4yn8hLpWhAuwMD6vPp/Wg4zJso6cc=; b=SVR0zfHCAqNhpXAeGYlLuyGNkRVNLMhqMrWLcmAYWGdttjBFsLpeZLGBmIRLfXv6a1 M5bEG4/nGVEv6JLx1FLc7wjRPMa4sugqiwPFDU28kAgid9txZAS7qasJzQBifkL5upn7 I/bEbJVu40BqMTmz/L+wtY8UhuAXn58CtvEy+CQT1ZMmiu6q/9P8Ec/l6oKnCYKvhfY3 RsQ5TlFyOL2ZflLoDHEwXHGt6JtgDL4vX8vgu0cpKzuxuwBEIkOy0pKFiWlBVcoIngmE /pdBq7A1CCYR8F6qDuibDkICa1oTttB94Wgv1B63bdMAnN+Mjg8pmgF6oXafptEOkhgv J4Vw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=aV2TSLlaXz+efC4yn8hLpWhAuwMD6vPp/Wg4zJso6cc=; b=osccX4rrE0ZY44gQq66gw4LDsxSfZro45iA/Dsf1gzojcwbJBVfafMvoEcrNcYgW78 hLd+sB4s8sC13h4MHT9yDIO+Zu/6EKB2nesmEIpKCQcCnrF5aejEPFuSrp5W9T6eTW98 t+PVpnR5a4+QTVZYMxDj/64297fP9md/eXN6fMrpGgnVRAlTnjoqMDlEQ+YZglufwoiL 1X56lsBzef3VycmFSPJX3b3DVeFHm+zcvHLL2gxlVk833xRp6xgzoeb/A2qtmdNvb3JF h3/p1xWQfB6SK6rNaBLCvCbi9oJxPMavbCR7/r9HArTDq5rwiwFfSN0shGbT8F59SsIF hNyw==
X-Gm-Message-State: APjAAAWzl+VG5vw2N8A2sjuTjTFadrZp2VjoIPWXsKW1XtQ+mvkWT+NG F+OFOEmrj7/rfGwjOyBC9mQMKHrjCTcB92rToNn7/w==
X-Google-Smtp-Source: APXvYqxPXyakdw2hugEp9nocOvPK97lC6KgASwH6ezweIukNXgw+1gnUQP+swQ4imQea/3pThgc/8ZRxGMooBkCTtT0=
X-Received: by 2002:a17:902:968b:: with SMTP id n11mr707342plp.120.1559628681398; Mon, 03 Jun 2019 23:11:21 -0700 (PDT)
MIME-Version: 1.0
References: <CAHdPCmP7_zf70aWkzOu=JwNQojHewJ7TSAHnQgZhVf8CabZjMQ@mail.gmail.com> <17783579-0738-4F20-985E-6A6EDF847FC8@gmail.com>
In-Reply-To: <17783579-0738-4F20-985E-6A6EDF847FC8@gmail.com>
From: Takahiko Kawasaki <taka@authlete.com>
Date: Tue, 04 Jun 2019 15:11:10 +0900
Message-ID: <CAHdPCmP1baDJ+z=c4fCC0gzTqb66rio8nFM7odnKHRZAD=u=Jg@mail.gmail.com>
To: Filip Skokan <panva.ip@gmail.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000089610a058a79599a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3stnvfSwx7jQB73KvbZexdMsCJI>
Subject: Re: [OAUTH-WG] Client Authentication Method at Device Authorization Endpoint
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jun 2019 06:11:25 -0000

Dear Filip,

Thank you for your comment. Historically, metadata related to client
authentication methods have been defined for each endpoint such as token
endpoint, introspection endpoint and revocation endpoint. When defining the
CIBA specification, we discussed whether to define a new metadata for
client authentication methods for the backchannel authentication endpoint.
The final decision is "not define but reuse metadata defined for token
endpoint". See Issue 102 "CIBA: Metadata for client auth at backchannel
endpoint" <https://bitbucket.org/openid/mobile/issues/102> of MODRNA WG for
details. This is the reason the CIBA specification explicitly says as
follows:


*The token_endpoint_auth_method indicates the registered authentication
method for the client to use when making direct requests to the OP,
including requests to both the token endpoint and the backchannel
authentication endpoint.*

What I'm asking is whether to (1) allow authorization server
implementations to auto-detect the client authentication method used by a
device authorization request at runtime based on request parameters such as
(a) client_id & client_secret (client_secret_post), (b) client_assertion &
client_assertion_type (client_secret_jwt or private_key_jwt), (c)
Authorization header (client_secret_basic) or (d) a client certificate
(tls_client_auth or self_signed_tls_client_auth), or (2) use the
pre-configured client authentication method only and reject/ignore other
client authentication methods. For the latter case, one more point is
whether to (1) define a new metadata that represents the client
authentication method at the device authorization endpoint or (2) reuse the
existing metadata defined for the token endpoint.

Best Regards,
Takahiko Kawasaki

2019年6月4日(火) 14:33 Filip Skokan <panva.ip@gmail.com>:

> Hello Takahiko,
>
> Such language already exists in second to last paragraph of section 3.1.
> Like with CIBA the client’s regular token endpoint auth method is used at
> the device authorization endpoint.
>
> > The client authentication requirements of Section 3.2.1 of [RFC6749] <https://tools.ietf.org/html/rfc6749#section-3.2.1>
>    apply to requests on this endpoint, which means that confidential
>    clients (those that have established client credentials) authenticate
>    in the same manner as when making requests to the token endpoint, and
>    public clients provide the "client_id" parameter to identify
>    themselves.
>
>
> Odesláno z iPhonu
>
> 4. 6. 2019 v 4:10, Takahiko Kawasaki <taka@authlete.com>:
>
> Hello,
>
> Do you have any plan to define a rule as to which client authentication
> method should be used at the device authorization endpoint (which is
> defined in OAuth 2.0 Device Authorization Grant
> <https://datatracker..ietf.org/doc/draft-ietf-oauth-device-flow/?include_text=1>
> )?
>
> Section 4 of CIBA
> <https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html>,
> which has incorporated some ideas/rules/parameters from Device Flow, says
> as follows.
>
>
> *The token_endpoint_auth_method indicates the registered authentication
> method for the client to use when making direct requests to the OP,
> including requests to both the token endpoint and the backchannel
> authentication endpoint.*
>
> This means that a backchannel authentication endpoint in CIBA (which
> corresponds to a device authorization endpoint in Device Flow) performs
> client authentication using the client authentication method specified by
> the token_endpoint_auth_method metadata of the client.
>
> I'd like to know if you have any plan to explicitly add a description like
> above into the specification of OAuth 2.0 Device Authorization Grant.
>
> Best Regards,
> Takahiko Kawasaki
> Authlete, Inc.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.23.0 | Report a Bug | By Email