Re: [OAUTH-WG] rfc6749 question about the optional use of the client_id in the request body

Nat Sakimura <> Fri, 26 January 2018 00:16 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 60A7C12D810 for <>; Thu, 25 Jan 2018 16:16:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Efd4rD-emP0a for <>; Thu, 25 Jan 2018 16:16:33 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4001:c0b::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4CD3412D7F0 for <>; Thu, 25 Jan 2018 16:16:33 -0800 (PST)
Received: by with SMTP id p139so120961itb.1 for <>; Thu, 25 Jan 2018 16:16:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=COWXwshrMrc38BOUJAAWcGXY1NwAu/kIMVbogoOkXhM=; b=nB16cWT95wUyInp+7LeEY3isU4siRD2HDcYTGUffJuQ8DMrV7ogfDwxCA58thI5iNa kJx6HdkF7ZYb4vg9OsSvyE1f1GlurTR5F3o2Gt6VpSub2hD6m2yXHCLInnYT4ykPIoGs Rq+XLVf4FBtP0/KnCua2A9CoVExkCC2Cfse2XLDpPb0czepsBoKEfNTYnZnIzY9wh4Gr JQe+EhleFF2SP88Yf2E9s9xV39ZTjD39fX85zKDavK5nVS/RfMXeCrcfZvtQUJiF5QkR Fke3WRxew6bIPxOCOBCWUs8d6T8oqFlSLFRKQWDUqhHfuXYwqoZpgHkMlLpQuIINyq1i qakw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=COWXwshrMrc38BOUJAAWcGXY1NwAu/kIMVbogoOkXhM=; b=t68SwTJ+jh4QgNKspvSerwa4euYOtR20L9i+XaQdFA8b4sASK/fydJtGY/2a7DJMHV 530aJxPtKDXB4wSlIOtHpAsCGvik0Yhr/7VvUNNuOpSi4rvE34n9Qwz2ERHJrU2wc6IA Fycvy215dqbdINxbbaPjVPoAbngPoQwLKw9RnzoAvei1GOMd5NoZn0eRL013S7pnYLg3 O3BMF6JXQfDk53sNGTpOuyek7qyhLP/cKZhJUXH/oGe60gezT9LB8bV830OIont+Av5z nqnt6aRXpFc1hyxjLar3woCuVB3mEtZa+Tfdaom2MuQBqzGpTcL5MYrlkA7B0rvnQRZW ee7Q==
X-Gm-Message-State: AKwxytcBrPEspqj6qFqocQBARrmF2b7ufgMcxaanDlTeWgREh+1XF6Tm UhJiBnLoPRqdgEJAit4MJfgoNm4SM/F7XbpBX9U=
X-Google-Smtp-Source: AH8x224f7rMOfBZTS3etkRN+ndxjTbwpU74awfmPxDyxEGqi0U3vuQ+L0ZJmwaNDcIWicMJPFc8z2612a2SKt1oH37I=
X-Received: by with SMTP id i199mr14522845ite.81.1516925791991; Thu, 25 Jan 2018 16:16:31 -0800 (PST)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Nat Sakimura <>
Date: Fri, 26 Jan 2018 00:16:20 +0000
Message-ID: <>
To: Brian Campbell <>
Cc: Tom Van Oppens <>, oauth <>
Content-Type: multipart/alternative; boundary="94eb2c07d5f4fb7dab0563a2ce9a"
Archived-At: <>
Subject: Re: [OAUTH-WG] rfc6749 question about the optional use of the client_id in the request body
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 26 Jan 2018 00:16:36 -0000

+1 to Brian.

I would like to point out that listing the participant in the protocol
message and the authentication of the message sender is an entirely
different thing. I see no problems in duplicating client_id in body and
header. Of course, they have to match and must fail the authentication if
they do not, but this should not be a problem. In fact, it may even be
desirable for the message body to have self-contained references to the
participants in the authentication protocol as shown in [1]. In such a
case, it will necessarily duplicate in case of the basic authentication.

[1] Basin, D., Cremers, C., Meier, S.: Provably Repairing the ISO/IEC 9798
Standard for Entity Authentication. Journal of Computer Security - Security
and Trust Principles archive Volume 21 Issue 6, 817-846 (2013)


Nat Sakimura

On Thu, Jan 25, 2018 at 11:28 PM Brian Campbell <>

> Hi Tom,
> Indeed RFC 6749 is not well written with respect to this situation and
> unfortunately leaves some room for varied interpretations. However, in my
> own not entirely uninformed view having worked on this stuff for awhile
> now, it is erroneous to interpret the presence of the client_id parameter
> in the request body as client_secret_post authentication when there is no
> corresponding client_secret parameter. As you alluded to, there are other
> types of client authentication that explicitly allow (JWT
> <>, SAML
> <>, and their base spec
> <>) or require (MTLS
> <>) the client_id
> parameter and the OIDC core spec even has an example of the client_id
> parameter in the body
> <>
> when doing JWT client auth. If client_id with no client_secret in the
> request body actually implies client_secret_post, then those RFCs (one soon
> to be RFC) and OIDF standards are all contradicting OAuth 2.0 /RFC 6749.
> Those supplementary standards as well as widespread
> implementations/deployments in practice should, I believe, be considered
> more authoritative than one particular implementation's problematic (in
> terms of interoperability) interpretation of a not particularly well
> written area of the OAuth spec.
> The problematic text from
> says that "the client
> MAY omit the [client_secret] parameter if the client secret is an empty
> string" so it would only really be reasonable for an AS to reject a request
> as having two client authentication methods in the case that it issued a
> client the empty string as a client secret (not a public client but a
> client with an empty string as its actual secret), which should never
> happen in practice, and that client sent both a basic authorization header
> without a password and a client_id without a client_secret in the body.
> That's one way to read it anyway. And regardless that text in Sec 2.3.1 is
> problematic and should probably be updated with an errata on RFC 6749 to
> get rid of the text about empty string password and just state that the
> client_secret parameter is required when doing client_secret_post
> authentication. Unfortunately the errata often get overlooked but it'd
> still be good to have that fixed somewhere and a published RFC can't be
> changed so errata is the only real option to document the actual intent of
> the original specification.
> The presence of the client_secret parameter should be the only thing that
> implies client_secret_post authentication.
> If a client_id parameter is present in conjunction with some client
> authentication mechanism, then both must refer to the same client.
> On Wed, Jan 24, 2018 at 3:19 AM, Tom Van Oppens <
> > wrote:
>> Dear Oauth Mailing List
>> After some discussion i had i wanted to ask you for some guidance.
>> For the following request
>> *request_uri*
>> * request_method*
>> * request_headers*
>> {"Accept":"application/json","Authorization":"Basic
>> bWFnaWNpZDpwb3RhdG9zZWNyZXQ=","Content-Type":"application/x-www-form-urlencoded","Content-Length":"91"}
>> * request_body*
>> grant_type=client_credentials&scope=accounts&client_id=magicid
>> We had some discussions whether or not this request is a valid request,
>> to be more exact wether the clientid can be in the body.
>> Section 2.3.1 states
>> *A client MAY use the "client_id" request parameter to identify itself
>> when sending requests to the token endpoint. *
>> But at the same time in the case of a client password (2.3.1)
>> The clientid and secret are carried in the basic auth header as a form of
>> authentication as a preferred method ,
>> But the standard states that if you choose to use the body as a form of
>> authentication that if you can ommit the clientsecret the clientsecret is
>> an empty string, therefore passing only the client_id is the same as
>> passing the client_id and an empty string clientsecret .
>> So the current request would be according to the spec interpreted as
>> follows
>> Authentication 1) basic auth cleintid:secret
>> Authentication 2) body auth  clientd and blank secret
>> You can choose to use the client_id in the body with public clients or in
>> the confidential client (the Lloyds situation) if you choose to add the
>> clientsecret there as well and are not using the basic auth header (this is
>> due to spec section 2.3 which states
>> *The client MUST NOT use more than one authentication method in each
>> request. *
>> In short there is no way in the spec that allows for the oauth provider
>> to distinguish between your intention of sending in the client_id again for
>> identification and a malformed request with double authentication.
>> So my stance is (for now) that you cannot send a clientid when you find
>> yourself in the clientid with a corresponding password situation.
>> Is that a correct statement ?
>> and if it is not how would that work ?
>> and if it is, when can you send the clientid in the body but use
>> something else for authentication  (something like mtls ?) ?
>> Kind Regards
>> Van Oppens Tom
>> Tenzij hierboven anders aangegeven: / Sauf indication contraire
>> ci-dessus: / Unless otherwise stated above:
>> International Business Machines of Belgium sprl / bvba
>> Siège social / Maatschappelijke zetel: Avenue du Bourget 42 Bourgetlaan,
>> B-1130 Bruxelles/Brussel
>> N° d'entreprise / Ondernemingsnr: TVA / BTW BE 0405 912 336
>> RPM Bruxelles / RPR Brussel
>> _______________________________________________
>> OAuth mailing list
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*_______________________________________________
> OAuth mailing list

Nat Sakimura

Chairman of the Board, OpenID Foundation