Re: [OAUTH-WG] Assertions: Client authentication for non-token endpoints?

Mike Jones <Michael.Jones@microsoft.com> Wed, 23 April 2014 16:42 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
Date: Wed, 23 Apr 2014 16:42:00 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A191DC0@TK5EX14MBXC288.redmond.corp.microsoft.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/8IdY5jWEgSVy19ZQ2zKy-R3pvxM

The assertions draft is only trying to describe how to perform assertion-based authentication at the Token Endpoint.  Other drafts, such as the introspection draft, could explicitly say that this can also be done in the same manner there, but that's an extension, and should be specified by the extension draft, if appropriate - not in the assertions draft.

Justin may have more to say about the applicability or lack of it to the introspection draft, but I'm personally not familiar with it.

				-- Mike

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Wednesday, April 23, 2014 5:09 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] Assertions: Client authentication for non-token endpoints?

Hi all,

in a discussion about re-using the client authentication part of the assertion framework for other specifications currently in progress I ran into the following question:

Section 6.1 of
http://tools.ietf.org/html/draft-ietf-oauth-assertions-15 talks about the client using the assertion with the **token endpoint**.

Now, it appears that one cannot use the client authentication with other endpoints, such as the introspection endpoint defined in
http://tools.ietf.org/html/draft-richer-oauth-introspection-04#section-2

Am I reading too much into Section 6.1 of the assertion draft?

Ciao
Hannes
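Added example, not code from either message or from the assertions or introspection drafts: it shows the client_assertion_type / client_assertion parameters that Section 6.1 describes for the token endpoint, and why reusing them at another endpoint such as introspection is an extension rather than automatic, since the server checks the assertion's audience against the endpoint it was actually presented to. It assumes an HS256 shared secret and the constructed endpoint URLs under as.example.com; a deployment would normally use asymmetric keys and a JWT library.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed values for this example only.
SECRET = b"example-shared-secret"
TOKEN_ENDPOINT = "https://as.example.com/token"
INTROSPECTION_ENDPOINT = "https://as.example.com/introspect"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_assertion(client_id: str, audience: str, now: int) -> dict:
    """Client side: the two form parameters sent for assertion-based client
    authentication, with the assertion audienced to one specific endpoint."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "exp": now + 300, "jti": f"constructed-{now}"}
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return {"client_assertion_type": JWT_BEARER,
            "client_assertion": f"{header}.{body}.{_b64(sig)}"}

def authenticate_client(form: dict, endpoint: str, now: int) -> Optional[str]:
    """Server side: return the client_id if the assertion is valid at *this*
    endpoint, else None. The audience check is what keeps an assertion minted
    for the token endpoint from being replayed at, e.g., introspection."""
    if form.get("client_assertion_type") != JWT_BEARER:
        return None
    try:
        header, body, sig = form["client_assertion"].split(".")
    except (KeyError, ValueError):
        return None
    if json.loads(_unb64(header)).get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("aud") != endpoint or claims.get("exp", 0) <= now:
        return None
    if not claims.get("sub") or claims.get("iss") != claims.get("sub"):
        return None
    return claims["sub"]
```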