Re: [OAUTH-WG] Assertions: Client authentication for non-token endpoints?

Brian Campbell <bcampbell@pingidentity.com> Thu, 24 April 2014 12:45 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AC241A01BA for <oauth@ietfa.amsl.com>; Thu, 24 Apr 2014 05:45:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.578
X-Spam-Level:
X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XI7-Rm2_dMq3 for <oauth@ietfa.amsl.com>; Thu, 24 Apr 2014 05:45:09 -0700 (PDT)
Received: from na3sys009aog123.obsmtp.com (na3sys009aog123.obsmtp.com [74.125.149.149]) by ietfa.amsl.com (Postfix) with ESMTP id 8AE5A1A01B3 for <oauth@ietf.org>; Thu, 24 Apr 2014 05:45:06 -0700 (PDT)
Received: from mail-ie0-f170.google.com ([209.85.223.170]) (using TLSv1) by na3sys009aob123.postini.com ([74.125.148.12]) with SMTP ID DSNKU1kHTJSnGCmaWDj7oXwqbh1ZlSXzPQT1@postini.com; Thu, 24 Apr 2014 05:45:00 PDT
Received: by mail-ie0-f170.google.com with SMTP id rd18so2311240iec.15 for <oauth@ietf.org>; Thu, 24 Apr 2014 05:45:00 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=rCpFk8YI9V6Jst7/CgW6gWtnyWXDR4xe5M2LXafyFxA=; b=OBnoKYgNISSvHHfExj7NDzF4vd59r0ERLwIshJtqHDvsmDMmN5mUuLCvEueuuFlX99 Qt7AvYYRkqAF8wTMgG/uHi4hmVyIO73CxIshe0bXgtuMdHGFtA8xB8Sl2scSSFr8XLpT 9hEoYgdePGwS41VyPXJWtcaS5XylZnivTNyLmL/SC44l7fi25HSNHM/73/siDm+6c4CG vKrYvzv/aPaQl+mz1+/qSkmv5z2A2lViCzu2ZhAKJqjjTepudpbSYKgKb7xaI3njD3AH vFDXucCqarRkAVZYsa0ygoLZscAUSpNTssKn6GwlO1XEOZHeQIWWPTIdLs/b+rRqJD43 tHvw==
X-Gm-Message-State: ALoCoQmXnb3nHK0hBi4by0NgT+vitjlpO/d+Et4zY9ySE0k4FKl+xIvDT8t8a1iKc1CO2g16Oqac8KknFnxmh/75MSSw7pXWziOSCxfZqxGXRufEnMVCTwqhl4QSIg+vQY9ZfN+G6WbV
X-Received: by 10.42.136.130 with SMTP id u2mr1528148ict.51.1398343500447; Thu, 24 Apr 2014 05:45:00 -0700 (PDT)
X-Received: by 10.42.136.130 with SMTP id u2mr1528139ict.51.1398343500360; Thu, 24 Apr 2014 05:45:00 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.240.201 with HTTP; Thu, 24 Apr 2014 05:44:30 -0700 (PDT)
In-Reply-To: <5358D4B2.1070500@gmx.net>
References: <4E1F6AAD24975D4BA5B16804296739439A191DC0@TK5EX14MBXC288.redmond.corp.microsoft.com> <5357EF2E.1020503@mitre.org> <CA+k3eCTSQmWihysbvUi+pqwuqmfPT5PuOs0mH5tTiRFAS=JVjA@mail.gmail.com> <5358D4B2.1070500@gmx.net>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 24 Apr 2014 06:44:30 -0600
Message-ID: <CA+k3eCTf5Tk8pRFGoo9+aZ2_T3sK2aqQLRgnz0A=E=y+gxzMyA@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: multipart/alternative; boundary=90e6ba6e8c069cfbdb04f7c937b6
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/CietKoY7WbK6rNLjz55AG8lVWfs
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Assertions: Client authentication for non-token endpoints?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Apr 2014 12:45:17 -0000

Perhaps it'd be more appropriate for this introspection endpoint to say
that it accepts the same client authentication mechanisms as the token
endpoint rather than describing specific methods itself in the document?


On Thu, Apr 24, 2014 at 3:09 AM, Hannes Tschofenig <
hannes.tschofenig@gmx.net> wrote:

> Hi Brian,
>
> does it sound reasonable for you to add text to the token introspection
> endpoint regarding the use of the JWT bearer assertion for the token
> introspection endpoint?
>
> Ciao
> Hannes
>
> On 04/24/2014 12:58 AM, Brian Campbell wrote:
> > Just to pile on here - the Assertions draft(s) do define client
> > assertion authentication only for the token endpoint (and register token
> > endpoint parameters). But it certainly doesn't preclude it from being
> > profiled for use elsewhere.
> >
> > FWIW we used the token endpoint in our implementation of token
> > introspection/validation partly because all supported forms of client
> > authentication come along for free by doing so. My esteemed colleague,
> > Dr. Paul Madsen, posted a rough draft of what we've implemented in
> > product a while back:
> > http://www.ietf.org/mail-archive/web/oauth/current/msg08607.html
> >
> >
> > On Wed, Apr 23, 2014 at 10:49 AM, Justin Richer <jricher@mitre.org
> > <mailto:jricher@mitre.org>> wrote:
> >
> >     For introspection, we really just wanted to say "you can
> >     authenticate the caller (client or RP) just like you would to the
> >     token endpoint". So if you've got the means to do that with the
> >     assertion draft or with client secrets or TLS certs or anything
> >     else, go for it. I would not read the text of the assertions draft
> >     as restricting this other use case.
> >
> >      -- Justin
> >
> >
> >     On 04/23/2014 12:42 PM, Mike Jones wrote:
> >
> >         The assertions draft is only trying to describe how to perform
> >         assertion-based authentication at the Token Endpoint.  Other
> >         drafts, such as the introspection draft, could explicitly say
> >         that this can also be done in the same manner there, but that's
> >         an extension, and should be specified by the extension draft, if
> >         appropriate - not in the assertions draft.
> >
> >         Justin may have more to say about the applicability or lack of
> >         it to the introspection draft, but I'm personally not familiar
> >         with it.
> >
> >                                         -- Mike
> >
> >         -----Original Message-----
> >         From: OAuth [mailto:oauth-bounces@ietf.org
> >         <mailto:oauth-bounces@ietf.org>__] On Behalf Of Hannes
> Tschofenig
> >         Sent: Wednesday, April 23, 2014 5:09 AM
> >         To: oauth@ietf.org <mailto:oauth@ietf.org>
> >         Subject: [OAUTH-WG] Assertions: Client authentication for
> >         non-token endpoints?
> >
> >         Hi all,
> >
> >         in a discussion about re-using the client authentication part of
> >         the assertion framework for other specifications currently in
> >         progress I ran into the following question:
> >
> >         Section 6.1 of
> >         http://tools.ietf.org/html/__draft-ietf-oauth-assertions-15
> >         <http://tools.ietf.org/html/draft-ietf-oauth-assertions-15>
> >         talks about the client using the assertion with the **token
> >         endpoint**.
> >
> >         Now, it appears that one cannot use the client authentication
> >         with other endpoints, such as the introspection endpoint defined
> in
> >
> http://tools.ietf.org/html/__draft-richer-oauth-__introspection-04#section-2
> >         <
> http://tools.ietf.org/html/draft-richer-oauth-introspection-04#section-2>
> >
> >         Am I reading too much into Section 6.1 of the assertion draft?
> >
> >         Ciao
> >         Hannes
> >
> >         _________________________________________________
> >         OAuth mailing list
> >         OAuth@ietf.org <mailto:OAuth@ietf.org>
> >         https://www.ietf.org/mailman/__listinfo/oauth
> >         <https://www.ietf.org/mailman/listinfo/oauth>
> >
> >
> >     _________________________________________________
> >     OAuth mailing list
> >     OAuth@ietf.org <mailto:OAuth@ietf.org>
> >     https://www.ietf.org/mailman/__listinfo/oauth
> >     <https://www.ietf.org/mailman/listinfo/oauth>
> >
> >
>
>