[OAUTH-WG] Purpose of client authentication for "public" client types
STAS Thibault <Thibault.STAS@swift.com> Wed, 25 August 2021 13:59 UTC
From: STAS Thibault <Thibault.STAS@swift.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Wed, 25 Aug 2021 13:59:44 +0000
Message-ID: <c78e2dd97bc74f22aa0b58282647b76b@swift.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Ks9fMTbwIVi5vlOmdcv0EN7uAP0>
Dear,

I notice that many API Gateway providers are requiring the authentication of the client, even for public client types, e.g.

https://docs.apigee.com/api-platform/security/oauth/implementing-password-grant-type
https://auth0.com/docs/flows/call-your-api-using-resource-owner-password-flow
https://tyk.io/docs/basic-config-and-security/security/authentication-authorization/oauth2-0/username-password-grant/

Not many providers make the use of the client authentication optional, as the client_secret is always present in either the Authorization Basic header or within the payload.

What is the added value to perform client application authentication in the context of "public" client type, like a vendor application sold to many customers? The client_secret would be shipped along with the application, putting at risk the secrecy of the client_secret. The OAuth standard does not seem to provide a lot of guidance with regards to the use and need of the client authentication in such context.

Would it not be preferable to recommend client identification rather than client authentication in combination with resource-owner authentication? The client_id could be provided as part of the selected grant type parameters.

Kind regards,

Thibault STAS
SWIFT | Enterprise Architect - Information Technology
Tel: + 32 2 655 4975
www.swift.com
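As an added illustration (not code from the post, nor from any of the gateway products it links), here is how an authorization server's token endpoint can apply the distinction the post asks for: a confidential client must authenticate with its secret, while a public client is only identified by its client_id, so a secret shipped inside the app raises no assurance. It goes slightly beyond the post by also including the RFC 7636 PKCE S256 check, the per-request binding a public client uses in place of a secret. The client ids and the secret in the registry are constructed values.

```python
import base64
import hashlib
import hmac

# Constructed registry (hypothetical client ids and secret): a server-side client that
# can keep a secret is "confidential"; an app shipped to many customers is "public".
CLIENTS = {
    "billing-backend": {"type": "confidential", "secret": "srv-only-s3cr3t"},
    "vendor-mobile-app": {"type": "public"},
}


def parse_basic_auth(header):
    """Return (client_id, client_secret) from 'Basic base64(id:secret)', else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        client_id, sep, secret = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None
    return (client_id, secret) if sep else None


def classify_client(headers, form):
    """Map a token request to (client_id, assurance).

    assurance is "authenticated" only when a confidential client proved its secret.
    A public client is merely "identified", whatever it sends as client_secret,
    because a value embedded in a binary shipped to every customer is not a secret.
    """
    creds = parse_basic_auth(headers.get("Authorization")) or (
        form.get("client_id"), form.get("client_secret"))
    client_id, presented = creds
    reg = CLIENTS.get(client_id)
    if reg is None:
        raise ValueError("unknown client_id")
    if reg["type"] == "confidential":
        # Constant-time comparison so a wrong secret leaks no timing information.
        if not presented or not hmac.compare_digest(
                presented.encode(), reg["secret"].encode()):
            raise ValueError("client authentication failed")
        return client_id, "authenticated"
    return client_id, "identified"


def pkce_s256(code_verifier):
    """RFC 7636 S256 transform: BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_matches(code_challenge, code_verifier):
    """True when the verifier presented at the token endpoint matches the challenge."""
    return hmac.compare_digest(pkce_s256(code_verifier), code_challenge)
```

Policy decisions (which grants or scopes a client may use) should key off the returned assurance level, never off the mere presence of a client_secret parameter.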