IETF Logo Mail Archive

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

John Bradley <ve7jtb@ve7jtb.com> Sun, 18 March 2012 05:08 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5D0111E8075 for <oauth@ietfa.amsl.com>; Sat, 17 Mar 2012 22:08:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.901
X-Spam-Level:
X-Spam-Status: No, score=-2.901 tagged_above=-999 required=5 tests=[AWL=-0.698, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O-NrQijVIzwX for <oauth@ietfa.amsl.com>; Sat, 17 Mar 2012 22:08:02 -0700 (PDT)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id 282CD11E8072 for <oauth@ietf.org>; Sat, 17 Mar 2012 22:08:02 -0700 (PDT)
Received: by ggmi1 with SMTP id i1so5687394ggm.31 for <oauth@ietf.org>; Sat, 17 Mar 2012 22:08:01 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=references:in-reply-to:mime-version:content-transfer-encoding :content-type:message-id:cc:x-mailer:from:subject:date:to :x-gm-message-state; bh=IvrnfvZllW/jaM+j4iS0+QXQhjHTjHa+oYt7L6l8PA4=; b=fsVaFgDII9KHXkcY1qcNrQmcfGR7gr0GXzCld/+g4h2tnbOnhytzgbf2Qakm/HjUgM GOeCbOms3/CWUD15t3tf8iSoleiOwvjmB36ekOLUykiPdLm/zXYdxmJfwtwJfaKUsfQz RMkhignDnUXjST61ri7kerHlf05GSQ+vCyJHbZS3JnQWp/thcKKXA9kwPXmNwnxE9Nxv jXp/Qe+aG17mi2CqsAwF77R3acEwoz9j9ysod5zK/FMRAVOhZ6WBaDieIcXpnTBtPNr7 ZeBtCOMovvnbw5kHhjwreNbP7CSlflqOMQhjjjHXt5xCvTplOPZh5H1ERGeIusGD40rn m4Cg==
Received: by 10.236.153.70 with SMTP id e46mr8050018yhk.29.1332047281608; Sat, 17 Mar 2012 22:08:01 -0700 (PDT)
Received: from [192.168.1.202] (190-20-44-71.baf.movistar.cl. [190.20.44.71]) by mx.google.com with ESMTPS id n35sm27084039yhh.19.2012.03.17.22.07.51 (version=TLSv1/SSLv3 cipher=OTHER); Sat, 17 Mar 2012 22:08:00 -0700 (PDT)
References: <CAAJ++qFYrWR5HeV41C-miJY60g_QZ7xp5qgZRTyVUHjcM5rUeQ@mail.gmail.com> <CB879ABB.1658B%eran@hueniverse.com> <CAAJ++qH7nW-W+saqSiONDi6j_GMz8q8_Q2yfoaOune2xpmXRbg@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08AC2@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAAJ++qEjgzz0ELe3xDdYPTnujc6bgv6ZLseGJst0TPd+5FU4-A@mail.gmail.com> <CAGHdeD6zkxwD-1vA-aOdapd73-Mkeio+cG958ew_f_mzdhEQAw@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08C1C@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAGHdeD5ruZAD_SKr2V3vfPsViXeTVi=7GG98Noqx8_aN1vA+7A@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08C24@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723453AFF08C24@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Mime-Version: 1.0 (1.0)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"
Message-Id: <F26EC7DA-1400-4603-B1C7-93AFFB4507AD@ve7jtb.com>
X-Mailer: iPad Mail (9B176)
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Sun, 18 Mar 2012 01:09:23 -0400
To: Eran Hammer <eran@hueniverse.com>
X-Gm-Message-State: ALoCoQkm1l6wKR+VARk83FxKGQgIQhdjkR2VzH9PAVY+Xkw28/yfpm7lezU4Ho0YUyD01d/EbBbn
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Mar 2012 05:08:03 -0000

OK with me. 

John B 

Sent from my iPad

On 2012-03-17, at 5:43 PM, Eran Hammer <eran@hueniverse.com> wrote:

> Mike, Nat,
> 
> Does the new text work for you?
> 
> EH
> 
>> -----Original Message-----
>> From: breno.demedeiros@gmail.com
>> [mailto:breno.demedeiros@gmail.com] On Behalf Of Breno
>> Sent: Saturday, March 17, 2012 12:10 PM
>> To: Eran Hammer
>> Cc: OAuth WG
>> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
>> 
>> That is much clearer. Thank you.
>> 
>> On Sat, Mar 17, 2012 at 9:17 AM, Eran Hammer <eran@hueniverse.com>
>> wrote:
>>> How about we phrase it the other way:
>>> 
>>> A clients may be implemented as a distributed set of components, each
>>> with a different client type and security context (e.g. a distributed
>>> client with both a confidential server-based component and a public
>>> browser-based component). If the authorization
>>> server does not provide support for such clients, or does not provide
>>> guidance with regard to their registration, the client SHOULD register each
>> component as a separate client.
>>> 
>>> This does two thing: put the server's policy first instead of as the exception,
>> and uses SHOULD instead of MUST which seems to be too strong for many
>> people.
>>> 
>>> Better?
>>> 
>>> EH
>>> 
>>> 
>>>> -----Original Message-----
>>>> From: breno.demedeiros@gmail.com
>>>> [mailto:breno.demedeiros@gmail.com] On Behalf Of Breno
>>>> Sent: Saturday, March 17, 2012 8:50 AM
>>>> To: Eran Hammer
>>>> Cc: OAuth WG
>>>> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
>>>> 
>>>> To summarize, I am weary of registration normative language that
>>>> appears to disallow common practice implemented by servers to
>>>> securely support multi- component applications. If these common
>>>> practices will be non-compliant (or at least it appears to be so on
>>>> first reading by many different people with detailed knowledge of the
>>>> spec), isn't it incumbent on this spec to provide guidance on _how_
>>>> different components of an application will interoperate under
>>>> different registration? At least for the very common case of a
>>>> webserver + browser component, the importance of which is already
>> enshrined in the spec by the definition of two response_types and flows?
>>>> 
>>>> On Thu, Mar 15, 2012 at 3:54 PM, Breno de Medeiros
>> <breno@google.com>
>>>> wrote:
>>>>> On Thu, Mar 15, 2012 at 15:43, Eran Hammer <eran@hueniverse.com>
>>>> wrote:
>>>>>> I don't know how to better explain myself. Forget about the text
>>>>>> you
>>>> have issue with. Just answer this:
>>>>>> 
>>>>>> Reading the specification (with that text removed), what happens
>>>>>> when a
>>>> hybrid client wants to register? What client type does it provide?
>>>> How should the server handle this case?
>>>>> 
>>>>> In the example case of the webserver + browser-based client
>>>>> components, I think the server should just allow it. The browser
>>>>> does not need to expose the client_secret since it requires no
>>>>> authentication credentials. The webserver should use the client
>>>>> credentials acquired during registration to authenticate itself
>>>>> when using the code flow.
>>>>> 
>>>>> It's more interesting when mobile applications and webserver want
>>>>> to share credentials. The mitigation strategy of limiting lifetime
>>>>> of tokens may not work in this case. In general the registration
>>>>> server should not allow the use of a single registration in this
>>>>> case. This case is different from the above in the sense that
>>>>> installed applications are typically _also_ using the 'code' flow,
>>>>> but from a different security context. A server could allow both
>>>>> clients to share the same registration information, but segregate
>>>>> the set of redirect URLs and tie the code to each security context
>>>>> and apply different client authentication requirements to each. Or
>>>>> the server could require separate client registration for each
>> component.
>>>>> 
>>>>>> 
>>>>>> EH
>>>>>> 
>>>>>>> -----Original Message-----
>>>>>>> From: Breno de Medeiros [mailto:breno@google.com]
>>>>>>> Sent: Thursday, March 15, 2012 2:12 PM
>>>>>>> To: Eran Hammer
>>>>>>> Cc: Nat Sakimura; OAuth WG
>>>>>>> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
>>>>>>> 
>>>>>>> On Thu, Mar 15, 2012 at 13:13, Eran Hammer
>> <eran@hueniverse.com>
>>>>>>> wrote:
>>>>>>>> Ok. That's much better than my guess that you wanted to drop
>>>>>>>> all the registration text from the specification.
>>>>>>>> 
>>>>>>>> What I'm looking for is a simple text that answers the question:
>>>>>>>> 
>>>>>>>> "What to do if my client isn't simply public or confidential?"
>>>>>>>> 
>>>>>>>> If we just drop the current text, the answer is implicitly "you
>>>>>>>> can't have such a client" because there is no way to register a
>>>>>>>> client of any other type.
>>>>>>>> 
>>>>>>>> So let's try this again, and focus exclusively on answering this
>> question.
>>>>>>>> My text takes a position which is, "you can't - unless". Your
>>>>>>>> suggestion is more of a vague discussion of the topic. I'd like
>>>>>>>> to see clear, normative answer to this question.
>>>>>>> 
>>>>>>> The current version is normative but far from clear. In fact, the
>>>>>>> most natural interpretation is that it bans normal practice and
>>>>>>> throws away the work that was done in defining different flow
>>>>>>> types to
>>>> support normal practice.
>>>>>>> 
>>>>>>> 1. I don't see the need or desirability to put normative language
>>>>>>> on registration practices.
>>>>>>> 2. The contents of said normative language are harmful.
>>>>>>> 
>>>>>>> I suggest two alternatives:
>>>>>>> 
>>>>>>> 1. Remove the language.
>>>>>>> 2. Substitute the language by non-normative informative discussion.
>>>>>>> 
>>>>>>> You can also do other things, like introduce normative language
>>>>>>> that makes sense. But I have not yet seen proposed language that
>>>>>>> would be
>>>> acceptable.
>>>>>>> 
>>>>>>>> 
>>>>>>>> EH
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On 3/15/12 12:30 PM, "Breno de Medeiros" <breno@google.com>
>>>> wrote:
>>>>>>>> 
>>>>>>>>> I am proposing the entire removal of:
>>>>>>>>> 
>>>>>>>>> "A client application consisting of multiple components, each
>>>>>>>>> with its own client type (e.g. a distributed client with both a
>>>>>>>>> confidential server-based component and a public browser-based
>>>>>>>>> component), MUST register each component separately as a
>>>>>>>>> different client to ensure proper handling by the authorization
>> server."
>>>>>>>>> 
>>>>>>>>> In particular the example of a server-side component versus
>>>>>>>>> browser-based components is particularly unhelpful since it
>>>>>>>>> violates the entire principle of why two response_type 'code'
>>>>>>>>> and 'token' were defined, and how OAuth2 is typically
>> implemented.
>>>>>>>>> That's when I claim this normative language is redefining the
>> protocol.
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> On Thu, Mar 15, 2012 at 12:13, Eran Hammer
>>>>>>>>> <eran@hueniverse.com>
>>>>>>> wrote:
>>>>>>>>>> Which text in -25 are you proposing we remove exactly? I
>>>>>>>>>> can't judge the  text below without the full context of where
>>>>>>>>>> and how it is proposed in the  current document.
>>>>>>>>>> 
>>>>>>>>>> Also, you are ignoring my detailed analysis of the current
>>>>>>>>>> facts. We have  two client types and the issue here is what to
>>>>>>>>>> do with other, undefined  types.
>>>>>>>>>> 
>>>>>>>>>> EH
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> On 3/15/12 11:54 AM, "Breno de Medeiros"
>> <breno@google.com>
>>>>>>> wrote:
>>>>>>>>>> 
>>>>>>>>>>> My proposal is to remove any reference to registration (which
>>>>>>>>>>> is a red herring and has raised all the problems we refer
>>>>>>>>>>> here) and refer to client authentication instead.
>>>>>>>>>>> 
>>>>>>>>>>> Proposal:
>>>>>>>>>>> 
>>>>>>>>>>> "Clients may be implemented as a distributed set of
>>>>>>>>>>> components that run in different security contexts. For
>>>>>>>>>>> instance, a single client may include a webserver component
>>>>>>>>>>> and a script component in a browser. It is not appropriate
>>>>>>>>>>> for the different components to utilize the same client
>>>>>>>>>>> authentication mechanisms, since client authentication
>>>>>>>>>>> credentials that are held securely in one context cannot be
>> deployed securely in another.
>>>>>>>>>>> 
>>>>>>>>>>> Servers MUST mitigate security threats from client components
>>>>>>>>>>> that cannot hold client credentials as securely by
>>>>>>>>>>> distinguishing them from client components that can. Example
>>>>>>>>>>> of
>>>> suitable measures are:
>>>>>>>>>>> 
>>>>>>>>>>> - Requiring separate registration of components such as web
>>>>>>>>>>> server and a mobile application.
>>>>>>>>>>> - Restricting the time validity of tokens issued to clients
>>>>>>>>>>> that hold no authentication credentials, such as browser
>>>>>>>>>>> script-based components."
>>>>>>>>>>> 
>>>>>>>>>>> Please don't truncate explanations in the interest of space
>>>>>>>>>>> if the resulting text is confusing and possibly misleading.
>>>>>>>>>>> Better to say nothing instead.
>>>>>>>>>>> 
>>>>>>>>>>> On Thu, Mar 15, 2012 at 11:32, Eran Hammer
>>>> <eran@hueniverse.com>
>>>>>>> wrote:
>>>>>>>>>>>> Here are the facts:
>>>>>>>>>>>> 
>>>>>>>>>>>> The authorization server must know the client type in order
>>>>>>>>>>>> to enforce many  of the requirements in the specification.
>>>>>>>>>>>> The requirement to provide a client type is not decorated
>>>>>>>>>>>> with a MUST or  SHALL but that is implied.
>>>>>>>>>>>> The specification only defines two client types: public and
>>>>>>>>>>>> confidential.
>>>>>>>>>>>> There is no client type defined for a hybrid client.
>>>>>>>>>>>> The specification needs to address the very common use case
>>>>>>>>>>>> of clients with  both public and private components.
>>>>>>>>>>>> 
>>>>>>>>>>>> I don't want to discuss in the specification how client
>>>>>>>>>>>> identifiers are  provisioned, nor do I want to discuss the
>>>>>>>>>>>> potential binding of response  types to client types. But we
>>>>>>>>>>>> do need to provide some guidance to clients  and
>>>>>>>>>>>> authorization servers what to do with clients that do not
>>>>>>>>>>>> fit the  current type definitions.
>>>>>>>>>>>> 
>>>>>>>>>>>> It is far too late for us to define a new client type,
>>>>>>>>>>>> along with all the  security considerations that such type
>>>>>>>>>>>> imply. Our entire security  consideration section and
>>>>>>>>>>>> protocol design are based on have a well defined  client type.
>>>>>>>>>>>> 
>>>>>>>>>>>> Requiring separate registration for each component is the
>>>>>>>>>>>> most straight-forward solution. Allowing the authorization
>>>>>>>>>>>> server to offer alternatives is the backdoor to enable
>> extensibility.
>>>>>>>>>>>> 
>>>>>>>>>>>> Within these constraints, I am open to other prose or
>>>>>>>>>>>> creative solutions.
>>>>>>>>>>>> But the add-ons proposed are all ugly hacks. They clarify
>>>>>>>>>>>> specific questions  raised which I do not believe represent
>>>>>>>>>>>> the core confusion here which is  what is the right way to
>>>>>>>>>>>> handle hybrid clients.
>>>>>>>>>>>> 
>>>>>>>>>>>> The best way to move forward is to take a minute and ask
>>>>>>>>>>>> the group to share  how they handle such cases or how they
>>>>>>>>>>>> think they should be handled.
>>>>>>>>>>>> Based
>>>>>>>>>>>> on that we can come up with a clear solution.
>>>>>>>>>>>> 
>>>>>>>>>>>> EH
>>>>>>>>>>>> 
>>>>>>>>>>>> From: Breno de Medeiros <breno@google.com>
>>>>>>>>>>>> Date: Thu, 15 Mar 2012 09:56:13 -0700
>>>>>>>>>>>> To: Eran Hammer-Lahav <eran@hueniverse.com>
>>>>>>>>>>>> Cc: Nat Sakimura <sakimura@gmail.com>, OAuth WG
>>>>>>> <oauth@ietf.org>
>>>>>>>>>>>> 
>>>>>>>>>>>> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0
>> rev.
>>>>>>>>>>>> 23
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> On Thu, Mar 15, 2012 at 07:45, Eran Hammer
>>>>>>>>>>>> <eran@hueniverse.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>> 
>>>>>>>>>>>>> This add-on is unnecessary. It already says the
>>>>>>>>>>>>> authorization server can  handle it any way it wants. The
>>>>>>>>>>>>> fact that other registration options are  possible clearly
>>>>>>>>>>>>> covers the client identifier reuse case. As for the
>>>>>>>>>>>>> response type, that¹s not an issue but more of an
>> optimization for an edge  case raised.
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> It still feels like a horse by committee to me. "unless the
>>>>>>>>>>>> authorization server provides other registration options to
>>>>>>>>>>>> specify such  complex clients." seems a very round about way
>>>>>>>>>>>> to say that the core spec  already provides for such
>>>>>>>>>>>> arrangements in the most common scenario. It is a  bit of a
>>>>>>>>>>>> stretch to say that the server provides "other registration
>>>>>>>>>>>> options" by simply following strategy already laid out in the
>> spec.
>>>>>>>>>>>> 
>>>>>>>>>>>> In particular, I feel that this wording will be harmful to
>>>>>>>>>>>> register extended  behavior, e.g., alternative
>>>>>>>>>>>> response_types by leading to fruitless  conversations about
>>>>>>>>>>>> spec compliance in the absence of real security risks.
>>>>>>>>>>>> 
>>>>>>>>>>>> I do not believe the current text is the best
>>>>>>>>>>>> representation of the spirit  in which the spec was written
>>>>>>>>>>>> (in particular the effort to specify two flows  in detail to
>>>>>>>>>>>> deal with precisely this issue) and possibly lead to
>> harmful  future interpretation.
>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> EH
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> From: oauth-bounces@ietf.org [mailto:oauth-
>>>> bounces@ietf.org]
>>>>>>>>>>>>> On Behalf Of  Nat Sakimura
>>>>>>>>>>>>> Sent: Thursday, March 15, 2012 2:04 AM
>>>>>>>>>>>>> To: Breno de Medeiros; OAuth WG
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0
>> rev.
>>>>>>>>>>>>> 23
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> So, Eran's first proposal:
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>>  A client application consisting of multiple components,
>>>>>>>>>>>>> each with its
>>>>>>>>>>>>>  own client type (e.g. a distributed client with both a
>>>>>>>>>>>>> confidential
>>>>>>>>>>>>>  server-based component and a public browser-based
>>>>>>>>>>>>> component), MUST
>>>>>>>>>>>>>  register each component separately as a different client
>>>>>>>>>>>>> to ensure
>>>>>>>>>>>>> 
>>>>>>>>>>>>>  proper handling by the authorization server, unless the
>>>>>>>>>>>>> authorization
>>>>>>>>>>>>>  server provides other registration options to specify
>>>>>>>>>>>>> such complex  clients.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> kind of meets my concern. There seems to be another issue
>>>>>>>>>>>>> around the  usefulness of return_type in such case raised
>>>>>>>>>>>>> by Breno, and if I understand  it correctly, Eran's answer
>>>>>>>>>>>>> was that these separate components may have the  same
>>>>>>>>>>>>> client_id
>>>> so
>>>>>>>>>>>>> that return_type is a valid parameter to be sent at
>> the  request.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> So, to clarify these, perhaps changing the above text
>>>>>>>>>>>>> slightly to the following solves the problem?
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>>  A client application consisting of multiple components,
>>>>>>>>>>>>> each with its
>>>>>>>>>>>>>  own client type (e.g. a distributed client with both a
>>>>>>>>>>>>> confidential
>>>>>>>>>>>>>  server-based component and a public browser-based
>>>>>>>>>>>>> component), MUST
>>>>>>>>>>>>>  register each component separately as a different client
>>>>>>>>>>>>> to ensure
>>>>>>>>>>>>> 
>>>>>>>>>>>>>  proper handling by the authorization server, unless the
>>>>>>>>>>>>> authorization
>>>>>>>>>>>>>  server provides other registration options to specify
>>>>>>>>>>>>> such complex  clients.
>>>>>>>>>>>>> 
>>>>>>>>>>>>>  Each component MAY have the same client_id, in which
>>>>>>>>>>>>> case the server
>>>>>>>>>>>>> 
>>>>>>>>>>>>>  judges the client type and the associated security
>>>>>>>>>>>>> context based on
>>>>>>>>>>>>>  the response_type parameter in the request.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Would it solve your problem, Breno?
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Best,
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> =nat
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> --
>>>>>>>>>>>> --Breno
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> --
>>>>>>>>>>> --Breno
>>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> --
>>>>>>>>> --Breno
>>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> --
>>>>>>> --Breno
>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> --Breno
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>>> 
>>>> 
>>>> --
>>>> Breno de Medeiros
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> 
>> 
>> --
>> Breno de Medeiros
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email