Re: [OAUTH-WG] Assertions: Client authentication for non-token endpoints?

Justin Richer <jricher@mitre.org> Wed, 23 April 2014 16:50 UTC

Message-ID: <5357EF2E.1020503@mitre.org>
Date: Wed, 23 Apr 2014 12:49:50 -0400
From: Justin Richer <jricher@mitre.org>
To: Mike Jones <Michael.Jones@microsoft.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
References: <4E1F6AAD24975D4BA5B16804296739439A191DC0@TK5EX14MBXC288.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A191DC0@TK5EX14MBXC288.redmond.corp.microsoft.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/T8rQ1dPbytk4UOfxerbdKcG9VvA

For introspection, we really just wanted to say "you can authenticate 
the caller (client or RP) just like you would to the token endpoint". So 
if you've got the means to do that with the assertion draft or with 
client secrets or TLS certs or anything else, go for it. I would not 
read the text of the assertions draft as restricting this other use case.

  -- Justin
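As an added illustration (not code from either draft, nor from any of the posters), the following sketch shows an authorization server sharing one client-authentication routine between its token and introspection endpoints, accepting a JWT bearer client assertion in the form the assertions draft describes. The client registry, issuer URL and HS256 shared secrets are constructed assumptions; the audience check is the part a deployer has to keep in mind when reusing the routine at an endpoint other than the token endpoint.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs
# Constructed client registry (client_id -> HMAC secret); an assumption for this demo.
CLIENTS = {"rp-123": b"constructed-client-secret"}
AS_ISSUER = "https://as.example"  # assumed authorization server identifier
TOKEN_EP, INTROSPECT_EP = AS_ISSUER + "/token", AS_ISSUER + "/introspect"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_assertion(client_id, secret, audience, now=None):
    """Client side: HS256 JWT client assertion with iss == sub == client_id."""
    now = int(now or time.time())
    header = _b64url(json.dumps({"alg": "HS256"}).encode())
    payload = _b64url(json.dumps({"iss": client_id, "sub": client_id, "aud": audience, "exp": now + 60}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def authenticate_client(form_body, endpoint_url, now=None):
    """Shared client authentication for any endpoint; returns client_id or None."""
    params = {k: v[0] for k, v in parse_qs(form_body).items()}
    if params.get("client_assertion_type") != JWT_BEARER:
        return None
    try:
        h, p, s = params["client_assertion"].split(".")
        if json.loads(_unb64url(h)).get("alg") != "HS256":
            return None  # refuse any other algorithm, including "none"
        claims = json.loads(_unb64url(p))
        secret = CLIENTS[claims["iss"]]
    except (KeyError, ValueError, TypeError, AttributeError):
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        return None
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    # aud must name this AS or the endpoint actually called, so an assertion minted for one endpoint is not accepted at another.
    if not {AS_ISSUER, endpoint_url} & set(aud):
        return None
    if claims.get("sub") != claims["iss"] or claims.get("exp", 0) <= (now or time.time()):
        return None
    return claims["iss"]

def introspect(form_body, now=None):
    # Introspection endpoint: authenticate the caller exactly as the token endpoint would.
    client_id = authenticate_client(form_body, INTROSPECT_EP, now)
    return {"active": True, "client_id": client_id} if client_id else {"error": "invalid_client"}
```

The `active` result is a constructed stand-in for the real token lookup; the point is that the same `authenticate_client` call guards both endpoints.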

On 04/23/2014 12:42 PM, Mike Jones wrote:
> The assertions draft is only trying to describe how to perform assertion-based authentication at the Token Endpoint.  Other drafts, such as the introspection draft, could explicitly say that this can also be done in the same manner there, but that's an extension, and should be specified by the extension draft, if appropriate - not in the assertions draft.
>
> Justin may have more to say about the applicability or lack of it to the introspection draft, but I'm personally not familiar with it.
>
> 				-- Mike
>
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Wednesday, April 23, 2014 5:09 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Assertions: Client authentication for non-token endpoints?
>
> Hi all,
>
> in a discussion about re-using the client authentication part of the assertion framework for other specifications currently in progress I ran into the following question:
>
> Section 6.1 of
> http://tools.ietf.org/html/draft-ietf-oauth-assertions-15 talks about the client using the assertion with the **token endpoint**.
>
> Now, it appears that one cannot use the client authentication with other endpoints, such as the introspection endpoint defined in
> http://tools.ietf.org/html/draft-richer-oauth-introspection-04#section-2
>
> Am I reading too much into Section 6.1 of the assertion draft?
>
> Ciao
> Hannes