IETF Logo Mail Archive

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

Mike Jones <Michael.Jones@microsoft.com> Sat, 17 March 2012 23:28 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79B0F21F8609 for <oauth@ietfa.amsl.com>; Sat, 17 Mar 2012 16:28:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.844
X-Spam-Level:
X-Spam-Status: No, score=-3.844 tagged_above=-999 required=5 tests=[AWL=-0.245, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OmwY+zt+3PVc for <oauth@ietfa.amsl.com>; Sat, 17 Mar 2012 16:28:24 -0700 (PDT)
Received: from va3outboundpool.messaging.microsoft.com (va3ehsobe010.messaging.microsoft.com [216.32.180.30]) by ietfa.amsl.com (Postfix) with ESMTP id A1A5C21F85FF for <oauth@ietf.org>; Sat, 17 Mar 2012 16:28:23 -0700 (PDT)
Received: from mail28-va3-R.bigfish.com (10.7.14.243) by VA3EHSOBE010.bigfish.com (10.7.40.12) with Microsoft SMTP Server id 14.1.225.22; Sat, 17 Mar 2012 23:28:20 +0000
Received: from mail28-va3 (localhost [127.0.0.1]) by mail28-va3-R.bigfish.com (Postfix) with ESMTP id 89C414807BC; Sat, 17 Mar 2012 23:28:20 +0000 (UTC)
X-SpamScore: -46
X-BigFish: VS-46(zzbb2dI9371I542M1432N98dK1419M148cMzz1202hzz1033IL8275bh8275dhz2fh2a8h668h839hd25h)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC104.redmond.corp.microsoft.com; RD:none; EFVD:NLI
Received-SPF: pass (mail28-va3: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14MLTC104.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail28-va3 (localhost.localdomain [127.0.0.1]) by mail28-va3 (MessageSwitch) id 1332026897985595_25893; Sat, 17 Mar 2012 23:28:17 +0000 (UTC)
Received: from VA3EHSMHS013.bigfish.com (unknown [10.7.14.251]) by mail28-va3.bigfish.com (Postfix) with ESMTP id E63C42200F0; Sat, 17 Mar 2012 23:28:17 +0000 (UTC)
Received: from TK5EX14MLTC104.redmond.corp.microsoft.com (131.107.125.8) by VA3EHSMHS013.bigfish.com (10.7.99.23) with Microsoft SMTP Server (TLS) id 14.1.225.23; Sat, 17 Mar 2012 23:28:14 +0000
Received: from TK5EX14MBXC284.redmond.corp.microsoft.com ([169.254.1.237]) by TK5EX14MLTC104.redmond.corp.microsoft.com ([157.54.79.159]) with mapi id 14.02.0283.004; Sat, 17 Mar 2012 23:28:14 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Eran Hammer <eran@hueniverse.com>, "'Nat Sakimura (sakimura@gmail.com)'" <sakimura@gmail.com>
Thread-Topic: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
Thread-Index: AQHNAgMKtRI52qb7tE6+kmeeW24qnZZqBiQAgAACNICAAA7JAIAABA0AgAADMYCAAACtcIAABZMAgAAVJQCAAAHFAIAAAp4AgAAE2YCAAAAhgIAAzdQAgABfgQCAACSSgIAAGvAAgAAF/oCAAAVjgIAABKqAgAAMGYCAABBtAIAAGYqAgAADHgCAAq4fAIAAB7GAgAAwLgCAACq3gIAAHR5A
Date: Sat, 17 Mar 2012 23:28:13 +0000
Message-ID: <4E1F6AAD24975D4BA5B168042967394366422F55@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <CAAJ++qFYrWR5HeV41C-miJY60g_QZ7xp5qgZRTyVUHjcM5rUeQ@mail.gmail.com> <CB879ABB.1658B%eran@hueniverse.com> <CAAJ++qH7nW-W+saqSiONDi6j_GMz8q8_Q2yfoaOune2xpmXRbg@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08AC2@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAAJ++qEjgzz0ELe3xDdYPTnujc6bgv6ZLseGJst0TPd+5FU4-A@mail.gmail.com> <CAGHdeD6zkxwD-1vA-aOdapd73-Mkeio+cG958ew_f_mzdhEQAw@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08C1C@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAGHdeD5ruZAD_SKr2V3vfPsViXeTVi=7GG98Noqx8_aN1vA+7A@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08C24@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723453AFF08C24@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.34]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Mar 2012 23:28:25 -0000

Much better.  Thanks for working with Breno on the new wording.

				-- Mike

-----Original Message-----
From: Eran Hammer [mailto:eran@hueniverse.com] 
Sent: Saturday, March 17, 2012 2:43 PM
To: Mike Jones; 'Nat Sakimura (sakimura@gmail.com)'
Cc: OAuth WG
Subject: RE: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

Mike, Nat,

Does the new text work for you?

EH

> -----Original Message-----
> From: breno.demedeiros@gmail.com
> [mailto:breno.demedeiros@gmail.com] On Behalf Of Breno
> Sent: Saturday, March 17, 2012 12:10 PM
> To: Eran Hammer
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
>
> That is much clearer. Thank you.
>
> On Sat, Mar 17, 2012 at 9:17 AM, Eran Hammer <eran@hueniverse.com>
> wrote:
> > How about we phrase it the other way:
> >
> > A clients may be implemented as a distributed set of components, 
> > each with a different client type and security context (e.g. a 
> > distributed client with both a confidential server-based component 
> > and a public browser-based component). If the authorization  server 
> > does not provide support for such clients, or does not provide 
> > guidance with regard to their registration, the client SHOULD 
> > register each
> component as a separate client.
> >
> > This does two thing: put the server's policy first instead of as the 
> > exception,
> and uses SHOULD instead of MUST which seems to be too strong for many 
> people.
> >
> > Better?
> >
> > EH
> >
> >
> >> -----Original Message-----
> >> From: breno.demedeiros@gmail.com
> >> [mailto:breno.demedeiros@gmail.com] On Behalf Of Breno
> >> Sent: Saturday, March 17, 2012 8:50 AM
> >> To: Eran Hammer
> >> Cc: OAuth WG
> >> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
> >>
> >> To summarize, I am weary of registration normative language that 
> >> appears to disallow common practice implemented by servers to 
> >> securely support multi- component applications. If these common 
> >> practices will be non-compliant (or at least it appears to be so on 
> >> first reading by many different people with detailed knowledge of 
> >> the spec), isn't it incumbent on this spec to provide guidance on 
> >> _how_ different components of an application will interoperate 
> >> under different registration? At least for the very common case of 
> >> a webserver + browser component, the importance of which is already
> enshrined in the spec by the definition of two response_types and flows?
> >>
> >> On Thu, Mar 15, 2012 at 3:54 PM, Breno de Medeiros
> <breno@google.com>
> >> wrote:
> >> > On Thu, Mar 15, 2012 at 15:43, Eran Hammer <eran@hueniverse.com>
> >> wrote:
> >> >> I don't know how to better explain myself. Forget about the text 
> >> >> you
> >> have issue with. Just answer this:
> >> >>
> >> >> Reading the specification (with that text removed), what happens 
> >> >> when a
> >> hybrid client wants to register? What client type does it provide?
> >> How should the server handle this case?
> >> >
> >> > In the example case of the webserver + browser-based client 
> >> > components, I think the server should just allow it. The browser 
> >> > does not need to expose the client_secret since it requires no 
> >> > authentication credentials. The webserver should use the client 
> >> > credentials acquired during registration to authenticate itself 
> >> > when using the code flow.
> >> >
> >> > It's more interesting when mobile applications and webserver want 
> >> > to share credentials. The mitigation strategy of limiting 
> >> > lifetime of tokens may not work in this case. In general the 
> >> > registration server should not allow the use of a single 
> >> > registration in this case. This case is different from the above 
> >> > in the sense that installed applications are typically _also_ 
> >> > using the 'code' flow, but from a different security context. A 
> >> > server could allow both clients to share the same registration 
> >> > information, but segregate the set of redirect URLs and tie the 
> >> > code to each security context and apply different client 
> >> > authentication requirements to each. Or the server could require 
> >> > separate client registration for each
> component.
> >> >
> >> >>
> >> >> EH
> >> >>
> >> >>> -----Original Message-----
> >> >>> From: Breno de Medeiros [mailto:breno@google.com]
> >> >>> Sent: Thursday, March 15, 2012 2:12 PM
> >> >>> To: Eran Hammer
> >> >>> Cc: Nat Sakimura; OAuth WG
> >> >>> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 
> >> >>> 23
> >> >>>
> >> >>> On Thu, Mar 15, 2012 at 13:13, Eran Hammer
> <eran@hueniverse.com>
> >> >>> wrote:
> >> >>> > Ok. That's much better than my guess that you wanted to drop 
> >> >>> > all the registration text from the specification.
> >> >>> >
> >> >>> > What I'm looking for is a simple text that answers the question:
> >> >>> >
> >> >>> > "What to do if my client isn't simply public or confidential?"
> >> >>> >
> >> >>> > If we just drop the current text, the answer is implicitly 
> >> >>> > "you can't have such a client" because there is no way to 
> >> >>> > register a client of any other type.
> >> >>> >
> >> >>> > So let's try this again, and focus exclusively on answering 
> >> >>> > this
> question.
> >> >>> > My text takes a position which is, "you can't - unless". Your 
> >> >>> > suggestion is more of a vague discussion of the topic. I'd 
> >> >>> > like to see clear, normative answer to this question.
> >> >>>
> >> >>> The current version is normative but far from clear. In fact, 
> >> >>> the most natural interpretation is that it bans normal practice 
> >> >>> and throws away the work that was done in defining different 
> >> >>> flow types to
> >> support normal practice.
> >> >>>
> >> >>> 1. I don't see the need or desirability to put normative 
> >> >>> language on registration practices.
> >> >>> 2. The contents of said normative language are harmful.
> >> >>>
> >> >>> I suggest two alternatives:
> >> >>>
> >> >>> 1. Remove the language.
> >> >>> 2. Substitute the language by non-normative informative discussion.
> >> >>>
> >> >>> You can also do other things, like introduce normative language 
> >> >>> that makes sense. But I have not yet seen proposed language 
> >> >>> that would be
> >> acceptable.
> >> >>>
> >> >>> >
> >> >>> > EH
> >> >>> >
> >> >>> >
> >> >>> > On 3/15/12 12:30 PM, "Breno de Medeiros" <breno@google.com>
> >> wrote:
> >> >>> >
> >> >>> >>I am proposing the entire removal of:
> >> >>> >>
> >> >>> >>"A client application consisting of multiple components, each 
> >> >>> >>with its own client type (e.g. a distributed client with both 
> >> >>> >>a confidential server-based component and a public 
> >> >>> >>browser-based component), MUST register each component 
> >> >>> >>separately as a different client to ensure proper handling by 
> >> >>> >>the authorization
> server."
> >> >>> >>
> >> >>> >>In particular the example of a server-side component versus 
> >> >>> >>browser-based components is particularly unhelpful since it 
> >> >>> >>violates the entire principle of why two response_type 'code'
> >> >>> >>and 'token' were defined, and how OAuth2 is typically
> implemented.
> >> >>> >>That's when I claim this normative language is redefining the
> protocol.
> >> >>> >>
> >> >>> >>
> >> >>> >>On Thu, Mar 15, 2012 at 12:13, Eran Hammer 
> >> >>> >><eran@hueniverse.com>
> >> >>> wrote:
> >> >>> >>> Which text in -25 are you proposing we remove exactly? I 
> >> >>> >>>can't judge the  text below without the full context of 
> >> >>> >>>where and how it is proposed in the  current document.
> >> >>> >>>
> >> >>> >>> Also, you are ignoring my detailed analysis of the current 
> >> >>> >>>facts. We have  two client types and the issue here is what 
> >> >>> >>>to do with other, undefined  types.
> >> >>> >>>
> >> >>> >>> EH
> >> >>> >>>
> >> >>> >>>
> >> >>> >>> On 3/15/12 11:54 AM, "Breno de Medeiros"
> <breno@google.com>
> >> >>> wrote:
> >> >>> >>>
> >> >>> >>>>My proposal is to remove any reference to registration 
> >> >>> >>>>(which is a red herring and has raised all the problems we 
> >> >>> >>>>refer
> >> >>> >>>>here) and refer to client authentication instead.
> >> >>> >>>>
> >> >>> >>>>Proposal:
> >> >>> >>>>
> >> >>> >>>>"Clients may be implemented as a distributed set of 
> >> >>> >>>>components that run in different security contexts. For 
> >> >>> >>>>instance, a single client may include a webserver component 
> >> >>> >>>>and a script component in a browser. It is not appropriate 
> >> >>> >>>>for the different components to utilize the same client 
> >> >>> >>>>authentication mechanisms, since client authentication 
> >> >>> >>>>credentials that are held securely in one context cannot be
> deployed securely in another.
> >> >>> >>>>
> >> >>> >>>>Servers MUST mitigate security threats from client 
> >> >>> >>>>components that cannot hold client credentials as securely 
> >> >>> >>>>by distinguishing them from client components that can. 
> >> >>> >>>>Example of
> >> suitable measures are:
> >> >>> >>>>
> >> >>> >>>>- Requiring separate registration of components such as web 
> >> >>> >>>>server and a mobile application.
> >> >>> >>>>- Restricting the time validity of tokens issued to clients 
> >> >>> >>>>that hold no authentication credentials, such as browser 
> >> >>> >>>>script-based components."
> >> >>> >>>>
> >> >>> >>>>Please don't truncate explanations in the interest of space 
> >> >>> >>>>if the resulting text is confusing and possibly misleading.
> >> >>> >>>>Better to say nothing instead.
> >> >>> >>>>
> >> >>> >>>>On Thu, Mar 15, 2012 at 11:32, Eran Hammer
> >> <eran@hueniverse.com>
> >> >>> wrote:
> >> >>> >>>>> Here are the facts:
> >> >>> >>>>>
> >> >>> >>>>> The authorization server must know the client type in 
> >> >>> >>>>>order to enforce many  of the requirements in the specification.
> >> >>> >>>>> The requirement to provide a client type is not decorated 
> >> >>> >>>>>with a MUST or  SHALL but that is implied.
> >> >>> >>>>> The specification only defines two client types: public 
> >> >>> >>>>>and confidential.
> >> >>> >>>>> There is no client type defined for a hybrid client.
> >> >>> >>>>> The specification needs to address the very common use 
> >> >>> >>>>>case of clients with  both public and private components.
> >> >>> >>>>>
> >> >>> >>>>> I don't want to discuss in the specification how client 
> >> >>> >>>>>identifiers are  provisioned, nor do I want to discuss the 
> >> >>> >>>>>potential binding of response  types to client types. But 
> >> >>> >>>>>we do need to provide some guidance to clients  and 
> >> >>> >>>>>authorization servers what to do with clients that do not 
> >> >>> >>>>>fit the  current type definitions.
> >> >>> >>>>>
> >> >>> >>>>> It is far too late for us to define a new client type, 
> >> >>> >>>>>along with all the  security considerations that such type 
> >> >>> >>>>>imply. Our entire security  consideration section and 
> >> >>> >>>>>protocol design are based on have a well defined  client type.
> >> >>> >>>>>
> >> >>> >>>>> Requiring separate registration for each component is the 
> >> >>> >>>>> most straight-forward solution. Allowing the 
> >> >>> >>>>> authorization server to offer alternatives is the 
> >> >>> >>>>> backdoor to enable
> extensibility.
> >> >>> >>>>>
> >> >>> >>>>> Within these constraints, I am open to other prose or 
> >> >>> >>>>>creative solutions.
> >> >>> >>>>> But the add-ons proposed are all ugly hacks. They clarify 
> >> >>> >>>>>specific questions  raised which I do not believe 
> >> >>> >>>>>represent the core confusion here which is  what is the 
> >> >>> >>>>>right way to handle hybrid clients.
> >> >>> >>>>>
> >> >>> >>>>> The best way to move forward is to take a minute and ask 
> >> >>> >>>>>the group to share  how they handle such cases or how they 
> >> >>> >>>>>think they should be handled.
> >> >>> >>>>>Based
> >> >>> >>>>> on that we can come up with a clear solution.
> >> >>> >>>>>
> >> >>> >>>>> EH
> >> >>> >>>>>
> >> >>> >>>>> From: Breno de Medeiros <breno@google.com>
> >> >>> >>>>> Date: Thu, 15 Mar 2012 09:56:13 -0700
> >> >>> >>>>> To: Eran Hammer-Lahav <eran@hueniverse.com>
> >> >>> >>>>> Cc: Nat Sakimura <sakimura@gmail.com>, OAuth WG
> >> >>> <oauth@ietf.org>
> >> >>> >>>>>
> >> >>> >>>>> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0
> rev.
> >> >>> >>>>> 23
> >> >>> >>>>>
> >> >>> >>>>>
> >> >>> >>>>>
> >> >>> >>>>> On Thu, Mar 15, 2012 at 07:45, Eran Hammer 
> >> >>> >>>>><eran@hueniverse.com>
> >> >>> >>>>>wrote:
> >> >>> >>>>>>
> >> >>> >>>>>> This add-on is unnecessary. It already says the 
> >> >>> >>>>>>authorization server can  handle it any way it wants. The 
> >> >>> >>>>>>fact that other registration options are  possible 
> >> >>> >>>>>>clearly covers the client identifier reuse case. As for 
> >> >>> >>>>>>the response type, that¹s not an issue but more of an
> optimization for an edge  case raised.
> >> >>> >>>>>
> >> >>> >>>>>
> >> >>> >>>>> It still feels like a horse by committee to me. "unless 
> >> >>> >>>>>the authorization server provides other registration 
> >> >>> >>>>>options to specify such  complex clients." seems a very 
> >> >>> >>>>>round about way to say that the core spec  already 
> >> >>> >>>>>provides for such arrangements in the most common 
> >> >>> >>>>>scenario. It is a  bit of a stretch to say that the server 
> >> >>> >>>>>provides "other registration options" by simply following 
> >> >>> >>>>>strategy already laid out in the
> spec.
> >> >>> >>>>>
> >> >>> >>>>> In particular, I feel that this wording will be harmful 
> >> >>> >>>>>to register extended  behavior, e.g., alternative 
> >> >>> >>>>>response_types by leading to fruitless  conversations 
> >> >>> >>>>>about spec compliance in the absence of real security risks.
> >> >>> >>>>>
> >> >>> >>>>> I do not believe the current text is the best 
> >> >>> >>>>>representation of the spirit  in which the spec was 
> >> >>> >>>>>written (in particular the effort to specify two flows  in 
> >> >>> >>>>>detail to deal with precisely this issue) and possibly 
> >> >>> >>>>>lead to
> harmful  future interpretation.
> >> >>> >>>>>
> >> >>> >>>>>>
> >> >>> >>>>>>
> >> >>> >>>>>>
> >> >>> >>>>>> EH
> >> >>> >>>>>>
> >> >>> >>>>>>
> >> >>> >>>>>>
> >> >>> >>>>>> From: oauth-bounces@ietf.org [mailto:oauth-
> >> bounces@ietf.org]
> >> >>> >>>>>>On Behalf Of  Nat Sakimura
> >> >>> >>>>>> Sent: Thursday, March 15, 2012 2:04 AM
> >> >>> >>>>>> To: Breno de Medeiros; OAuth WG
> >> >>> >>>>>>
> >> >>> >>>>>>
> >> >>> >>>>>> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0
> rev.
> >> >>> >>>>>> 23
> >> >>> >>>>>>
> >> >>> >>>>>>
> >> >>> >>>>>>
> >> >>> >>>>>>
> >> >>> >>>>>>
> >> >>> >>>>>> So, Eran's first proposal:
> >> >>> >>>>>>
> >> >>> >>>>>>
> >> >>> >>>>>>
> >> >>> >>>>>>   A client application consisting of multiple 
> >> >>> >>>>>>components, each with its
> >> >>> >>>>>>   own client type (e.g. a distributed client with both a 
> >> >>> >>>>>>confidential
> >> >>> >>>>>>   server-based component and a public browser-based 
> >> >>> >>>>>>component), MUST
> >> >>> >>>>>>   register each component separately as a different 
> >> >>> >>>>>>client to ensure
> >> >>> >>>>>>
> >> >>> >>>>>>   proper handling by the authorization server, unless 
> >> >>> >>>>>>the authorization
> >> >>> >>>>>>   server provides other registration options to specify 
> >> >>> >>>>>>such complex  clients.
> >> >>> >>>>>>
> >> >>> >>>>>>
> >> >>> >>>>>>
> >> >>> >>>>>> kind of meets my concern. There seems to be another 
> >> >>> >>>>>>issue around the  usefulness of return_type in such case 
> >> >>> >>>>>>raised by Breno, and if I understand  it correctly, 
> >> >>> >>>>>>Eran's answer was that these separate components may have 
> >> >>> >>>>>>the  same client_id
> >> so
> >> >>> >>>>>>that return_type is a valid parameter to be sent at
> the  request.
> >> >>> >>>>>>
> >> >>> >>>>>>
> >> >>> >>>>>>
> >> >>> >>>>>> So, to clarify these, perhaps changing the above text 
> >> >>> >>>>>> slightly to the following solves the problem?
> >> >>> >>>>>>
> >> >>> >>>>>>
> >> >>> >>>>>>
> >> >>> >>>>>>   A client application consisting of multiple 
> >> >>> >>>>>>components, each with its
> >> >>> >>>>>>   own client type (e.g. a distributed client with both a 
> >> >>> >>>>>>confidential
> >> >>> >>>>>>   server-based component and a public browser-based 
> >> >>> >>>>>>component), MUST
> >> >>> >>>>>>   register each component separately as a different 
> >> >>> >>>>>>client to ensure
> >> >>> >>>>>>
> >> >>> >>>>>>   proper handling by the authorization server, unless 
> >> >>> >>>>>>the authorization
> >> >>> >>>>>>   server provides other registration options to specify 
> >> >>> >>>>>>such complex  clients.
> >> >>> >>>>>>
> >> >>> >>>>>>   Each component MAY have the same client_id, in which 
> >> >>> >>>>>>case the server
> >> >>> >>>>>>
> >> >>> >>>>>>   judges the client type and the associated security 
> >> >>> >>>>>>context based on
> >> >>> >>>>>>   the response_type parameter in the request.
> >> >>> >>>>>>
> >> >>> >>>>>>
> >> >>> >>>>>>
> >> >>> >>>>>> Would it solve your problem, Breno?
> >> >>> >>>>>>
> >> >>> >>>>>>
> >> >>> >>>>>>
> >> >>> >>>>>> Best,
> >> >>> >>>>>>
> >> >>> >>>>>>
> >> >>> >>>>>>
> >> >>> >>>>>> =nat
> >> >>> >>>>>>
> >> >>> >>>>>>
> >> >>> >>>>>
> >> >>> >>>>>
> >> >>> >>>>>
> >> >>> >>>>>
> >> >>> >>>>> --
> >> >>> >>>>> --Breno
> >> >>> >>>>
> >> >>> >>>>
> >> >>> >>>>
> >> >>> >>>>--
> >> >>> >>>>--Breno
> >> >>> >>>
> >> >>> >>
> >> >>> >>
> >> >>> >>
> >> >>> >>--
> >> >>> >>--Breno
> >> >>> >
> >> >>>
> >> >>>
> >> >>>
> >> >>> --
> >> >>> --Breno
> >> >
> >> >
> >> >
> >> > --
> >> > --Breno
> >> > _______________________________________________
> >> > OAuth mailing list
> >> > OAuth@ietf.org
> >> > https://www.ietf.org/mailman/listinfo/oauth
> >>
> >>
> >>
> >> --
> >> Breno de Medeiros
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> --
> Breno de Medeiros

v2.23.0 | Report a Bug | By Email