Re: [OAUTH-WG] treatment of client_id for authentication and identification
Eran Hammer-Lahav <eran@hueniverse.com> Wed, 27 July 2011 22:45 UTC
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>, Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 27 Jul 2011 15:45:18 -0700
Cc: oauth <oauth@ietf.org>
There is no clean way of adding it. First, where? In each flow of the token endpoint or just in 3.2? Then how is it defined? Optional? Required for public clients? How does it work alongside authentication? If you use client_password or Basic then it becomes authentication, but otherwise identification? What about duplication between Basic and the parameter? It also means adding a new section discussing client authentication vs. identification, which is currently implicit.

I strongly believe that it is better to have a simple model as the one already defined in -20 and let other use cases find their way around it instead of producing a confusing document that is trying too hard to solve every possible combination. As I said before, we can tweak the definition of client_secret to make it more esthetically pleasing (the server doesn't mind having an empty parameter included, just people), but that's as far as I'm (as WG member) willing to support, especially at this point.

EHL

From: Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Wed, 27 Jul 2011 15:21:16 -0700
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: Eran Hammer-lahav <eran@hueniverse.com>, oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] treatment of client_id for authentication and identification

> I personally think that would be more confusing than just adding the client_id parameter to the token endpoint request (independent of client authentication credentials).
>
> On 27.07.2011 18:17, Brian Campbell wrote:
>> I think that would be helpful, thanks.
>>
>> On Wed, Jul 27, 2011 at 12:43 PM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
>>> If you want, we can tweak section 2.4.1 to make client_secret optional if the secret is the empty string. That will give you exactly what you want without making the document any more confusing.
>>>
>>> EHL
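As an added illustration (not part of the thread, and not code from any WG participant or draft), here is a hypothetical token-endpoint helper that makes the distinction the message raises concrete: a non-empty secret (sent via HTTP Basic or the client_secret parameter) is an authentication attempt, an empty or absent secret is identification only and is accepted solely for clients registered as public, and credentials duplicated between Basic and the parameters must agree or the request is refused. The client registry, the `basic_header` helper and the error strings are constructed for the example.

```python
import base64
import binascii
import hmac
from urllib.parse import parse_qs

# Constructed registry (hypothetical): public clients have the empty string as secret.
CLIENTS = {
    "web-app": {"secret": "s3cret", "confidential": True},
    "native-app": {"secret": "", "confidential": False},
}


def basic_header(client_id, secret):
    """Build the Authorization header value a client sends for HTTP Basic."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def resolve_client(headers, body):
    """Return (client_id, authenticated) for a token request, else raise.
    A non-empty secret (Basic or client_secret parameter) is an authentication
    attempt; an empty or absent one is identification only, accepted solely
    for public clients. Credentials sent both ways must agree."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    basic_id = basic_secret = None
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            raise ValueError("invalid_client: malformed Basic credentials")
        if ":" not in decoded:
            raise ValueError("invalid_client: malformed Basic credentials")
        basic_id, basic_secret = decoded.split(":", 1)
    param_id, param_secret = form.get("client_id"), form.get("client_secret")
    # Credentials sent both via Basic and as parameters: tolerate only if equal.
    if None not in (basic_id, param_id) and basic_id != param_id:
        raise ValueError("invalid_request: conflicting client identities")
    if None not in (basic_secret, param_secret) and basic_secret != param_secret:
        raise ValueError("invalid_request: conflicting client credentials")
    client_id = basic_id if basic_id is not None else param_id
    client = CLIENTS.get(client_id) if client_id is not None else None
    if client is None:
        raise ValueError("invalid_client: unknown or missing client_id")
    secret = basic_secret if basic_secret is not None else param_secret
    if secret:
        if not hmac.compare_digest(secret.encode(), client["secret"].encode()):
            raise ValueError("invalid_client: bad secret")
        return client_id, True
    if client["confidential"]:
        raise ValueError("invalid_client: confidential client must authenticate")
    return client_id, False
```

A confidential client that sends only its client_id is refused rather than downgraded to identification, which is the check a server needs if an empty client_secret is allowed to mean "no authentication".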