Re: [OAUTH-WG] treatment of client_id for authentication and identification

Eran Hammer-Lahav <> Wed, 27 July 2011 22:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B95EA21F8677 for <>; Wed, 27 Jul 2011 15:45:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.559
X-Spam-Status: No, score=-2.559 tagged_above=-999 required=5 tests=[AWL=0.039, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id F52NLPbT3u6r for <>; Wed, 27 Jul 2011 15:45:28 -0700 (PDT)
Received: from ( []) by (Postfix) with SMTP id 155D221F863E for <>; Wed, 27 Jul 2011 15:45:27 -0700 (PDT)
Received: (qmail 8162 invoked from network); 27 Jul 2011 22:45:27 -0000
Received: from unknown (HELO ( by with SMTP; 27 Jul 2011 22:45:27 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([]) by P3PW5EX1HT001.EX1.SECURESERVER.NET ([]) with mapi; Wed, 27 Jul 2011 15:45:24 -0700
From: Eran Hammer-Lahav <>
To: Torsten Lodderstedt <>, Brian Campbell <>
Date: Wed, 27 Jul 2011 15:45:18 -0700
Thread-Topic: [OAUTH-WG] treatment of client_id for authentication and identification
Thread-Index: AcxMrt8bIIBw2zknS1ycqSKWZSaIbw==
Message-ID: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_CA55E10E17514eranhueniversecom_"
MIME-Version: 1.0
Cc: oauth <>
Subject: Re: [OAUTH-WG] treatment of client_id for authentication and identification
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 27 Jul 2011 22:45:28 -0000

There is not clean way of adding it.

First where? In each flow of the token endpoint or just in 3.2? Then how is it defined? Optional? Required for public clients? How does it work alongside authentication? If you use client_password or Basic then it becomes authentication but otherwise identification? What about duplication between Basic and the parameter? It also means adding a new section discussing client authentication vs identification which is currently implicit.

I strongly believe that it is better to have a simple model as the one already defined in –20 and let other use case find their way around it instead of producing a confusing document that is trying to hard to solve every possible combination.

As I said before, we can tweak the definition of client_secret to make it more esthetically pleasing (the server doesn't mind having an empty parameter included, just people), but that's as far am I'm (as wg member) willing to support, especially at this point.


From: Torsten Lodderstedt <<>>
Date: Wed, 27 Jul 2011 15:21:16 -0700
To: Brian Campbell <<>>
Cc: Eran Hammer-lahav <<>>, oauth <<>>
Subject: Re: [OAUTH-WG] treatment of client_id for authentication and identification

I personally think that would be more confusing than just adding the
client_id parameter to the token endpoint request (independent of client
authentication credentials).

Am 27.07.2011 18:17, schrieb Brian Campbell:
I think that would be helpful, thanks.

On Wed, Jul 27, 2011 at 12:43 PM, Eran Hammer-Lahav<<>>  wrote:
If you want, we can tweak section 2.4.1 to make client_secret optional if
the secret is the empty string. That will give you exactly what you want
without making the document any more confusing.