Re: [OAUTH-WG] Client Authentication Method at Device Authorization Endpoint

Filip Skokan <panva.ip@gmail.com> Tue, 04 June 2019 05:33 UTC

From: Filip Skokan <panva.ip@gmail.com>
In-Reply-To: <CAHdPCmP7_zf70aWkzOu=JwNQojHewJ7TSAHnQgZhVf8CabZjMQ@mail.gmail.com>
Date: Tue, 04 Jun 2019 07:33:03 +0200
Cc: oauth <oauth@ietf.org>
Message-Id: <17783579-0738-4F20-985E-6A6EDF847FC8@gmail.com>
References: <CAHdPCmP7_zf70aWkzOu=JwNQojHewJ7TSAHnQgZhVf8CabZjMQ@mail.gmail.com>
To: Takahiko Kawasaki <taka@authlete.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/YHCYn1Y2tKU75ukSnKKvYdHdSss>
Subject: Re: [OAUTH-WG] Client Authentication Method at Device Authorization Endpoint

Hello Takahiko,

Such language already exists in the second-to-last paragraph of Section 3.1. As with CIBA, the client's regular token endpoint auth method is used at the device authorization endpoint.

> The client authentication requirements of Section 3.2.1 of [RFC6749] apply to requests on this endpoint, which means that confidential clients (those that have established client credentials) authenticate in the same manner as when making requests to the token endpoint, and public clients provide the "client_id" parameter to identify themselves.

Sent from my iPhone

On 4 Jun 2019, at 04:10, Takahiko Kawasaki <taka@authlete.com> wrote:

> Hello,
> 
> Do you have any plan to define a rule as to which client authentication method should be used at the device authorization endpoint (which is defined in OAuth 2.0 Device Authorization Grant)?
> 
> Section 4 of CIBA, which has incorporated some ideas/rules/parameters from Device Flow, says as follows.
> 
> The token_endpoint_auth_method indicates the registered authentication method for the client to use when making direct requests to the OP, including requests to both the token endpoint and the backchannel authentication endpoint.
> 
> This means that a backchannel authentication endpoint in CIBA (which corresponds to a device authorization endpoint in Device Flow) performs client authentication using the client authentication method specified by the token_endpoint_auth_method metadata of the client.
> 
> I'd like to know if you have any plan to explicitly add a description like above into the specification of OAuth 2.0 Device Authorization Grant.
> 
> Best Regards,
> Takahiko Kawasaki
> Authlete, Inc.
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
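As an added example (not part of this thread, and not code from any implementation mentioned in it), here is what the paragraph Filip quotes means on the authorization server side: the device authorization endpoint runs the same client authentication routine as the token endpoint, dispatching on the client's registered token_endpoint_auth_method, and a public client is accepted with client_id alone. The client registry, its placeholder secrets, the Request type, the handler names and the sample requests are all constructed for this example; only client_secret_basic, client_secret_post and none are implemented, and other methods (private_key_jwt, tls_client_auth) would plug into the same dispatch.

```python
"""
Client authentication at the device authorization endpoint (RFC 8628 3.1 reuses
RFC 6749 3.2.1): a confidential client authenticates exactly as it does at the
token endpoint, using its registered token_endpoint_auth_method; a public client
only identifies itself with client_id. Everything below (registry, secrets,
Request type, endpoint handler) is constructed for this example.
"""
import base64
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, quote, unquote

# Constructed client registry; the secrets are placeholders, not real credentials.
CLIENTS = {
    "tv-app":   {"token_endpoint_auth_method": "client_secret_basic", "client_secret": "s3cret-basic"},
    "cli-tool": {"token_endpoint_auth_method": "client_secret_post",  "client_secret": "s3cret-post"},
    "kiosk":    {"token_endpoint_auth_method": "none"},   # public client
}


@dataclass
class Request:
    """Hypothetical HTTP request: headers plus an x-www-form-urlencoded body."""
    headers: dict = field(default_factory=dict)
    body: str = ""


def basic_auth_header(client_id, client_secret):
    """Client side of client_secret_basic (RFC 6749 2.3.1): form-urlencode, join, base64."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
    return "Basic " + base64.b64encode(creds).decode()


def _basic_credentials(headers):
    """Parse an Authorization: Basic header into (client_id, client_secret), or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth[len("Basic "):], validate=True).decode()
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None
    if ":" not in raw:
        return None
    client_id, client_secret = raw.split(":", 1)
    return unquote(client_id), unquote(client_secret)


def authenticate_client(req):
    """Return (client_id, None) on success or (None, error_code) on failure.

    The same function serves the token endpoint and the device authorization
    endpoint, so the accepted method cannot drift between the two.
    """
    form = {k: v[-1] for k, v in parse_qs(req.body, keep_blank_values=True).items()}
    basic = _basic_credentials(req.headers)

    # RFC 6749 2.3.1: a client MUST NOT use more than one authentication method per request.
    if basic and "client_secret" in form:
        return None, "invalid_request"
    # A client_id in the body must not contradict the one in the Basic header.
    if basic and form.get("client_id") not in (None, basic[0]):
        return None, "invalid_request"

    client_id = basic[0] if basic else form.get("client_id")
    registration = CLIENTS.get(client_id) if client_id else None
    if registration is None:
        return None, "invalid_client"

    method = registration["token_endpoint_auth_method"]
    if method == "client_secret_basic":
        if basic is None:
            return None, "invalid_client"
        presented = basic[1]
    elif method == "client_secret_post":
        if basic is not None or "client_secret" not in form:
            return None, "invalid_client"
        presented = form["client_secret"]
    elif method == "none":
        # Public client: client_id only. A presented secret means either a
        # misconfigured client or someone probing with guessed credentials.
        if basic is not None or "client_secret" in form:
            return None, "invalid_client"
        return client_id, None
    else:
        # private_key_jwt, tls_client_auth, ... would dispatch here in a real server.
        return None, "invalid_client"

    if not hmac.compare_digest(presented.encode(), registration["client_secret"].encode()):
        return None, "invalid_client"
    return client_id, None


def device_authorization_endpoint(req):
    """RFC 8628 3.1/3.2: authenticate the client like the token endpoint, then issue codes."""
    client_id, error = authenticate_client(req)
    if error:
        # 401 for failed authentication, 400 for a malformed request (RFC 6749 5.2).
        return (401 if error == "invalid_client" else 400), {"error": error}
    return 200, {
        "device_code": secrets.token_urlsafe(32),
        "user_code": "WDJB-MJHT",  # constructed; see RFC 8628 6.1 for generation guidance
        "verification_uri": "https://as.example/device",
        "expires_in": 600,
        "interval": 5,
    }
```

The check worth noticing is the rejection of the wrong method for a registered client: a client registered for client_secret_basic that sends its secret in the body, or a public client that sends any secret at all, gets invalid_client rather than a best-effort match. If the endpoint accepted whatever method the request happened to use, the effective authentication strength of a client would be chosen by whoever sends the request, not by its registration.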