[OAUTH-WG] OAuth Parameter Registration Template

Hannes Tschofenig <hannes.tschofenig@gmx.net> Sun, 24 June 2012 13:17 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 0A3E821F8617 for <oauth@ietfa.amsl.com>; Sun, 24 Jun 2012 06:17:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.567
X-Spam-Status: No, score=-102.567 tagged_above=-999 required=5 tests=[AWL=0.032, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id ttL2twGwuz9v for <oauth@ietfa.amsl.com>; Sun, 24 Jun 2012 06:17:51 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net []) by ietfa.amsl.com (Postfix) with SMTP id EC5DE21F85D2 for <oauth@ietf.org>; Sun, 24 Jun 2012 06:17:50 -0700 (PDT)
Received: (qmail invoked by alias); 24 Jun 2012 13:17:49 -0000
Received: from a88-115-216-191.elisa-laajakaista.fi (EHLO []) [] by mail.gmx.net (mp002) with SMTP; 24 Jun 2012 15:17:49 +0200
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX1+92xlQQLu929OSiaPrgxSGkU9IWf6OvMr86ay0PB z5yVU3dOa05jFV
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Sun, 24 Jun 2012 16:17:48 +0300
Message-Id: <4F1F7754-CF91-4C07-A4B6-20AB94C2E2B2@gmx.net>
To: OAuth WG <oauth@ietf.org>
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
X-Y-GMX-Trusted: 0
Subject: [OAUTH-WG] OAuth Parameter Registration Template
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Jun 2012 13:17:52 -0000

Hi all, 

working on the proposed text for the OAuth assertions draft I noticed an interesting aspect in the core specification regarding Section 11.2.1, which defines the registration template for OAuth parameters. 

The template lists all possible usage locations of parameters, namely authorization request, authorization response, token request, or token response.

Here is the first issue: these locations are not defined anywhere in the document and so one can only guess to what part of the protocol exchange they belong. 

I agree that it may not be very difficult to guess but obviously it is not completely obvious. It would have been nice if there is actually a match with Figure 1, for example. 

http://tools.ietf.org/html/draft-ietf-oauth-assertions-03, for example, uses a location that is not in the above list, namely 'client authentication'. 

Client authentication can also happen in the interaction between the client and the resource server but the exchanges are not part of the allowed list of usage locations.