Re: [OAUTH-WG] Report an authentication issue

John Bradley <ve7jtb@ve7jtb.com> Fri, 29 June 2012 18:25 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <8C18C43D-AC63-465A-ADC2-966CE7F38685@gmail.com>
Date: Fri, 29 Jun 2012 14:25:12 -0400
Message-Id: <795DFC7B-9218-40E2-871D-E52B07C1B718@ve7jtb.com>
References: <CAEEmcpEcNqNHwfVozD-NtfkruiB-v0MTszwNL4cob2rL=QQTSA@mail.gmail.com> <4FE223E4.6060307@mitre.org> <4FE226BC.6010403@alcatel-lucent.com> <59E470B10C4630419ED717AC79FCF9A910889AB5@BL2PRD0410MB363.namprd04.prod.outlook.com> <CABzCy2CLe_DVcxiD1EasuhtG1_6+6tCtV5TckZ80fvqyjan_bA@mail.gmail.com> <59E470B10C4630419ED717AC79FCF9A917052BC8@SN2PRD0410MB370.namprd04.prod.outlook.com> <4FE37D38.1030407@gmail.com> <CABzCy2A_zJ3vaauoo6VwsmLWsTesdTujuQ4dHdVpc5Nh==iEFg@mail.gmail.com> <59E470B10C4630419ED717AC79FCF9A91A2C8949@CH1PRD0410MB369.namprd04.prod.outlook.com> <CABzCy2DzmNgmMALNfc1qp95fwD2WULb-49DkyLiZnjXngAmaPg@mail.gmail.com> <59E470B10C4630419ED717AC79FCF9A91A2D1309@CH1PRD0410MB369.namprd04.prod.outlook.com> <496AFB1D-A609-4188-B92D-2185E8880388@ve7jtb.com> <59E470B10C4630419ED717AC79FCF9A91A2D13C9@CH1PRD0410MB369.namprd04.prod.outlook.com> <67F8B633-E4C8-42F6-B84C-FDBC337B7EEA@ve7jtb.com> <04C05FAA-63BC-4441-8540-36280E40DB98@adobe.com> <4FEDE4AF.9030107@mitre.org> <4DD23AA1-C319-477A-B0CB-34E558EB7FCC@ve7jtb.com> <8C18C43D-AC63-465A-ADC2-966CE7F38685@gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Report an authentication issue

I agree. If there is no good reason for the token endpoint not to check the client_id with public clients, then we should add that it SHOULD or MUST be checked for the authorization_code and refresh_token grant types.

Though I don't know if we want to get carried away with the whole agreeing thing.

John B.
On 2012-06-29, at 2:14 PM, Dick Hardt wrote:

> 
> On Jun 29, 2012, at 11:06 AM, John Bradley wrote:
> 
>> It is nice to know that I may occasionally be correct:)
> 
> You must be delighted when it happens! ;)
> 
>> You may assume that it is reasonable for a client with a code to make a request to the token endpoint including its client_id, and for the server to only give out the access token if the client_id in the token request matches the one in the original authorization request. However, the spec specifically doesn't require that.
> 
> I think that is an error in the spec and should be changed, or text added saying that the client_id SHOULD be checked.
> 
> -- Dick
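The check the thread is asking for, as an added example that is not part of the original message and not any working-group text: a minimal in-memory token endpoint that records which client_id an authorization code or refresh token was issued to and refuses to redeem it for any other public client. The `check_client_binding=False` path reproduces the gap being discussed, where the endpoint verifies the code and redirect_uri but never compares client_id with the grant's owner; a leaked code can then be redeemed by any registered public client. All client identifiers, redirect URIs and helper names below are constructed for the demo. (RFC 6749 as later published does require this in section 4.1.3 for public clients.)

```python
"""Added example: OAuth 2.0 token endpoint that binds authorization codes and
refresh tokens to the public client_id that obtained them.  Demo data only;
nothing here is the working group's text or any real implementation."""

import secrets
import time

CODE_TTL_SECONDS = 600  # short-lived codes, per RFC 6749 guidance

# Registered public clients (no client_secret), keyed by client_id.  Constructed.
clients = {
    "legit-app": {"redirect_uri": "https://legit.example/cb"},
    "evil-app": {"redirect_uri": "https://evil.example/cb"},
}

auth_codes = {}      # code -> {client_id, redirect_uri, scope, issued, used}
refresh_tokens = {}  # refresh_token -> {client_id, scope}
access_tokens = {}   # access_token -> {client_id, scope}


def issue_authorization_code(client_id, redirect_uri, scope):
    """Authorization endpoint: mint a code bound to the requesting client."""
    if client_id not in clients or clients[client_id]["redirect_uri"] != redirect_uri:
        raise ValueError("invalid_request")
    code = secrets.token_urlsafe(32)
    auth_codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                        "scope": scope, "issued": time.time(), "used": False}
    return code


def _mint_tokens(client_id, scope):
    """Issue an access/refresh token pair owned by client_id."""
    access = secrets.token_urlsafe(32)
    refresh = secrets.token_urlsafe(32)
    access_tokens[access] = {"client_id": client_id, "scope": scope}
    refresh_tokens[refresh] = {"client_id": client_id, "scope": scope}
    return {"access_token": access, "refresh_token": refresh,
            "token_type": "Bearer", "scope": scope}


def token_endpoint(form, check_client_binding=True):
    """Token endpoint; `form` is the parsed x-www-form-urlencoded body.

    check_client_binding=False models the behaviour the thread is worried about:
    the endpoint never compares client_id against the grant's owner."""
    grant = form.get("grant_type")
    client_id = form.get("client_id")
    if client_id not in clients:
        return {"error": "invalid_client"}

    if grant == "authorization_code":
        rec = auth_codes.get(form.get("code"))
        if rec is None or rec["used"] or time.time() - rec["issued"] > CODE_TTL_SECONDS:
            return {"error": "invalid_grant"}
        if check_client_binding and rec["client_id"] != client_id:
            # Code presented by a client other than the one it was issued to:
            # reject, and burn the code so it cannot be replayed by anyone.
            rec["used"] = True
            return {"error": "invalid_grant"}
        # redirect_uri must equal the one in the authorization request.
        if form.get("redirect_uri") != rec["redirect_uri"]:
            return {"error": "invalid_grant"}
        rec["used"] = True  # codes are single use
        return _mint_tokens(rec["client_id"], rec["scope"])

    if grant == "refresh_token":
        rec = refresh_tokens.get(form.get("refresh_token"))
        if rec is None:
            return {"error": "invalid_grant"}
        if check_client_binding and rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        return _mint_tokens(rec["client_id"], rec["scope"])

    return {"error": "unsupported_grant_type"}


def demo_stolen_code(check_client_binding):
    """A code issued to legit-app leaks; evil-app tries to redeem it with its
    own client_id while replaying legit-app's redirect_uri as a parameter."""
    code = issue_authorization_code("legit-app", "https://legit.example/cb", "read")
    return token_endpoint({"grant_type": "authorization_code", "code": code,
                           "client_id": "evil-app",
                           "redirect_uri": "https://legit.example/cb"},
                          check_client_binding=check_client_binding)


if __name__ == "__main__":
    print("unchecked:", demo_stolen_code(False))  # tokens issued to evil-app's request
    print("checked:  ", demo_stolen_code(True))   # {'error': 'invalid_grant'}
```

The redirect_uri comparison alone does not close the hole, because the attacker simply sends the victim client's redirect_uri as a form parameter; only the stored client_id binding distinguishes the two requests. The same binding is applied to refresh_token, which is the other grant type named in the message above.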