Re: [OAUTH-WG] treatment of client_id for authentication and identification

Brian Campbell <> Wed, 27 July 2011 17:47 UTC

From: Brian Campbell <>
Date: Wed, 27 Jul 2011 11:46:39 -0600
To: Torsten Lodderstedt <>
Cc: oauth <>
Subject: Re: [OAUTH-WG] treatment of client_id for authentication and identification

That was more or less what I was trying to say as well.  There are
times when "client identification" is needed at the token endpoint and
it's not clear if or how, short of actual authentication, the current
spec allows for it.

On Wed, Jul 27, 2011 at 11:38 AM, Torsten Lodderstedt
<> wrote:
> On 27.07.2011 12:08, Eran Hammer-Lahav wrote:
> The way I've set it up in –18 is that the client_id parameter in the
> authorization endpoint is used to identify the client registration record.
> The identifier is described in section 2.3. Then in section 2.4.1 the
> parameter is "extended" for use with the token endpoint for client
> authentication when Basic is not available.
> So the idea is that the only place you should be using client_id is with the
> authorization endpoint to reference the client registration information
> (needed to look up the redirection URI). I have argued in the past that a
> future extension to remove the need to register clients should make this
> parameter optional but that's outside our current scope.
> The token endpoint performs client authentication instead of "client
> identification" using the client identifier as username.
> It can do so for confidential clients only. What about public clients using
> e.g. the Resource Owners Password flow? I see the need to identify them as
> well. For example, if the authz server issues a refresh token to such a
> client there must be a way to relate this token to a certain client in order
> to give the user a chance to revoke this specific token.
> regards,
> Torsten.
> Hope this helps.
> From: Brian Campbell <>
> Date: Wed, 27 Jul 2011 04:32:42 -0700
> To: Eran Hammer-lahav <>
> Cc: oauth <>
> Subject: Re: [OAUTH-WG] treatment of client_id for authentication and
> identification
> Okay, looking at some of those drafts again, I see that now. Except
> for -16 they are all pretty similar on client_id back to -10.
> Apparently it was my misunderstanding.  Maybe I'm the only one who
> doesn't get it but I do think it could be clearer.  I'd propose some
> text but I'm still not fully sure I understand what is intended.
> If a client doesn't have a secret, is client_id a SHOULD NOT, a MUST
> NOT or OPTIONAL to be included on token endpoint requests?
> Here's a specific question/example to illustrate my continued
> confusion - it would seem like the majority of clients that would use
> the Resource Owner Password Credentials grant (although 4.3.2 shows
> the use of HTTP Basic) would be "public" clients.  How is it expected
> that such clients identify themselves to the AS?  The client identity,
> even if not something that can be strongly relied on, is useful for
> things like presenting a list of access grants to the user for
> revocation.
> On Tue, Jul 26, 2011 at 12:17 PM, Eran Hammer-Lahav <>
> wrote:
> Not exactly.
> The current setup was pretty stable up to –15. In –16 I tried to clean it up
> by moving the parameter into each token endpoint type definition. That
> didn't work and was more confusing so in –17 I reverted back to the –15
> approach.
> What makes this stand out in –20 is that all the examples now use HTTP Basic
> instead of the parameters (since we decided to make them NOT RECOMMENDED).
> So it feels sudden that client_id is gone, but none of this is actually much
> different from –15 on. Client authentication is still performed the same
> way, and the role of client_id is just as an alternative to using HTTP Basic
> on the token endpoint.
> I think the current text is sufficient, but if you want to provide specific
> additions I'm open to it.
> From: Brian Campbell <>
> Date: Tue, 26 Jul 2011 10:16:21 -0700
> To: Eran Hammer-lahav <>
> Cc: oauth <>
> Subject: Re: [OAUTH-WG] treatment of client_id for authentication and
> identification
> I'm probably somewhat biased by having read previous versions of the
> spec, previous WG list discussions, and my current AS implementation
> (which expects client_id) but this seems like a fairly big departure
> from what was in -16.  I'm okay with the change but feel it's worth
> mentioning that it's likely an incompatible one.
> That aside, I feel like it could use some more explanation in
> draft-ietf-oauth-v2 because, at least to me and hence my question, it
> wasn't entirely clear how client_id should be used for those cases.
> On Mon, Jul 25, 2011 at 4:18 PM, Eran Hammer-Lahav <>
> wrote:
> The client_id is currently only defined for password authentication on the
> token endpoint. If you are using Basic or any other form of authentication
> (or no authentication at all), you are not going to use the client_id
> parameter.
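
The distinction this thread draws between client authentication and client identification at the token endpoint, as an added sketch that is not text from the draft or code from any participant: a confidential client authenticates with HTTP Basic, a public client using the Resource Owner Password Credentials grant is only identified by a bare client_id, and each refresh token is recorded against that client so the user can revoke it per client. The registry, the function names and the `client_authenticated` flag are assumptions made for illustration.

```python
import base64
import hmac
import secrets

# Constructed registrations: a confidential client has a secret, a public one has none.
CLIENTS = {"web-app": {"secret": "s3cr3t"}, "mobile-app": {"secret": None}}
GRANTS = {}  # refresh token -> {"user", "client_id", "client_authenticated"}

def resolve_client(headers, form):
    """Return (client_id, authenticated); raise ValueError("invalid_client") otherwise."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            cid, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:  # malformed base64 or non-UTF-8 credentials
            raise ValueError("invalid_client")
        rec = CLIENTS.get(cid)
        if not rec or rec["secret"] is None or not hmac.compare_digest(
                rec["secret"].encode(), secret.encode()):
            raise ValueError("invalid_client")
        return cid, True
    # Identification only: a bare client_id is accepted solely for clients registered
    # without a secret, so a confidential client cannot skip authentication this way.
    rec = CLIENTS.get(form.get("client_id"))
    if rec is None or rec["secret"] is not None:
        raise ValueError("invalid_client")
    return form["client_id"], False

def password_grant(headers, form, check_user):
    """Resource Owner Password Credentials grant; returns a refresh token."""
    cid, authed = resolve_client(headers, form)
    if not check_user(form.get("username"), form.get("password")):
        raise ValueError("invalid_grant")
    token = secrets.token_urlsafe(32)
    GRANTS[token] = {"user": form["username"], "client_id": cid,
                     "client_authenticated": authed}
    return token

def list_grants(user):
    """What a revocation page would show: client plus whether its identity was proven."""
    return sorted({(g["client_id"], g["client_authenticated"])
                   for g in GRANTS.values() if g["user"] == user})

def revoke(user, client_id):
    """Drop every refresh token this user granted to one client; return the count."""
    doomed = [t for t, g in GRANTS.items()
              if g["user"] == user and g["client_id"] == client_id]
    for t in doomed:
        del GRANTS[t]
    return len(doomed)
```

Keeping the `client_authenticated` flag with each grant lets the revocation list mark entries whose client identity was only asserted, which matches the thread's point that the identity is useful even when it cannot be strongly relied on.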