Re: [OAUTH-WG] treatment of client_id for authentication and identification
Eran Hammer-Lahav <eran@hueniverse.com> Sun, 04 September 2011 22:28 UTC
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "Richer, Justin P." <jricher@mitre.org>, "Lu, Hui-Lan (Huilan)" <huilan.lu@alcatel-lucent.com>, Brian Campbell <bcampbell@pingidentity.com>
Date: Sun, 04 Sep 2011 15:28:29 -0700
Cc: oauth <oauth@ietf.org>
New tweak:

The security ramifications of allowing unauthenticated access by public clients to the token endpoint, as well as the issuance of refresh tokens to public clients MUST be taken into consideration.

EHL

> -----Original Message-----
> From: Richer, Justin P. [mailto:jricher@mitre.org]
> Sent: Friday, August 19, 2011 4:56 AM
> To: Eran Hammer-Lahav; Lu, Hui-Lan (Huilan); Brian Campbell
> Cc: oauth
> Subject: RE: [OAUTH-WG] treatment of client_id for authentication and
> identification
>
> I find the original text clearer, myself.
>
> -- Justin
> ________________________________________
> From: oauth-bounces@ietf.org [oauth-bounces@ietf.org] On Behalf Of Eran
> Hammer-Lahav [eran@hueniverse.com]
> Sent: Thursday, August 18, 2011 5:16 PM
> To: Lu, Hui-Lan (Huilan); Brian Campbell
> Cc: oauth
> Subject: Re: [OAUTH-WG] treatment of client_id for authentication and
> identification
>
> > -----Original Message-----
> > From: Lu, Hui-Lan (Huilan) [mailto:huilan.lu@alcatel-lucent.com]
> > Sent: Thursday, August 18, 2011 1:45 PM
> > To: Eran Hammer-Lahav; Brian Campbell
> > Cc: oauth
> > Subject: RE: [OAUTH-WG] treatment of client_id for authentication and
> > identification
> >
> > Eran Hammer-Lahav wrote:
> > > Added to 2.4.1:
> > >
> > > client_secret
> > > REQUIRED. The client secret. The client MAY omit the
> > > parameter if the client secret
> > > is an empty string.
> >
> > I would suggest rewording the above as follows:
> > client_secret
> > REQUIRED unless it is an empty string. The client secret.
>
> "unless its value is an empty string". Do people read this new text to mean
> OPTIONAL if not empty?
>
> > > Added to 3.2.1:
> > >
> > > A public client that was not issued a client password MAY use the
> > > 'client_id' request parameter to identify itself when sending
> > > requests to the token endpoint.
> >
> > It is difficult to parse the last sentence of 3.2.1: "The security
> > ramifications of allowing unauthenticated access by public clients to
> > the token endpoint MUST be considered, as well as the issuance of
> > refresh tokens to public clients, their scope, and lifetime."
> >
> > I think it should be rewritten and reference relevant parts of
> > security considerations.
>
> Text?
>
> EHL
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
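An added example (not code from this thread or from the OAuth draft) of how a token endpoint could apply the 2.4.1 / 3.2.1 rules under discussion: a client with a non-empty secret must present it, a client whose secret is the empty string is identified by client_id alone, and refresh-token issuance to such public clients is gated by explicit policy. The client registry, secrets and policy flags are constructed for illustration.

```python
from dataclasses import dataclass
import hmac


@dataclass
class Client:
    client_id: str
    client_secret: str           # "" means no client password was issued (public client)
    refresh_tokens_allowed: bool  # constructed policy flag, see may_issue_refresh_token


# Constructed registry: one confidential client, one public client.
CLIENTS = {
    "s6BhdRkqt3": Client("s6BhdRkqt3", "7Fjfp0ZBr1KtDRbnfVdmIw", True),
    "mobile-app": Client("mobile-app", "", False),
}


def authenticate_client(params: dict) -> Client:
    """Apply the quoted 2.4.1 / 3.2.1 rules to a parsed token request body.

    - client_id is always required to identify the client.
    - A client with a non-empty secret MUST present it, and it must match.
    - A client whose secret is the empty string MAY omit client_secret and is
      treated as an identified but unauthenticated public client.
    """
    client = CLIENTS.get(params.get("client_id", ""))
    if client is None:
        raise PermissionError("invalid_client: unknown client_id")
    presented = params.get("client_secret", "")
    if client.client_secret == "":
        # Public client: a stray secret is rejected rather than silently ignored,
        # so a misconfigured client is noticed instead of appearing authenticated.
        if presented != "":
            raise PermissionError("invalid_client: public client sent a secret")
        return client
    if not hmac.compare_digest(presented, client.client_secret):
        raise PermissionError("invalid_client: bad or missing client_secret")
    return client


def may_issue_refresh_token(client: Client) -> bool:
    """Policy hook for the 'refresh tokens to public clients' consideration:
    authenticated clients may get one; unauthenticated clients only if allowed."""
    return client.client_secret != "" or client.refresh_tokens_allowed


def is_rejected(params: dict) -> bool:
    """True when authenticate_client refuses the request (used by callers/tests)."""
    try:
        authenticate_client(params)
    except PermissionError:
        return True
    return False
```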