Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-reg-09 - token_endpoint_auth_method
John Bradley <ve7jtb@ve7jtb.com> Wed, 24 April 2013 22:41 UTC
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Wed, 24 Apr 2013 19:41:26 -0300
To: Phil Hunt <phil.hunt@oracle.com>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-reg-09 - token_endpoint_auth_method
In Connect the AS may support a number of token endpoint authentication methods. The reason to allow a client to register using a particular one is to prevent downgrade attacks. If the client wants to always use an asymmetric signature you don't want to allow attackers to use weaker methods like HTTP Basic. So a server may support any number of methods, but it is reasonable for a client to specify which one it is going to use.

In a closed system that may not be that useful, but in an open system where the AS has a looser relationship to the client it is important.

John B.

On 2013-04-24, at 7:30 PM, Phil Hunt <phil.hunt@oracle.com> wrote:

> Hmmm… what was the objective or use case for having the client being able to choose in the first place?
>
> It seems to me that the AS will make a decision based on many factors. As you say, there isn't any other place that enumerates the various [authn] methods a client can use to access the token endpoint. So, why do it?
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
> On 2013-04-24, at 2:07 PM, Justin Richer wrote:
>
>> Seems reasonable to me, can you suggest language to add in the capability? Would it require an IANA registry? Right now there isn't any other place that enumerates the various methods that a client can use to access the token endpoint.
>>
>> -- Justin
>>
>> On 04/24/2013 04:17 PM, Phil Hunt wrote:
>>> For parameters to token_endpoint_auth_method, the spec has defined "client_secret_jwt" and "private_key_jwt". Shouldn't there be similar options of SAML?
>>>
>>> Shouldn't there be an extension point for other methods?
>>>
>>> Phil
>>>
>>> @independentid
>>> www.independentid.com
>>> phil.hunt@oracle.com
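The downgrade point John makes above is an enforcement rule on the AS side: whatever methods the server supports, a token request from a registered client is accepted only with the method that client registered. The following is an added illustration, not code from the thread or from any OAuth implementation; the registry contents, the `client_id` values and the request shapes are constructed, and only the method names come from the draft.

```python
"""Added example: AS-side enforcement of a client's registered
token_endpoint_auth_method, so a client registered for private_key_jwt
cannot be authenticated with HTTP Basic or a shared-secret JWT instead."""
import base64
import json

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

# Constructed client registry (hypothetical): client_id -> registered method.
REGISTRY = {
    "s6BhdRkqt3": "private_key_jwt",
    "legacy-app": "client_secret_basic",
}


def _jwt_alg(assertion):
    """Read 'alg' from a compact JWT header; no signature check is done here."""
    header_b64 = assertion.split(".")[0]
    header_b64 += "=" * (-len(header_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(header_b64)).get("alg") or ""


def presented_method(headers, form):
    """Classify how a token request is attempting client authentication."""
    if headers.get("Authorization", "").startswith("Basic "):
        return "client_secret_basic"
    if "client_secret" in form:
        return "client_secret_post"
    if form.get("client_assertion_type") == JWT_BEARER and "client_assertion" in form:
        # HMAC algorithms imply a shared secret; anything else implies a private key.
        return "client_secret_jwt" if _jwt_alg(form["client_assertion"]).startswith("HS") else "private_key_jwt"
    return "none"


def check_auth_method(client_id, headers, form):
    """Accept only the registered method; never fall back to a weaker one."""
    registered = REGISTRY.get(client_id)
    if registered is None:
        return (False, "unknown client")
    used = presented_method(headers, form)
    if used != registered:
        return (False, "registered %s, request used %s" % (registered, used))
    return (True, used)


def constructed_assertion(alg):
    """Constructed JWT-shaped test input with the given alg (unsigned, header only)."""
    hdr = base64.urlsafe_b64encode(json.dumps({"alg": alg}).encode()).rstrip(b"=")
    return hdr.decode() + ".e30.sig"
```

Signature verification of the assertion itself is a separate step that runs only after this check passes.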