[OAUTH-WG] assertion, client_assertion_type and client_assertion

Marius Scurtescu <mscurtescu@google.com> Sun, 30 January 2011 22:27 UTC

Return-Path: <mscurtescu@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id 910113A6881 for <oauth@core3.amsl.com>; Sun, 30 Jan 2011 14:27:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.003
X-Spam-Status: No, score=-104.003 tagged_above=-999 required=5 tests=[AWL=-1.026, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id tk1tXXGfp0II for <oauth@core3.amsl.com>; Sun, 30 Jan 2011 14:27:24 -0800 (PST)
Received: from smtp-out.google.com (smtp-out.google.com []) by core3.amsl.com (Postfix) with ESMTP id 5C88A3A6849 for <oauth@ietf.org>; Sun, 30 Jan 2011 14:27:24 -0800 (PST)
Received: from hpaq7.eem.corp.google.com (hpaq7.eem.corp.google.com []) by smtp-out.google.com with ESMTP id p0UMUZ5S008609 for <oauth@ietf.org>; Sun, 30 Jan 2011 14:30:35 -0800
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1296426635; bh=QW05pTqDzsKeXwAgFviMfVuMv28=; h=MIME-Version:From:Date:Message-ID:Subject:To:Content-Type; b=UtdF3Vl+W6mt02ygtdI4aNlfc+R/FEU+pQMKrJ8eJwF48/q9ADxCn0l9LZmX5ZeoU zjNr+zuN5Aci/Poyz6DoQ==
Received: from gwj23 (gwj23.prod.google.com []) by hpaq7.eem.corp.google.com with ESMTP id p0UMUIJL013499 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT) for <oauth@ietf.org>; Sun, 30 Jan 2011 14:30:34 -0800
Received: by gwj23 with SMTP id 23so2821566gwj.15 for <oauth@ietf.org>; Sun, 30 Jan 2011 14:30:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:mime-version:from:date:message-id:subject:to :content-type; bh=tnP2QapAYwUVnRDavg1jtMdUCT2Pqe/8SjQ2h4EJyDQ=; b=jS1QOSg7qWHFPSaW7EgUnUFWkh4QJ3fsL54GOJDK+db3EfxtwOs4qXKX78Fvl+ob2q zQUY0g50ho+eolTDVQhg==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:from:date:message-id:subject:to:content-type; b=WILrQXapGnPe5pOcYBlTmeXxGwwYqtmV/xOBC/1vfUKa5QeE5ETrtJH0f/CEZLlhoV 3UxW76LiqOrnmLQCeT9w==
Received: by with SMTP id t13mr3454648anb.112.1296426634404; Sun, 30 Jan 2011 14:30:34 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Sun, 30 Jan 2011 14:30:14 -0800 (PST)
From: Marius Scurtescu <mscurtescu@google.com>
Date: Sun, 30 Jan 2011 14:30:14 -0800
Message-ID: <AANLkTimcMgFuvXan75UiE0tobMMtbN2UMfV1ehkoM_z4@mail.gmail.com>
To: OAuth WG <oauth@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1
X-System-Of-Record: true
Subject: [OAUTH-WG] assertion, client_assertion_type and client_assertion
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Jan 2011 22:27:25 -0000

I would like to bring up one more argument to keep the assertion,
client_assertion_type and client_assertion parameters in core.

If I understood correctly, the main argument to remove them from core
was that they are underspecified and extensions are needed anyhow
before they are useful.

First of all, this is not true for client_assertion_type and
client_assertion. A client can acquire assertions from an IdP that
works intimately with the client. In this case the client knows how to
get a client assertion and then how to present it to the Authorization
Server, but it really does not need to know anything more. The IdP and
the Authorization Server do need to agree on format and keys, but not
the client.

I agree that this is a less used use case, and that currently there
are no implementations to point at (as far as I know), but there is
another reason to keep these parameters in core.

The assertion parameter was in core, but it was removed and now it is
defined by SAML 2.0 Bearer Assertion Grant Type Profile. What will the
next assertion extension do, let's say JWT? It can either re-define
the assertion parameter or it can reference SAML 2.0 Bearer. Does
re-defining imply registration as well? How would that work? Having
JWT depend on SAML does not make much sense.

While the above issue is minor, I think it would be useful if core
defined these parameters as extension points.