Re: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-par-00.txt
Brian Campbell <bcampbell@pingidentity.com> Mon, 30 September 2019 15:22 UTC
On Thu, Sep 26, 2019 at 9:30 AM Aaron Parecki <aaron@parecki.com> wrote:

> > Depending on client type and authentication method, the request might
> > also include the "client_id" parameter.
>
> I assume this is hinting at the difference between public clients
> sending only the "client_id" parameter and confidential clients
> sending only the HTTP Basic Authorization header which includes both
> the client ID and secret? It would probably be helpful to call out
> these two common examples if I am understanding this correctly,
> otherwise it seems pretty vague.

What this is trying to convey is that because client authentication at this Pushed Authorization Request Endpoint happens the same way as at the token endpoint (and other endpoints called directly by the client) the client_id parameter will sometimes be present but not necessarily as some types of client auth use the client_id parameter (none, client_secret_post, tls_client_auth, self_signed_tls_client_auth) and some don't (client_secret_basic, client_secret_jwt, private_key_jwt).

Although the draft does later say "The AS MUST validate the request the same way as at the authorization endpoint" which I think could reasonably be interpreted as requiring client_id. e.g., https://tools.ietf.org/html/rfc6749?#section-4.1.1 & https://tools.ietf.org/html/rfc6749?#section-4.2.1

So perhaps the sentence in question should be removed and have client_id be a required parameter at the PAR endpoint.
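The split described in the message above, as an added example that is not part of the original message or of the draft: a sketch of how an authorization server could locate the claimed client identifier for each authentication method before validating a pushed request. The function names and the rule that a `client_id` parameter sent alongside another mechanism must match it are assumptions of this example.

```python
import base64
import json
from urllib.parse import unquote_plus

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def claimed_client_id(headers, form):
    """Return (client_id, source) for a direct client request.

    This only locates the claimed identifier. Checking the secret, the JWT
    signature or the TLS certificate against that client must still follow.
    """
    claims = []
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        # client_secret_basic: the identifier is the form-encoded user part
        user = base64.b64decode(auth[6:]).decode().split(":", 1)[0]
        claims.append((unquote_plus(user), "client_secret_basic"))
    if form.get("client_assertion_type") == JWT_BEARER:
        # client_secret_jwt / private_key_jwt: iss and sub carry the identifier
        payload = json.loads(b64url_decode(form["client_assertion"].split(".")[1]))
        if not payload.get("sub") or payload.get("iss") != payload["sub"]:
            raise ValueError("assertion iss/sub missing or different")
        claims.append((payload["sub"], "client_assertion"))
    if len(claims) > 1:
        raise ValueError("more than one client authentication mechanism")
    param = form.get("client_id")
    if claims:
        cid, source = claims[0]
        # Assumed policy: a client_id parameter sent alongside must agree
        if param is not None and param != cid:
            raise ValueError("client_id parameter does not match " + source)
        return cid, source
    if param is None:
        raise ValueError("no client identifier in request")
    # none, client_secret_post, tls_client_auth, self_signed_tls_client_auth
    return param, "client_id parameter"

def sample_assertion(client_id):
    """Constructed, unsigned JWT-shaped string for the demo only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc({"iss": client_id, "sub": client_id}), "sig"])

if __name__ == "__main__":
    basic = "Basic " + base64.b64encode(b"app1:constructed-secret").decode()
    print(claimed_client_id({"Authorization": basic}, {}))
    print(claimed_client_id({}, {"client_id": "app1"}))
```
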