[OAUTH-WG] Assertions: Client authentication for non-token endpoints?

Hannes Tschofenig <hannes.tschofenig@gmx.net> Wed, 23 April 2014 12:12 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/o7SAJ-FJ0wY7qi4ZMXXSLGs-LeY

Hi all,

In a discussion about re-using the client authentication part of the
assertion framework for other specifications currently in progress I ran
into the following question:

Section 6.1 of
http://tools.ietf.org/html/draft-ietf-oauth-assertions-15 talks about
the client using the assertion with the **token endpoint**.

Now, it appears that one cannot use the client authentication with other
endpoints, such as the introspection endpoint defined in
http://tools.ietf.org/html/draft-richer-oauth-introspection-04#section-2

Am I reading too much into Section 6.1 of the assertion draft?

Ciao
Hannes