Re: [OAUTH-WG] Assertions: Client authentication for non-token endpoints?

[Justin Richer <jricher@mitre.org>]

This is the intent of my draft (and results of my implementation), and 
if the WG ever picks up token introspection as a work item then we can 
make sure it says that.

  -- Justin

On 04/24/2014 08:44 AM, Brian Campbell wrote:
> Perhaps it'd be more appropriate for this introspection endpoint to 
> say that it accepts the same client authentication mechanisms as the 
> token endpoint rather than describing specific methods itself in the 
> document?
>
>
> On Thu, Apr 24, 2014 at 3:09 AM, Hannes Tschofenig 
> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
>
>     Hi Brian,
>
>     does it sound reasonable for you to add text to the token
>     introspection
>     endpoint regarding the use of the JWT bearer assertion for the token
>     introspection endpoint?
>
>     Ciao
>     Hannes
>
>     On 04/24/2014 12:58 AM, Brian Campbell wrote:
>     > Just to pile on here - the Assertions draft(s) do define client
>     > assertion authentication only for the token endpoint (and
>     register token
>     > endpoint parameters). But it certainly doesn't preclude it from
>     being
>     > profiled for use elsewhere.
>     >
>     > FWIW we used the token endpoint in our implementation of token
>     > introspection/validation partly because all supported forms of
>     client
>     > authentication come along for free by doing so. My esteemed
>     colleague,
>     > Dr. Paul Madsen, posted a rough draft of what we've implemented in
>     > product a while back:
>     > http://www.ietf.org/mail-archive/web/oauth/current/msg08607.html
>     >
>     >
>     > On Wed, Apr 23, 2014 at 10:49 AM, Justin Richer
>     <jricher@mitre.org <mailto:jricher@mitre.org>
>     > <mailto:jricher@mitre.org <mailto:jricher@mitre.org>>> wrote:
>     >
>     >     For introspection, we really just wanted to say "you can
>     >     authenticate the caller (client or RP) just like you would
>     to the
>     >     token endpoint". So if you've got the means to do that with the
>     >     assertion draft or with client secrets or TLS certs or anything
>     >     else, go for it. I would not read the text of the assertions
>     draft
>     >     as restricting this other use case.
>     >
>     >      -- Justin
>     >
>     >
>     >     On 04/23/2014 12:42 PM, Mike Jones wrote:
>     >
>     >         The assertions draft is only trying to describe how to
>     perform
>     >         assertion-based authentication at the Token Endpoint.  Other
>     >         drafts, such as the introspection draft, could
>     explicitly say
>     >         that this can also be done in the same manner there, but
>     that's
>     >         an extension, and should be specified by the extension
>     draft, if
>     >         appropriate - not in the assertions draft.
>     >
>     >         Justin may have more to say about the applicability or
>     lack of
>     >         it to the introspection draft, but I'm personally not
>     familiar
>     >         with it.
>     >
>     >                                         -- Mike
>     >
>     >         -----Original Message-----
>     >         From: OAuth [mailto:oauth-bounces@ietf.org
>     <mailto:oauth-bounces@ietf.org>
>     >         <mailto:oauth-bounces@ietf.org
>     <mailto:oauth-bounces@ietf.org>>__] On Behalf Of Hannes Tschofenig
>     >         Sent: Wednesday, April 23, 2014 5:09 AM
>     >         To: oauth@ietf.org <mailto:oauth@ietf.org>
>     <mailto:oauth@ietf.org <mailto:oauth@ietf.org>>
>     >         Subject: [OAUTH-WG] Assertions: Client authentication for
>     >         non-token endpoints?
>     >
>     >         Hi all,
>     >
>     >         in a discussion about re-using the client authentication
>     part of
>     >         the assertion framework for other specifications
>     currently in
>     >         progress I ran into the following question:
>     >
>     >         Section 6.1 of
>     > http://tools.ietf.org/html/__draft-ietf-oauth-assertions-15
>     >         <http://tools.ietf.org/html/draft-ietf-oauth-assertions-15>
>     >         talks about the client using the assertion with the **token
>     >         endpoint**.
>     >
>     >         Now, it appears that one cannot use the client
>     authentication
>     >         with other endpoints, such as the introspection endpoint
>     defined in
>     >
>     http://tools.ietf.org/html/__draft-richer-oauth-__introspection-04#section-2
>     >        
>     <http://tools.ietf.org/html/draft-richer-oauth-introspection-04#section-2>
>     >
>     >         Am I reading too much into Section 6.1 of the assertion
>     draft?
>     >
>     >         Ciao
>     >         Hannes
>     >
>     > _________________________________________________
>     >         OAuth mailing list
>     > OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org
>     <mailto:OAuth@ietf.org>>
>     > https://www.ietf.org/mailman/__listinfo/oauth
>     >         <https://www.ietf.org/mailman/listinfo/oauth>
>     >
>     >
>     >     _________________________________________________
>     >     OAuth mailing list
>     > OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org
>     <mailto:OAuth@ietf.org>>
>     > https://www.ietf.org/mailman/__listinfo/oauth
>     >     <https://www.ietf.org/mailman/listinfo/oauth>
>     >
>     >
>
>