[OAUTH-WG] treatment of client_id for authentication and identification
Brian Campbell <bcampbell@pingidentity.com> Mon, 25 July 2011 15:18 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5846C21F8E0E for <oauth@ietfa.amsl.com>; Mon, 25 Jul 2011 08:18:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.946
X-Spam-Level:
X-Spam-Status: No, score=-5.946 tagged_above=-999 required=5 tests=[AWL=0.031, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bpVXBJuHRBW1 for <oauth@ietfa.amsl.com>; Mon, 25 Jul 2011 08:18:58 -0700 (PDT)
Received: from na3sys009aog110.obsmtp.com (na3sys009aog110.obsmtp.com [74.125.149.203]) by ietfa.amsl.com (Postfix) with ESMTP id 4731C21F8B7D for <oauth@ietf.org>; Mon, 25 Jul 2011 07:02:32 -0700 (PDT)
Received: from mail-qy0-f179.google.com ([209.85.216.179]) (using TLSv1) by na3sys009aob110.postini.com ([74.125.148.12]) with SMTP ID DSNKTi13d5xITdTB/mezOzeEDHo0Rq6JwCGR@postini.com; Mon, 25 Jul 2011 07:02:33 PDT
Received: by mail-qy0-f179.google.com with SMTP id 29so2956664qyk.10 for <oauth@ietf.org>; Mon, 25 Jul 2011 07:02:31 -0700 (PDT)
Received: by 10.224.207.193 with SMTP id fz1mr3779150qab.43.1311602551161; Mon, 25 Jul 2011 07:02:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.224.11.68 with HTTP; Mon, 25 Jul 2011 07:02:01 -0700 (PDT)
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 25 Jul 2011 08:02:01 -0600
Message-ID: <CA+k3eCT6u2Zq676b6s12A=gOFEyBSZLEqK3Erq48mUeyUW+9AQ@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Subject: [OAUTH-WG] treatment of client_id for authentication and identification
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 15:18:59 -0000
I need to revisit a question that came up about two months ago. I thought I had a clear understanding of when client_id was and wasn't included in access token requests but drafts 18/19 seemed to have changed things (or my understanding of 16 was wrong). The question is, when is client_id a required parameter on requests to the token endpoint and when can/should it be omitted? In -16 I was under the impression that client_id was always to be included even when using HTTP Basic or other means of authentication. See http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-3.1 and http://www.ietf.org/mail-archive/web/oauth/current/msg06328.html for example. But the text and examples in -18/-19 would suggest that client_id is to be omitted when using HTTP Basic. Text in http://tools.ietf.org/html/draft-ietf-oauth-v2-19#section-2.4.1 and example in http://tools.ietf.org/html/draft-ietf-oauth-v2-19#section-4.1.3 I don't have a strong preference for either direction but do feel it needs to be more explicitly spelled out. Scenarios that should be accounted for are, for both clients in possession of a client password and clients without, using client_id/client_secret, using HTTP Basic and using other means of authentication/identification.
- [OAUTH-WG] treatment of client_id for authenticat… Brian Campbell
- Re: [OAUTH-WG] treatment of client_id for authent… Eran Hammer-Lahav
- Re: [OAUTH-WG] treatment of client_id for authent… Eran Hammer-Lahav
- Re: [OAUTH-WG] treatment of client_id for authent… Brian Campbell
- Re: [OAUTH-WG] treatment of client_id for authent… Eran Hammer-Lahav
- Re: [OAUTH-WG] treatment of client_id for authent… Brian Campbell
- Re: [OAUTH-WG] treatment of client_id for authent… Eran Hammer-Lahav
- Re: [OAUTH-WG] treatment of client_id for authent… Brian Campbell
- Re: [OAUTH-WG] treatment of client_id for authent… Eran Hammer-Lahav
- Re: [OAUTH-WG] treatment of client_id for authent… Brian Campbell
- Re: [OAUTH-WG] treatment of client_id for authent… Torsten Lodderstedt
- Re: [OAUTH-WG] treatment of client_id for authent… Eran Hammer-Lahav
- Re: [OAUTH-WG] treatment of client_id for authent… Torsten Lodderstedt
- Re: [OAUTH-WG] treatment of client_id for authent… Eran Hammer-Lahav
- Re: [OAUTH-WG] treatment of client_id for authent… Brian Campbell
- Re: [OAUTH-WG] treatment of client_id for authent… Torsten Lodderstedt
- Re: [OAUTH-WG] treatment of client_id for authent… Eran Hammer-Lahav
- Re: [OAUTH-WG] treatment of client_id for authent… Brian Campbell
- Re: [OAUTH-WG] treatment of client_id for authent… Torsten Lodderstedt
- Re: [OAUTH-WG] treatment of client_id for authent… Eran Hammer-Lahav
- Re: [OAUTH-WG] treatment of client_id for authent… Eran Hammer-Lahav
- Re: [OAUTH-WG] treatment of client_id for authent… Brian Campbell
- Re: [OAUTH-WG] treatment of client_id for authent… Torsten Lodderstedt
- Re: [OAUTH-WG] treatment of client_id for authent… Eran Hammer-Lahav
- Re: [OAUTH-WG] treatment of client_id for authent… Eran Hammer-Lahav
- Re: [OAUTH-WG] treatment of client_id for authent… Lu, Hui-Lan (Huilan)
- Re: [OAUTH-WG] treatment of client_id for authent… Eran Hammer-Lahav
- Re: [OAUTH-WG] treatment of client_id for authent… Brian Campbell
- Re: [OAUTH-WG] treatment of client_id for authent… Lu, Hui-Lan (Huilan)
- Re: [OAUTH-WG] treatment of client_id for authent… Lu, Hui-Lan (Huilan)
- Re: [OAUTH-WG] treatment of client_id for authent… Richer, Justin P.
- Re: [OAUTH-WG] treatment of client_id for authent… Eran Hammer-Lahav