[OAUTH-WG] treatment of client_id for authentication and identification

Brian Campbell <bcampbell@pingidentity.com> Mon, 25 July 2011 15:18 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 5846C21F8E0E for <oauth@ietfa.amsl.com>; Mon, 25 Jul 2011 08:18:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.946
X-Spam-Status: No, score=-5.946 tagged_above=-999 required=5 tests=[AWL=0.031, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id bpVXBJuHRBW1 for <oauth@ietfa.amsl.com>; Mon, 25 Jul 2011 08:18:58 -0700 (PDT)
Received: from na3sys009aog110.obsmtp.com (na3sys009aog110.obsmtp.com []) by ietfa.amsl.com (Postfix) with ESMTP id 4731C21F8B7D for <oauth@ietf.org>; Mon, 25 Jul 2011 07:02:32 -0700 (PDT)
Received: from mail-qy0-f179.google.com ([]) (using TLSv1) by na3sys009aob110.postini.com ([]) with SMTP ID DSNKTi13d5xITdTB/mezOzeEDHo0Rq6JwCGR@postini.com; Mon, 25 Jul 2011 07:02:33 PDT
Received: by mail-qy0-f179.google.com with SMTP id 29so2956664qyk.10 for <oauth@ietf.org>; Mon, 25 Jul 2011 07:02:31 -0700 (PDT)
Received: by with SMTP id fz1mr3779150qab.43.1311602551161; Mon, 25 Jul 2011 07:02:31 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Mon, 25 Jul 2011 07:02:01 -0700 (PDT)
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 25 Jul 2011 08:02:01 -0600
Message-ID: <CA+k3eCT6u2Zq676b6s12A=gOFEyBSZLEqK3Erq48mUeyUW+9AQ@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Subject: [OAUTH-WG] treatment of client_id for authentication and identification
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 15:18:59 -0000

I need to revisit a question that came up about two months ago.  I
thought I had a clear understanding of when client_id was and wasn't
included in access token requests but drafts 18/19 seemed to have
changed things (or my understanding of 16 was wrong).

The question is, when is client_id a required parameter on requests to
the token endpoint and when can/should it be omitted?

In -16 I was under the impression that client_id was always to be
included even when using HTTP Basic or other means of authentication.
See http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-3.1 and
http://www.ietf.org/mail-archive/web/oauth/current/msg06328.html for

But the text and examples in -18/-19 would suggest that client_id is
to be omitted when using HTTP Basic.  Text in
http://tools.ietf.org/html/draft-ietf-oauth-v2-19#section-2.4.1 and
example in http://tools.ietf.org/html/draft-ietf-oauth-v2-19#section-4.1.3

I don't have a strong preference for either direction but do feel it
needs to be more explicitly spelled out.  Scenarios that should be
accounted for are, for both clients in possession of a client password
and clients without, using client_id/client_secret, using  HTTP Basic
and using other means of authentication/identification.