Re: [OAUTH-WG] Client authentication requirement
Brian Campbell <bcampbell@pingidentity.com> Wed, 15 June 2011 18:47 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A33BF11E8166 for <oauth@ietfa.amsl.com>; Wed, 15 Jun 2011 11:47:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.676
X-Spam-Level:
X-Spam-Status: No, score=-5.676 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, SARE_WEOFFER=0.3]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SyyNRwh4QAqB for <oauth@ietfa.amsl.com>; Wed, 15 Jun 2011 11:47:53 -0700 (PDT)
Received: from na3sys009aog113.obsmtp.com (na3sys009aog113.obsmtp.com [74.125.149.209]) by ietfa.amsl.com (Postfix) with ESMTP id AC04B11E8165 for <oauth@ietf.org>; Wed, 15 Jun 2011 11:47:51 -0700 (PDT)
Received: from mail-qy0-f178.google.com ([209.85.216.178]) (using TLSv1) by na3sys009aob113.postini.com ([74.125.148.12]) with SMTP ID DSNKTfj+VtxSMnUE+X7/CTTqi24k402lr20m@postini.com; Wed, 15 Jun 2011 11:47:52 PDT
Received: by qyk2 with SMTP id 2so417263qyk.9 for <oauth@ietf.org>; Wed, 15 Jun 2011 11:47:50 -0700 (PDT)
Received: by 10.224.27.10 with SMTP id g10mr65390qac.204.1308163670165; Wed, 15 Jun 2011 11:47:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.224.54.133 with HTTP; Wed, 15 Jun 2011 11:47:20 -0700 (PDT)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234475E986AF7@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E7234475E986AF7@P3PW5EX1MB01.EX1.SECURESERVER.NET>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 15 Jun 2011 12:47:20 -0600
Message-ID: <BANLkTi=EAr2oH9JAX4gaEgRqbS-jeU4N-g@mail.gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Content-Type: multipart/alternative; boundary="bcaec51ba3d5de48d904a5c49651"
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Client authentication requirement
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jun 2011 18:47:53 -0000
Also seems this is related to the topic of native/mobile clients. As I understand it, native apps using the authorization code grant/flow have been the primary motivator for keeping client authentication optional. Anonymous client have come up too. On Wed, Jun 15, 2011 at 11:26 AM, Eran Hammer-Lahav <eran@hueniverse.com>wrote: > Client authentication has been one of the main problem areas in OAuth 1.0 > and 2.0 does nothing to resolve it (arguably, it makes it more confusing). > > > > Because of the desire to allow any client type in any deployment > environment, we ended up with a barely defined client authentication model. > We offer password-based client authentication using HTTP Basic (and an > alternative parameter), but leave it optional. > > > > It has been suggested that by doing so, we have made the protocol security > hard to define and harder to implement properly. The document was written > largely with the requirement to use client authentication with any request > to the access token endpoint. However, it does allow unauthenticated > requests in section 3. > > > > Are there any other client properties than the client’s ability to > authenticate with regards to security? > > > > We have one grant type without client authentication (implicit), two with > optional authentication (authorization code and username/password), and one > with required authentication (client credentials). > > > > I would like to go back to requiring client authentication for the access > token endpoint, using HTTP Basic or other schemes. To leave the door open > for clients incapable of authenticating to use the endpoint, we will add a > security consideration section discussing the ramifications of using the > access token endpoint without client authentication. > > > > This suggestions is linked to the topic of refresh tokens which I’ll post > separately. > > > > EHL > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- Re: [OAUTH-WG] Client authentication requirement Brian Campbell
- [OAUTH-WG] Client authentication requirement Eran Hammer-Lahav
- Re: [OAUTH-WG] Client authentication requirement Eran Hammer-Lahav
- Re: [OAUTH-WG] Client authentication requirement Brian Eaton
- Re: [OAUTH-WG] Client authentication requirement Shane B Weeden
- Re: [OAUTH-WG] Client authentication requirement Eran Hammer-Lahav
- Re: [OAUTH-WG] Client authentication requirement Eran Hammer-Lahav
- Re: [OAUTH-WG] Client authentication requirement Brian Eaton
- Re: [OAUTH-WG] Client authentication requirement Eran Hammer-Lahav
- Re: [OAUTH-WG] Client authentication requirement Brian Eaton
- Re: [OAUTH-WG] Client authentication requirement Brian Eaton
- Re: [OAUTH-WG] Client authentication requirement Eran Hammer-Lahav
- Re: [OAUTH-WG] Client authentication requirement Brian Eaton
- Re: [OAUTH-WG] Client authentication requirement Eran Hammer-Lahav
- Re: [OAUTH-WG] Client authentication requirement Shane B Weeden
- Re: [OAUTH-WG] Client authentication requirement Thomas Hardjono
- Re: [OAUTH-WG] Client authentication requirement Brian Eaton
- Re: [OAUTH-WG] Client authentication requirement Thomas Hardjono
- Re: [OAUTH-WG] Client authentication requirement Brian Eaton
- Re: [OAUTH-WG] Client authentication requirement Torsten Lodderstedt
- Re: [OAUTH-WG] Client authentication requirement Torsten Lodderstedt
- Re: [OAUTH-WG] Client authentication requirement Brian Eaton
- Re: [OAUTH-WG] Client authentication requirement Justin Richer
- Re: [OAUTH-WG] Client authentication requirement Torsten Lodderstedt
- Re: [OAUTH-WG] Client authentication requirement Brian Eaton
- Re: [OAUTH-WG] Client authentication requirement Torsten Lodderstedt
- Re: [OAUTH-WG] Client authentication requirement Justin Richer
- Re: [OAUTH-WG] Client authentication requirement Brian Eaton
- Re: [OAUTH-WG] Client authentication requirement Torsten Lodderstedt
- Re: [OAUTH-WG] Client authentication requirement Brian Eaton
- Re: [OAUTH-WG] Client authentication requirement Torsten Lodderstedt
- Re: [OAUTH-WG] Client authentication requirement Brian Eaton
- Re: [OAUTH-WG] Client authentication requirement Igor Faynberg
- Re: [OAUTH-WG] Client authentication requirement Igor Faynberg
- Re: [OAUTH-WG] Client authentication requirement Brian Eaton
- Re: [OAUTH-WG] Client authentication requirement Dave Nelson
- Re: [OAUTH-WG] Client authentication requirement Shane B Weeden
- Re: [OAUTH-WG] Client authentication requirement Torsten Lodderstedt
- Re: [OAUTH-WG] Client authentication requirement Thomas Hardjono
- Re: [OAUTH-WG] Client authentication requirement Shane B Weeden
- Re: [OAUTH-WG] Client authentication requirement Eran Hammer-Lahav
- Re: [OAUTH-WG] Client authentication requirement Eran Hammer-Lahav