Re: [OAUTH-WG] Does an assertion belong to a client?

Brian Campbell <bcampbell@pingidentity.com> Tue, 14 September 2010 22:29 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 14 Sep 2010 16:28:05 -0600
Message-ID: <AANLkTinGkb5WG+GQujinq8KHApkVPr4Gt3giaZicPvrL@mail.gmail.com>
To: Laurens Van Houtven <lvh@laurensvh.be>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Does an assertion belong to a client?

It really depends on the requirements or policy of the authorization
server.  For the I-D I've been working on,
https://datatracker.ietf.org/doc/draft-campbell-oauth-saml/, there's
nothing that binds the assertion to the client.  So there's not a
requirement for that enforcement, nor is there really any information
in the assertion that would make it possible.

Other profiles might be different in that regard, and I'd think that
any "client assertions" used for client authentication might directly
identify the client and expect validation of such at the authz server.

On Mon, Sep 13, 2010 at 1:10 PM, Laurens Van Houtven <lvh@laurensvh.be> wrote:
> Should implementors of OAuth libraries enforce that an assertion belongs to
> a particular client?
> E.g.: if there are two clients cA and cB, and cA gets issued an assertion
> foo, can cB then use foo to obtain an access token at the token endpoint?
> thanks
> lvh
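As an added illustration of the point made in this exchange (not code from the draft or from either poster), here is a toy token endpoint in which client binding is an authorization-server policy switch rather than a fixed rule: with binding off, client cB can redeem an assertion issued to cA, as the draft allows; with binding on, the check can only be enforced if the assertion itself names the client. The assertion layout, the `client_id` field and the `bind_assertion_to_client` flag are constructed for this example.

```python
"""Constructed example of assertion-grant handling at a token endpoint.
The field names and policy flag are hypothetical, not from any real spec."""
from dataclasses import dataclass
from typing import Optional

NOW = 1_700_000_000.0  # fixed clock so the example is deterministic


@dataclass
class Assertion:
    """Stand-in for an assertion; not a real SAML or JWT layout."""
    subject: str            # the user the assertion is about
    issuer: str             # who signed it (signature check omitted here)
    audience: str           # the token endpoint it was meant for
    expires_at: float
    client_id: Optional[str] = None  # hypothetical claim naming the intended client


@dataclass
class TokenEndpoint:
    my_audience: str
    trusted_issuers: set
    bind_assertion_to_client: bool = False  # hypothetical AS policy switch

    def exchange(self, a: Assertion, authenticated_client: str, now: float = NOW) -> dict:
        """Validate the assertion and, if policy demands, its client binding."""
        if a.issuer not in self.trusted_issuers:
            return {"error": "invalid_grant", "reason": "untrusted issuer"}
        if a.audience != self.my_audience:
            return {"error": "invalid_grant", "reason": "audience mismatch"}
        if a.expires_at <= now:
            return {"error": "invalid_grant", "reason": "expired"}
        if self.bind_assertion_to_client:
            # Binding is only enforceable when the assertion carries
            # something that identifies the client it was issued to.
            if a.client_id is None:
                return {"error": "invalid_grant", "reason": "assertion carries no client binding"}
            if a.client_id != authenticated_client:
                return {"error": "invalid_grant", "reason": "assertion not issued to this client"}
        return {"access_token": f"at-{a.subject}-{authenticated_client}"}


def demo(bind: bool) -> tuple:
    """Assertion 'foo' is issued to cA; return cA's and cB's exchange results."""
    ep = TokenEndpoint("https://as.example/token", {"https://idp.example"}, bind)
    foo = Assertion("alice", "https://idp.example", "https://as.example/token",
                    NOW + 300, client_id="cA")
    return ep.exchange(foo, "cA"), ep.exchange(foo, "cB")
```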