[Openid-specs-ab] To sign or to authenticate

John Bradley jbradley at mac.com
Wed May 26 16:42:32 UTC 2010

I think Eran is wanting to add option 2 to OAuth 2.0, though probably not with magic signature.

The other problem with 1 is that the OP must also maintain a list of all clients.

Using dynamic client registration is one potential way around that.  That would essentially be reintroducing the openID association.
There is a possibility of denial of service attacks against the auto registration that needs to be considered.

If we can stick closer to oAuth 2.0 that is probably better,  but automatic registration seems to not be particularly well developed yet.

One other observation is that the oAuth practice of sending the shared secret in the request introduces the possibility of a 3rd party intercepting it.
It is a small risk if the SSL endpoint is properly verified, but a possibility.

John B.

On 2010-05-26, at 11:15 AM, Nat Sakimura wrote:

> Hi ,
> To make sure that the direct assertion request comes from
> the correct client, we have two ways of doing it.
> 1) Authenticate the client using client_id and client_secret
> 2) Sign the request.
> Option 1) is the course OAuth 2.0 is taking.
> If we just use it, we do not need signed request format.
> Down side of this option is that the client must
> obtain and maintain the list of secret for each and every
> OP.
> Which would you think is better?
> -- 
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
> http://twitter.com/_nat_en
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4767 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20100526/2b74b012/attachment.bin>

More information about the Openid-specs-ab mailing list