[Openid-specs-ab] Direct Request Authentication

John Bradley jbradley at mac.com
Fri May 28 03:08:21 UTC 2010

Oauth 2.0 requires the client secret.

It is down to what the IdP requires.  

The RP won't know if the IdP will reject the request without the secret.

If the IdP takes request without the secret then ever sending the secret is pointless.

For LoA 2 the secret is required.  

I think it is simpler to make it always required unless the RP knows that the IdP supports asymetric signatures.

The follow on question is how is the RP determining that?

John B.

On 2010-05-27, at 9:40 PM, Nat Sakimura wrote:

> Hi.
> In Draft07, I might have overdone a little about the direct assertion
> request authentication.
> I wrote it as:
> 8.1.5.  RP requests Assertion directly to the OP
> To obtain the assertion through direct request, the RP MUST
> authenticate against the OP. There are two ways of doing it, namely:
> Through the use of client_secret
> Through the use of asymmetric signature
> It propbably shoud be SHOULD instead of MUST.
> Like Yahoo!'s use case, provided the "code" has sufficient entropy and
> short lived,
> there are cases that you just want to submit the bearer token only to
> get the result.
> -- 
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
> http://twitter.com/_nat_en
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4767 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20100527/5e9287ed/attachment-0001.bin>

More information about the Openid-specs-ab mailing list