[Openid-specs-ab] Direct Request Authentication

Nat Sakimura sakimura at gmail.com
Fri May 28 03:29:23 UTC 2010


On Fri, May 28, 2010 at 12:08 PM, John Bradley <jbradley at mac.com> wrote:
> Oauth 2.0 requires the client secret.
> It is down to what the IdP requires.
> The RP won't know if the IdP will reject the request without the secret.
> If the IdP takes request without the secret then ever sending the secret is pointless.

OK. This is actually one of the things that I think the OAuth community is
still debating.
Also, it seems to depend on what flow the app is using.
IMHO, this is where OAuth is overdoing it for their target LoA1 use cases.

> For LoA 2 the secret is required.

Certainly, yes.

> I think it is simpler to make it always required unless the RP knows that the IdP supports asymmetric signatures.
> The follow on question is how is the RP determining that?

Well, we can require the OP to support asym. sig.
That is by far the simplest way from the point of view of the RP.

> John B.
> On 2010-05-27, at 9:40 PM, Nat Sakimura wrote:
>> Hi.
>> In Draft07, I might have overdone it a little with the direct assertion
>> request authentication.
>> I wrote it as:
>> 8.1.5.  RP requests Assertion directly to the OP
>> To obtain the assertion through direct request, the RP MUST
>> authenticate against the OP. There are two ways of doing it, namely:
>> Through the use of client_secret
>> Through the use of asymmetric signature
>> It probably should be SHOULD instead of MUST.
>> Like Yahoo!'s use case, provided the "code" has sufficient entropy and
>> is short-lived,
>> there are cases that you just want to submit the bearer token only to
>> get the result.
>> --
>> Nat Sakimura (=nat)
>> http://www.sakimura.org/en/
>> http://twitter.com/_nat_en
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab

Nat Sakimura (=nat)
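To make the three options discussed in this exchange concrete, here is an added example (not code from the thread, from Draft07, or from any OpenID implementation) of an OP-side direct request endpoint that accepts the RP's request either with a client_secret, with an asymmetric signature, or, for an LoA1 client only, with the bearer "code" alone, provided the code is random, short-lived and single-use. Everything in it is an assumption for illustration: the Ed25519 signature stands in for whatever asymmetric signature the draft would specify, the signing input (client_id and code joined by a newline), the 128-bit code, the 60-second lifetime, the registered clients and secrets, and the names of the types and functions are all constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"time"
)

type Client struct { // an RP registered at the OP (illustrative fields, not a spec schema)
	ID     string
	Secret []byte            // shared client_secret, empty if none registered
	PubKey ed25519.PublicKey // RP key for asymmetric signatures, nil if none
	LoA    int               // assurance level agreed with this RP
}

type issuedCode struct { // a "code" handed to the RP via the front channel
	clientID string
	issued   time.Time
	used     bool
}

type OP struct { // toy provider
	clients   map[string]*Client
	codes     map[string]*issuedCode
	codeTTL   time.Duration
	allowBare bool // admit code-only (bearer) requests from LoA1 clients
}

type DirectRequest struct { // the RP's back-channel request for the assertion
	ClientID, Code string
	ClientSecret   []byte // set when authenticating with client_secret
	Signature      []byte // set when authenticating with an asymmetric signature
}
// signingInput is the constructed canonical string an asymmetric signature covers.
func signingInput(clientID, code string) []byte { return []byte(clientID + "\n" + code) }
// SignDirectRequest is the RP side: sign the request with the RP's private key.
func SignDirectRequest(priv ed25519.PrivateKey, clientID, code string) []byte {
	return ed25519.Sign(priv, signingInput(clientID, code))
}

// NewDemoOP registers three constructed clients with different policies.
func NewDemoOP(signingRPKey ed25519.PublicKey) *OP {
	op := &OP{clients: map[string]*Client{}, codes: map[string]*issuedCode{}, codeTTL: 60 * time.Second, allowBare: true}
	op.clients["loa1-rp"] = &Client{ID: "loa1-rp", LoA: 1}
	op.clients["secret-rp"] = &Client{ID: "secret-rp", Secret: []byte("s3cret"), LoA: 2}
	op.clients["signing-rp"] = &Client{ID: "signing-rp", PubKey: signingRPKey, LoA: 2}
	return op
}

// IssueCode mints a 128-bit random, short-lived, single-use code bound to one client.
func (op *OP) IssueCode(clientID string, now time.Time) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	code := hex.EncodeToString(b)
	op.codes[code] = &issuedCode{clientID: clientID, issued: now}
	return code, nil
}

// authenticate checks the RP's credential, if any, and names the method used.
func (op *OP) authenticate(c *Client, req DirectRequest) (string, error) {
	switch {
	case len(req.Signature) > 0:
		if c.PubKey == nil || !ed25519.Verify(c.PubKey, signingInput(req.ClientID, req.Code), req.Signature) {
			return "", errors.New("bad request signature")
		}
		return "asymmetric signature", nil
	case len(req.ClientSecret) > 0: // ConstantTimeCompare also fails when no secret is registered
		if subtle.ConstantTimeCompare(c.Secret, req.ClientSecret) != 1 {
			return "", errors.New("bad client_secret")
		}
		return "client_secret", nil
	default: // bearer code only: tolerable for LoA1 since the code is random, short-lived and single-use
		if !op.allowBare || c.LoA >= 2 {
			return "", errors.New("client authentication required")
		}
		return "none (bearer code)", nil
	}
}

// ExchangeCode is the OP's direct request endpoint; it returns the accepted method.
func (op *OP) ExchangeCode(req DirectRequest, now time.Time) (string, error) {
	c, ok := op.clients[req.ClientID]
	ic, found := op.codes[req.Code]
	if !ok || !found || ic.used || ic.clientID != req.ClientID {
		return "", errors.New("invalid client or code")
	}
	if now.Sub(ic.issued) > op.codeTTL {
		return "", errors.New("expired code")
	}
	method, err := op.authenticate(c, req)
	if err != nil {
		return "", err
	}
	ic.used = true // single use: a replayed code fails even with valid credentials
	return method, nil
}
```

The decision is made from the OP's registration record for that client (its LoA and whether it has a secret or key on file), not from anything the RP guesses, which is the point raised above: an LoA2 client is refused without a credential, an LoA1 client gets through on the bare code, and a code bound to one client_id cannot be redeemed by another even with that other client's valid secret.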
