[Openid-specs-ab] Authz methods

John Bradley ve7jtb at ve7jtb.com
Tue Feb 7 21:58:05 UTC 2012


We could have separate tests for Token endpoint authentication using HTTP Basic, and POST body. If a client sends the client secret in a query parameter that should get a warning.

John
On 2012-02-07, at 6:23 PM, Mike Jones wrote:

> Is there a test or tests we should add for these protocol usages?
> From: John Bradley
> Sent: 2/5/2012 2:59 PM
> To: Mike Jones
> Cc: Roland Hedberg; openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] Authz methods
> 
> Endpoints should support both GET and POST unless the spec specifically restricts itself to one or the other.
> 
> If using GET it is STRONGLY recommended that tokens not be passed in query parameters.
> 
> So GET effectively requires Authentication header support.
> 
> Some simple clients may not have access to modify headers, requiring POST.
> 
> John B.
> On 2012-02-05, at 7:14 PM, Mike Jones wrote:
> 
> > You're right that the Bearer spec doesn't say what method to use because HTTPbis doesn't either.  I expect that people will normally use GET however.  Is there a reason you believe that clients may want to use POST?
> > 
> > Unless there's an advantage to using POST over GET, given we're trying to test "normal cases" for this round of interop, I don't see a strong motivation to test using POST.  But I'm adding the working group to my reply in case anyone else would like to weigh in.
> > 
> > Thanks again,
> > -- Mike
> > 
> > -----Original Message-----
> > From: Roland Hedberg [mailto:roland at catalogix.se] 
> > Sent: Saturday, February 04, 2012 1:41 PM
> > To: Mike Jones
> > Subject: Authz methods
> > 
> > Hi Mike,
> > 
> > Just to check my understanding.
> > 
> > draft-ietf-oauth-v2-bearer-15 isn't explicit on this.
> > 
> > When you're using the "Authorization" header field it doesn't specify whether GET or POST is used.
> > The example is GET but nowhere in the text does it say it has to be GET.
> > Form-encoded body part on the other hand is always POST.
> > 
> > So in your test matrix shouldn't we have:
> > 
> > UserInfo Endpoint Access with Header Method (GET)
> > UserInfo Endpoint Access with Header Method (POST)
> > UserInfo Endpoint Access with Form-Encoded Body Method
> > 
> > and likewise for Check ID ?
> > 
> > -- Roland
> 

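The three access methods and the two client authentication methods discussed in this thread, turned into a small conformance check of the kind the test matrix would need. This is an added example, not code from the thread or from any interop suite; `HttpRequest`, `classify_bearer_access` and `classify_client_auth` are names chosen here, and the request values in the comments are constructed.

```python
# Added example (not from the thread): classify how a request carries its
# bearer token (protected resource) or its client secret (Token endpoint),
# warning when either travels in the query string, as the thread suggests.
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

@dataclass
class HttpRequest:                      # hypothetical minimal request model
    method: str
    url: str
    headers: dict = field(default_factory=dict)   # header name -> value
    body: str = ""                                # raw request body

def _header(req, name):
    """Case-insensitive header lookup; None if the header is absent."""
    return next((v for k, v in req.headers.items()
                 if k.lower() == name.lower()), None)

def _params(req):
    """Query-string params, plus body params only when the body is form-encoded."""
    query = parse_qs(urlsplit(req.url).query)
    ctype = (_header(req, "Content-Type") or "").lower()
    form = ctype.startswith("application/x-www-form-urlencoded")
    return query, (parse_qs(req.body) if form else {})

def classify_bearer_access(req):
    """Protected resource (UserInfo / Check ID): how was the token sent?
    Returns (method, verdict) with method in header/form-body/query/none
    and verdict in PASS/WARN/FAIL."""
    query, body = _params(req)
    authz = _header(req, "Authorization") or ""
    if authz.split(" ", 1)[0].lower() == "bearer":
        return "header", "PASS"              # valid with GET or POST
    if "access_token" in body:
        # The form-encoded body method only exists for POST requests.
        return "form-body", ("PASS" if req.method.upper() == "POST" else "FAIL")
    if "access_token" in query:
        return "query", "WARN"               # ends up in logs, Referer, history
    return "none", "FAIL"

def classify_client_auth(req):
    """Token endpoint: how did the client present its secret?"""
    query, body = _params(req)
    authz = _header(req, "Authorization") or ""
    if authz.lower().startswith("basic "):
        return "client_secret_basic", "PASS"
    if "client_secret" in body and req.method.upper() == "POST":
        return "client_secret_post", "PASS"
    if "client_secret" in query:
        return "query", "WARN"               # secret in the URL: warn
    return "none", "FAIL"
```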