[Openid-specs-ab] [openid/connect] Basic 2.2.6.1 - Client authentication clarifications (issue #726)

Michael Jones issues-reply at bitbucket.org
Mon Jan 28 20:18:21 UTC 2013



New issue 726: Basic 2.2.6.1 - Client authentication clarifications
https://bitbucket.org/openid/connect/issue/726/basic-2261-client-authentication

Michael Jones:

From 24-Jan-13 spec call notes:

Pam's Comments on Basic:
	Basic 2.2.1.  Client Prepares Authorization Request says
		Clients MAY construct the request using the HTTP GET or the HTTP POST method as defined in RFC 2616 [RFC2616].
	Standard 2.3 says
		Authorization Servers MUST support the use of the HTTP "GET" and "POST" methods defined in RFC 2616 [RFC2616] at the Authorization Endpoint.

	We don't need to express a preference between the methods in Basic
	We may say that they can use either because OPs must support both

	Basic 2.2.6.  Client Obtains ID Token and Access Token
	Basic 2.2.6.1 says no preference between POST or GET
		References 4.1.3.  Access Token Request of OAuth 2.0 [RFC6749]
		References 3.2.1.  Client Authentication
		References 2.3.1.  Client Password
			Recommends using Basic in authorization header

	We should recommend putting the client credentials in the Authorization header in Basic
		As recommended in OAuth 2.3.1
	We may also want to mention that this is the client_secret_basic method from Registration
	
	OAuth 3.2.  Token Endpoint says
		The client MUST use the HTTP "POST" method when making access token requests.

	The phrase "Access Token Request" should appear in 2.2.6
	We might also want the term "Client Authentication" to appear in 2.2.6.1

	We may need to clarify what we mean by "Token Endpoint" - "OAuth Access Token Endpoint"

From: Mike Jones 
Sent: Thursday, January 24, 2013 10:47 AM
To: 'Pamela Dingle'; openid-specs-ab at lists.openid.net
Subject: RE: [Openid-specs-ab] Basic profile section 2.2.6.1

It’s not in bitbucket – but it’s in the about-to-be-released call notes.

I disagree that we should reference Messages.  The whole point of Basic and Implicit is for them to be self-contained.  If we were willing to tell people to just use Messages and Standard, we’d delete these (intentionally duplicative) specs.

I’ll send my proposed change to the list shortly.

-- Mike

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Pamela Dingle
Sent: Thursday, January 24, 2013 10:42 AM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Basic profile section 2.2.6.1

Hi all,

We talked about basic profile section 2.2.6.1 on the call this morning, and Mike agreed to add a bit more helpful text in there that echoes the existing recommendation in RFC 6749 section 3.2 on using the authorization header to authenticate the client vs. including client credentials in the post body of the request sent to the endpoint.

On reading further, I think we could instead state that the possible ways that the client can authenticate to the Access Token Endpoint are listed in the Messages spec section 2.2.1, and that if a client is unsure which client authentication methods are supported, they can refer to a given openid provider's openid-configuration document, under the token_endpoint_auth_methods_supported element (described in Discovery section 3.2). The nice thing about referring to the messages and discovery specs rather than directly to the OAuth spec is that it introduces our simple vocabulary for the different types of client authentication, gives us a place to insert more guidance in the future, and also ties in the relationship with the discovery doc, so that if a developer wants to be more sophisticated they know where to look.

Mike, if you've got something in bitbucket for this change let me know and I'll put this into the ticket rather than into email, I just wanted to get this on the record before I forgot.

Cheers,

Pamela
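The client authentication choices discussed in this thread, worked through as an added example that is not part of the thread or of any OpenID Foundation spec text: a Relying Party picks a method from a constructed openid-configuration document's token_endpoint_auth_methods_supported element (defaulting to client_secret_basic when the element is absent, as Discovery specifies), builds the Access Token Request as an HTTP POST using either client_secret_basic (RFC 6749 section 2.3.1, credentials in the Authorization header) or client_secret_post (credentials in the form body), and a minimal OP-side check shows why the RFC's form-urlencode-before-base64 rule and its one-authentication-method-per-request rule matter. The issuer URL, client_id, client_secret, code and redirect_uri are constructed sample values; the function names are this example's own.

```python
"""Token Endpoint client authentication: client_secret_basic vs client_secret_post.
Client side builds the Access Token Request; server side validates it.
All identifiers, URLs and secrets below are constructed for this example."""
import base64
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed openid-configuration fragment, not a real provider's document.
DISCOVERY = {
    "issuer": "https://op.example.com",
    "token_endpoint": "https://op.example.com/token",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}

# Constructed client registry for the OP side of the example.
REGISTERED_CLIENTS = {"s6BhdRkqt3": "gX1fBat3bV"}


def choose_auth_method(discovery, preference=("client_secret_basic", "client_secret_post")):
    """Pick the first method in our preference order that the OP advertises.
    Discovery makes the element OPTIONAL with client_secret_basic as the default."""
    supported = discovery.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    for method in preference:
        if method in supported:
            return method
    raise ValueError("no mutually supported client authentication method")


def build_token_request(discovery, client_id, client_secret, code, redirect_uri, method):
    """Access Token Request (RFC 6749 4.1.3); always POST (RFC 6749 3.2)."""
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 2.3.1: form-urlencode id and secret *before* base64, so a ':'
        # or non-ASCII byte in either value cannot break the server's split.
        userpass = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(userpass.encode("ascii")).decode("ascii")
    elif method == "client_secret_post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported client authentication method: {method}")
    return {"method": "POST", "url": discovery["token_endpoint"], "headers": headers, "body": urlencode(form)}


def authenticate_client(request, registered=REGISTERED_CLIENTS):
    """OP side: return the authenticated client_id, or None on failure.
    RFC 6749 2.3 forbids more than one authentication method per request,
    so credentials in both the header and the body are rejected outright."""
    form = parse_qs(request["body"], keep_blank_values=True)
    auth = request["headers"].get("Authorization", "")
    in_header = auth.startswith("Basic ")
    in_body = "client_secret" in form
    if in_header == in_body:  # neither or both: not an acceptable request
        return None
    if in_header:
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("ascii")
            enc_id, enc_secret = decoded.split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return None
        client_id, secret = unquote(enc_id), unquote(enc_secret)
    else:
        client_id, secret = form.get("client_id", [""])[0], form["client_secret"][0]
    expected = registered.get(client_id)
    # Constant-time comparison so a wrong secret is not distinguishable by timing.
    if expected is None or not hmac.compare_digest(secret.encode(), expected.encode()):
        return None
    return client_id


if __name__ == "__main__":
    method = choose_auth_method(DISCOVERY)
    req = build_token_request(DISCOVERY, "s6BhdRkqt3", "gX1fBat3bV",
                              "SplxlOBeZQQYbYS6WxSbIA", "https://client.example.org/cb", method)
    print(method, req["headers"].get("Authorization"), authenticate_client(req))
```

The header form keeps the secret out of the form body, which is the reason RFC 6749 recommends it over client_secret_post; neither form does anything for transport security, which TLS to the Token Endpoint provides in both cases. A client_id or secret containing ':' or '@' round-trips only because both sides apply the percent-encoding step; implementations that base64 the raw "id:secret" string interoperate only by luck.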


