[Openid-specs-ab] token_endpoint_auth_method Registration example error?

Mike Jones Michael.Jones at microsoft.com
Wed Jan 23 15:03:24 UTC 2013


That's what I thought.  Thanks for confirming.

                                                            -- Mike

From: John Bradley [mailto:ve7jtb at ve7jtb.com]
Sent: Wednesday, January 23, 2013 7:02 AM
To: Mike Jones
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] token_endpoint_auth_method Registration example error?

The server may support multiple methods, but the client MUST only register one, so it shouldn't be multi-valued, for simplicity.

If you need two auth methods, they should be different client_ids.

This is intended mostly to enhance security and prevent a server from taking client_secret_basic from an attacker when the real client is using private_key_jwt.

John B.

On 2013-01-23, at 9:07 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:


Registration contains the following definition:

token_endpoint_auth_method
OPTIONAL. Requested authentication method for the Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 2.2.1 of [OpenID.Messages]. Other Authentication methods may be defined by extension. If unspecified or omitted, the default is client_secret_basic HTTP Basic Authentication Scheme as specified in Section 2.3.1 of [RFC6749].

It later uses "token_endpoint_auth_method" in two example result values in this manner:

"token_endpoint_auth_method":
   "client_secret_basic client_secret_post",

This looks like a bug to me, since the string appears to be trying to contain multiple values.

Thus, I'm changing the string used to just "client_secret_basic" to make the example correct.  But I thought I'd point this out in case the example may have been intentional in some manner.

                                                            -- Mike
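An added example (not code from the thread, the OpenID specs, or any implementation) showing both points above on the server side: registration accepts exactly one token_endpoint_auth_method value, rejecting a space-separated string like the one in the example, and the token endpoint then accepts only the method the client registered, so a presented client_secret_basic is refused for a client registered with private_key_jwt. The client_ids, the in-memory registry and the unsigned_jwt stub are constructed for illustration; verifying the credential itself is assumed to happen after this check.

```python
import base64
import json

ALLOWED_METHODS = {"client_secret_post", "client_secret_basic",
                   "client_secret_jwt", "private_key_jwt"}
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def validate_registered_method(metadata):
    """Registration-time check: absent means the spec default; anything that is
    not exactly one known method (e.g. "client_secret_basic client_secret_post")
    is rejected by returning None."""
    value = metadata.get("token_endpoint_auth_method", "client_secret_basic")
    return value if value in ALLOWED_METHODS else None


def presented_methods(headers, form):
    """Which client authentication method(s) a token request actually carries."""
    found = set()
    if headers.get("Authorization", "").startswith("Basic "):
        found.add("client_secret_basic")
    if "client_secret" in form:
        found.add("client_secret_post")
    if form.get("client_assertion_type") == JWT_BEARER and "client_assertion" in form:
        # Only the JOSE header is inspected here to tell HMAC from asymmetric signing;
        # signature verification against the registered key/secret comes afterwards.
        hdr_b64 = form["client_assertion"].split(".")[0]
        hdr = json.loads(base64.urlsafe_b64decode(hdr_b64 + "=" * (-len(hdr_b64) % 4)))
        alg = str(hdr.get("alg", ""))
        found.add("client_secret_jwt" if alg.startswith("HS") else "private_key_jwt")
    return found


def authorize_token_request(registry, client_id, headers, form):
    """Token-endpoint enforcement: exactly one method, and it must be the registered one."""
    registered = registry.get(client_id)
    if registered is None:
        return False, "unknown client_id"
    used = presented_methods(headers, form)
    if len(used) != 1:
        return False, "exactly one client authentication method must be presented"
    (method,) = used
    if method != registered:
        return False, "%s registered %s but presented %s" % (client_id, registered, method)
    return True, method


def unsigned_jwt(alg):
    """Constructed stand-in for a client assertion; only its header is used above."""
    seg = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([seg({"alg": alg, "typ": "JWT"}), seg({"iss": "client-A"}), "sig"])


# Constructed registry: client-A registered private_key_jwt, client-B client_secret_basic.
REGISTRY = {"client-A": "private_key_jwt", "client-B": "client_secret_basic"}
```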
