[Openid-specs-ab] token_endpoint_auth_method Registration example error?

Justin Richer jricher at mitre.org
Wed Jan 23 15:53:21 UTC 2013


OK, thanks for catching that. I'll file a bug against OAuth2 Dynreg as 
well (which has the same examples). John is right that it is defined as 
a single value and the examples are off.

  -- Justin

On 01/23/2013 10:03 AM, Mike Jones wrote:
>
> That's what I thought.  Thanks for confirming.
>
> -- Mike
>
> *From:*John Bradley [mailto:ve7jtb at ve7jtb.com]
> *Sent:* Wednesday, January 23, 2013 7:02 AM
> *To:* Mike Jones
> *Cc:* openid-specs-ab at lists.openid.net
> *Subject:* Re: [Openid-specs-ab] token_endpoint_auth_method 
> Registration example error?
>
> The server may support multiple methods, but the client MUST only 
> register one, so it shouldn't be multi value for simplicity.
>
> If you need two auth methods they should be different client_id.
>
> This is intended mostly to enhance security and prevent a server from 
> taking client_secret_basic from an attacker when the real client is 
> using private_key_jwt.
>
> John B.
>
> On 2013-01-23, at 9:07 AM, Mike Jones <Michael.Jones at microsoft.com 
> <mailto:Michael.Jones at microsoft.com>> wrote:
>
> Registration contains the following definition:
>
> token_endpoint_auth_method
>
> OPTIONAL. Requested authentication method for the Token Endpoint. The 
> options are client_secret_post, client_secret_basic, client_secret_jwt, 
> and private_key_jwt, as described in Section 2.2.1 of 
> [OpenID.Messages]. Other Authentication methods may be defined by 
> extension. If unspecified or omitted, the default 
> is client_secret_basic HTTP Basic Authentication Scheme as specified in 
> Section 2.3.1 of [RFC6749].
>
> It later uses "token_endpoint_auth_method" in two example result 
> values in this manner:
>
> "token_endpoint_auth_method": "client_secret_basic client_secret_post",
>
> This looks like a bug to me, since the string appears to be trying to 
> contain multiple values.
>
> Thus, I'm changing the string used to just "client_secret_basic" to make 
> the example correct.  But I thought I'd point this out in case the 
> example may have been intentional in some manner.
>
> -- Mike
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net <mailto:Openid-specs-ab at lists.openid.net>
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
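An added example (not code from this thread, nor from any OpenID or OAuth implementation) of how a server can enforce the point John makes above: registration accepts exactly one token_endpoint_auth_method, and the token endpoint refuses a request that authenticates with any method other than the registered one, so a Basic credential is not honoured for a client registered with private_key_jwt. The registration JSON, request headers and form parameters are constructed inputs, and all function names are this example's own.

```python
import base64
import json

# The four values the quoted Registration text defines (extensions may add more).
ALLOWED_METHODS = {"client_secret_post", "client_secret_basic",
                   "client_secret_jwt", "private_key_jwt"}
DEFAULT_METHOD = "client_secret_basic"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def parse_registration(body):
    """Return the one registered method from a registration JSON document,
    defaulting as the spec text says; the erroneous space-separated
    "client_secret_basic client_secret_post" form is rejected."""
    method = json.loads(body).get("token_endpoint_auth_method", DEFAULT_METHOD)
    if not isinstance(method, str) or method not in ALLOWED_METHODS:
        raise ValueError("token_endpoint_auth_method must be exactly one of: "
                         + ", ".join(sorted(ALLOWED_METHODS)))
    return method

def _jwt_alg(jwt):
    """Read alg from a JWT header, or None if it is not even well formed
    (signature verification happens elsewhere and is not shown here)."""
    try:
        header = jwt.split(".")[0]
        padded = header + "=" * (-len(header) % 4)
        return json.loads(base64.urlsafe_b64decode(padded)).get("alg")
    except (ValueError, AttributeError):
        return None

def detect_auth_method(headers, form):
    """Classify how a token request authenticated; plain dicts stand in for
    the HTTP request headers and form body in this example."""
    if headers.get("Authorization", "").startswith("Basic "):
        return "client_secret_basic"
    if form.get("client_assertion_type") == JWT_BEARER:
        # client_secret_jwt signs with an HMAC (HS*) alg, private_key_jwt with
        # an asymmetric one, so the header alg tells the two apart.
        alg = _jwt_alg(form.get("client_assertion"))
        if not isinstance(alg, str) or not alg:
            return None
        return "client_secret_jwt" if alg.startswith("HS") else "private_key_jwt"
    if "client_secret" in form:
        return "client_secret_post"
    return None

def token_request_method_ok(registered, headers, form):
    """Accept only a request that used exactly the registered method: a Basic
    credential is refused for a private_key_jwt client even if the presented
    secret would otherwise validate, which is the case John describes."""
    return detect_auth_method(headers, form) == registered
```

Credential validation itself (checking the secret or verifying the assertion signature) still has to run after this method check passes.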
