[Openid-specs-ab] About "token_endpoint_auth_type" handling

Roland Hedberg roland.hedberg at adm.umu.se
Thu Mar 22 14:47:54 UTC 2012

Hi Ryo,

22 mar 2012 kl. 11:16 skrev Ryo Ito:

> I tried to test my OP using your facility, and attached exported configuration.

It's still my script who is doing the protocol part.
Andreas has done the very nice front-end but he is not responsible for this type of errors.
> My OP handles "token_endpoint_auth_type", and it seems to produce some Failed.
> http://openid.net/specs/openid-connect-registration-1_0.html#anchor3
> ===
> token_endpoint_auth_type
> OPTIONAL. The requested authentication type for the Token Endpoint.
> The options are client_secret_post, client_secret_basic,
> client_secret_jwt, and private_key_jwt, as described in Section 2.2.1
> of OpenID Connect Messages 1.0 [OpenID.Messages]. Other Authentication
> methods may be defined by extension. If unspecified or omitted, the
> default is client_secret_basic HTTP Basic Authentication Scheme as
> specified in section 2.3.1 of OAuth 2.0 [OAuth2.0].
> ===
> About "oic-code+idtoken+token-token" test, because
> token_endpoint_auth_type parameter does not include it in a dynamic
> registration request, the value is registered as client_secret_basic.
> And because a test client sends the access token request using the
> client_secret_post format, my OP returns an error.
> Will you use authorization Header?

I don't have time to look into this right now (today), will do it as soon as possible.

-- Roland

More information about the Openid-specs-ab mailing list