<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:tahoma,new york,times,serif;font-size:10pt"><div>This discussion has brought to attention that the secret_type parameter that is defined in Section 3.1.5 of the superseded <a href="http://openid.net/specs/openid-connect-http-redirect-1_0.html">HTTP-Redirect Binding</a> spec has been inadvertently left out of the current <a href="http://openid.net/specs/openid-connect-messages-1_0.html">Messages</a> and <a href="http://openid.net/specs/openid-connect-standard-1_0.html">Standard</a> specs.<br><br>This parameter is defined for the Token endpoint as a way for clients to authenticate using asymmetric keys. OAuth 2.0 only defines symmetric client secrets for the Token endpoint.<br><br>The text for the section is as follows:<br><br><p style="font-family: Courier New,courier,monaco,monospace,sans-serif;">Upon receipt of the "code", the
Client requests an Assertion that includes the "access_token"
and other variables. To obtain the assertion, the client sends the
following parameters via HTTPS POST to the token endpoint using
application/x-www-form-urlencoded format
in the HTTP request entity-body:
</p><span style="font-family: Courier New,courier,monaco,monospace,sans-serif;">
</span>
<blockquote style="font-family: Courier New,courier,monaco,monospace,sans-serif;" class="text"><dl><dt>grant_type</dt><dd>REQUIRED. A string
"authorization_code".
</dd><dt>code</dt><dd>REQUIRED. The authorization code received
from the authorization server.
</dd><dt>client_id</dt><dd>REQUIRED. The client_id of the RP.
</dd><dt>secret_type</dt><dd>OPTIONAL. Specifies the client
authentication type which determines how the client_secret parameter is interpreted. It
can be one of "basic" or "JWT". Defaults to "basic".
</dd><dt>client_secret</dt><dd>OPTIONAL. Client Secret. If the
secret_type is "basic", send the
pre-shared secret. If the secret_type is "JWT",
send the compact serialization of the JWT [JWT] Signature over the 'code'.
</dd></dl></blockquote><br><br>Andreas says that this is not enough information for implementation.<br><br>It was decided that the text should be put back into Messages and Standard.<br>We can expand the Token endpoint section to talk a little bit more about client authentication and the differing types (symmetric vs asymmetric).<br>The secret_type parameter will explain the need for the JWT as a method to indicate asymmetric client authentication.<br>The client_secret parameter will be expanded to include where pre-shared secrets come from and the JSON inputs for the JWT asymmetric signature.<br><br>The JSON input should be something like the following:<br><br>{<br> "code" : "some code value",<br> "aud" : "blah blah", // audience<br> "iss" : "blah blah", // issuer<br> "exp" : "blah blah", // expiration<br> "typ" : "blah blah", //
type<br>
"nbf" : "blah blah", // valid not before<br>
"iat" : "blah blah" // issued at<br>}<br><br>The last 6 claims are OPTIONAL JWT parameters, but maybe we should REQUIRE them to make it more secure.<br>Since this is for the Token endpoint which could accept refresh access tokens also, we should probably make "refresh_token" a member also.<br><br><br>We should probably also change the Client Registration spec to allow clients to register asymmetric client secrets.<br>It will contain the jku (JSON Key URL) and x5u (x509 public key URL) parameters as defined in JWS or their actual values.<br><br>Any thoughts or feedback? Thanks.<br><br>-- Edmund<br><br><br><br><br></div><div style="font-family:tahoma, new york, times, serif;font-size:10pt"><br><div style="font-family:times new roman, new york, times, serif;font-size:12pt"><font face="Tahoma" size="2"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> John Bradley <ve7jtb@ve7jtb.com><br><b><span
style="font-weight: bold;">To:</span></b> Andreas Åkre Solberg <andreas.solberg@uninett.no><br><b><span style="font-weight: bold;">Cc:</span></b> openid-specs-ab@lists.openid.net<br><b><span style="font-weight: bold;">Sent:</span></b> Thu, August 25, 2011 9:21:35 AM<br><b><span style="font-weight: bold;">Subject:</span></b> Re: [Openid-specs-ab] Question about secret_type: JWT<br></font><br>Yes, if we keep this we need to have:<div>aud</div><div>iss</div><div>exp </div><div>and perhaps a specific typ </div><div><br></div><div>It should probably be part of a profile for using openID Connect with asymmetric signatures as an extension.</div><div><br></div><div>John B.</div><div><div><div>On 2011-08-25, at 3:53 AM, Andreas Åkre Solberg wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="word-wrap:break-word;"><br><div><div>On 25. aug. 2011, at 06:39, John Bradley wrote:</div><br
class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse:separate;font-family:Helvetica;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;orphans:2;text-indent:0px;text-transform:none;white-space:normal;widows:2;word-spacing:0px;font-size:medium;">Yes, the idea is to use JWS to avoid directly disclosing the secret as is done with basic in the symmetric key case.<div><br></div><div>OAuth doesn't define an asymmetric authentication to the token endpoint.</div><div><br></div><div>The plan was to define a JWT with a single claim of code that would be signed by the RP.</div></span></blockquote><div><br></div><div>OK.</div><div><br></div><div>My main point is that I think there are security issues with that, unless you also require or recommend that the JWT iss and aud headers are present (I don't think they are in the JWT
spec).</div></div><div><br></div><div>Andreas</div></div>_______________________________________________<br>Openid-specs-ab mailing list<br><a rel="nofollow" ymailto="mailto:Openid-specs-ab@lists.openid.net" target="_blank" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br><span><a target="_blank" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></span><br></blockquote></div><br></div></div></div>
</div></body></html>