<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    But now that the server responds with the current configuration,
    it's no longer just about client preference but also about the
    server expressing to the client what it should do. So if a client
    gets a client_secret, and the server is OK with it using basic,
    post, or jwt with that secret, how can the server tell the client
    this?<br>
    <br>
    The simplest thing is to keep it a single value as it is now, but
    that's (as always) a tradeoff between flexibility and complexity. <br>
    <br>
     -- Justin<br>
    <br>
    <div class="moz-cite-prefix">On 01/23/2013 11:28 AM, John Bradley
      wrote:<br>
    </div>
    <blockquote
      cite="mid:1FF8035D-862C-4436-B1AE-F25B5140C0A0@ve7jtb.com"
      type="cite">
      If you want a client to authenticate multiple ways just don't
      register a preference.
      <div><br>
      </div>
      <div>This was intended to prevent IdP from accepting weaker
        methods of authentication from attackers.   If you are not doing
        that then the client should be able to use anything the server
        supports.</div>
      <div><br>
      </div>
      <div>Now if the client doesn't register a public key then some
        methods will fail, but that is a client decision.</div>
      <div><br>
      </div>
      <div>I think trying to say I only want to use 2 of the 5 available
        methods is overkill.</div>
      <div><br>
      </div>
      <div>The client should just pick the one it is going to use.</div>
      <div><br>
      </div>
      <div>If it really needs two methods maybe it is really two clients
        and somebody is fudging things a bit.</div>
      <div><br>
      </div>
      <div>John B.</div>
      <div><br>
        <div>
          <div>On 2013-01-23, at 4:18 PM, Justin Richer <<a
              moz-do-not-send="true" href="mailto:jricher@mitre.org">jricher@mitre.org</a>>
            wrote:</div>
          <br class="Apple-interchange-newline">
          <blockquote type="cite">
            <div bgcolor="#FFFFFF" text="#000000"> Actually come to
              think of it, why wouldn't a client be able to do both
              client_secret_basic and client_secret_post to a server
              that supports them? It's the same info presented in
              *almost* the same way. <br>
              <br>
              This combination may be the exceptional case, though, as
              the other types (client_secret_jwt, private_key_jwt, or
              even "none" that OIDC hasn't adopted yet) aren't
              particularly mutually compatible. <br>
              <br>
               -- Justin<br>
              <br>
              <br>
              <div class="moz-cite-prefix">On 01/23/2013 10:53 AM,
                Justin Richer wrote:<br>
              </div>
              <blockquote
                cite="mid:MLQM-20130123111640496-8525@mlite.mitre.org"
                type="cite"> OK, thanks for catching that. I'll file a
                bug against Oauth2 Dynreg as well (which has the same
                examples). John is right that it is defined as a single
                value and the examples are off.<br>
                <br>
                 -- Justin<br>
                <br>
                <div class="moz-cite-prefix">On 01/23/2013 10:03 AM,
                  Mike Jones wrote:<br>
                </div>
                <blockquote
cite="mid:4E1F6AAD24975D4BA5B168042967394366A742BE@TK5EX14MBXC283.redmond.corp.microsoft.com"
                  type="cite">
                  <div>
                    <p>That’s what I thought.  Thanks for confirming.</p>
                    <p> -- Mike</p>
                    <div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
                      <p><b>From:</b> John Bradley [<a moz-do-not-send="true"
                          class="moz-txt-link-freetext"
                          href="mailto:ve7jtb@ve7jtb.com">mailto:ve7jtb@ve7jtb.com</a>]<br>
                        <b>Sent:</b> Wednesday, January 23, 2013 7:02 AM<br>
                        <b>To:</b> Mike Jones<br>
                        <b>Cc:</b> <a moz-do-not-send="true"
                          class="moz-txt-link-abbreviated"
                          href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
                        <b>Subject:</b> Re: [Openid-specs-ab] token_endpoint_auth_method
                        Registration example error?</p>
                    </div>
                    <p>The server may support multiple methods, but the client MUST
                      only register one, so it shouldn't be multi-value, for
                      simplicity.</p>
                    <p>If you need two auth methods they should be different
                      client_ids.</p>
                    <p>This is intended mostly to enhance security and prevent a
                      server from taking client_secret_basic from an attacker when
                      the real client is using private_key_jwt.</p>
                    <p>John B.</p>
                    <p>On 2013-01-23, at 9:07 AM, Mike Jones <<a moz-do-not-send="true"
                        href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>>
                      wrote:</p>
                    <blockquote type="cite">
                      <p>Registration contains the following definition:</p>
                      <p><tt>token_endpoint_auth_method</tt></p>
                      <div style="margin-left:.5in">
                        <p>OPTIONAL. Requested authentication method for the Token
                          Endpoint. The options are <tt>client_secret_post</tt>,
                          <tt>client_secret_basic</tt>, <tt>client_secret_jwt</tt>, and
                          <tt>private_key_jwt</tt>, as described in Section 2.2.1 of
                          [OpenID.Messages]. Other Authentication methods may be
                          defined by extension. If unspecified or omitted, the
                          default is <tt>client_secret_basic</tt> HTTP Basic
                          Authentication Scheme as specified in Section 2.3.1 of
                          [RFC6749].</p>
                      </div>
                      <p>It later uses “token_endpoint_auth_method” in two example
                        result values in this manner:</p>
                      <pre style="background:#CCCCCC">"token_endpoint_auth_method":
   "client_secret_basic client_secret_post",</pre>
                      <p>This looks like a bug to me, since the string appears to
                        be trying to contain multiple values.</p>
                      <p>Thus, I’m changing the string used to just
                        <tt>"client_secret_basic"</tt> to make the example correct.
                        But I thought I’d point this out in case the example may
                        have been intentional in some manner.</p>
                      <p> -- Mike</p>
                      <p>_______________________________________________<br>
                        Openid-specs-ab mailing list<br>
                        <a moz-do-not-send="true"
                          href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
                        <a moz-do-not-send="true"
                          href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></p>
                    </blockquote>
                  </div>
                </blockquote>
              </blockquote>
              <br>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
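    <p>An added example, not code from the OpenID specs or from any of the
    participants above, of the server-side rule John describes in this thread:
    the client registers exactly one <tt>token_endpoint_auth_method</tt>, and
    the token endpoint refuses every other method before it looks at the
    credential, so a leaked <tt>client_secret</tt> presented via
    <tt>client_secret_basic</tt> does nothing for a client registered as
    <tt>private_key_jwt</tt>. It also rejects the space-separated multi-value
    string from the spec's old example at registration time. The
    <tt>Client</tt> record, the function names and the
    <tt>verify_private_key_jwt</tt> hook are assumptions for illustration;
    checking a <tt>private_key_jwt</tt> signature against the client's
    registered public key is delegated to that hook rather than implemented
    here, and the sample requests are constructed, not captured traffic.</p>

```python
"""Pin a client to the single token_endpoint_auth_method it registered.

Added example, not from the OpenID specs or anyone in the thread. All names
here are hypothetical; a real server would use a JOSE library for the JWT
methods and verify private_key_jwt against the registered public key.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Optional
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
VALID_METHODS = ("client_secret_post", "client_secret_basic",
                 "client_secret_jwt", "private_key_jwt")

@dataclass
class Client:
    client_id: str
    token_endpoint_auth_method: str      # exactly one value, as the thread settles on
    client_secret: Optional[str] = None  # may be issued even to a JWT client
    verify_private_key_jwt: Optional[Callable[[str], bool]] = None  # hypothetical hook

def registered_method(metadata: dict) -> str:
    """One value only; "client_secret_basic client_secret_post" is an error."""
    method = metadata.get("token_endpoint_auth_method", "client_secret_basic")
    if method not in VALID_METHODS:
        raise ValueError(f"token_endpoint_auth_method must be one of {VALID_METHODS}, got {method!r}")
    return method

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _jwt_part(assertion: str, idx: int) -> dict:
    """Header (0) or payload (1) of a compact JWS; {} if malformed."""
    try:
        part = json.loads(_unb64url(assertion.split(".")[idx]))
    except (ValueError, IndexError):
        return {}
    return part if isinstance(part, dict) else {}

def encode_jwt(header: dict, payload: dict, sign: Callable[[bytes], bytes]) -> str:
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    return signing_input + "." + _b64url(sign(signing_input.encode()))

def client_secret_jwt_assertion(client_id: str, secret: str, aud: str) -> str:
    """Client side of client_secret_jwt: HS256 keyed with the shared secret."""
    return encode_jwt({"alg": "HS256"}, {"iss": client_id, "sub": client_id, "aud": aud},
                      lambda data: hmac.new(secret.encode(), data, hashlib.sha256).digest())

def _hs256_valid(assertion: str, secret: str) -> bool:
    signing_input, _, sig = assertion.rpartition(".")
    expected = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    try:
        return hmac.compare_digest(expected, _unb64url(sig))
    except ValueError:
        return False

def basic_request(client_id: str, secret: str) -> tuple:
    token = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return {"Authorization": "Basic " + token}, {"grant_type": "client_credentials"}

def presented_method(headers: dict, form: dict) -> tuple:
    """(method, client_id, credential) for a token request. The two JWT methods
    share one client_assertion_type and are told apart by the JWS alg (HS* vs.
    anything else); two methods at once, or none, are reported as such."""
    auth = headers.get("Authorization", "")
    basic = auth.startswith("Basic ")
    post = "client_secret" in form
    jwt = form.get("client_assertion_type") == JWT_BEARER and "client_assertion" in form
    if basic + post + jwt != 1:
        return ("ambiguous" if basic + post + jwt else "none"), form.get("client_id"), None
    if basic:
        cid, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        return "client_secret_basic", cid, secret
    if post:
        return "client_secret_post", form.get("client_id"), form["client_secret"]
    assertion = form["client_assertion"]
    alg = str(_jwt_part(assertion, 0).get("alg", ""))
    method = "client_secret_jwt" if alg.startswith("HS") else "private_key_jwt"
    return method, form.get("client_id") or _jwt_part(assertion, 1).get("iss"), assertion

def authenticate(client: Client, headers: dict, form: dict) -> str:
    """"ok" or an OAuth error code. The registered method is enforced before any
    credential is checked, so a correct client_secret sent via Basic for a client
    registered as private_key_jwt is refused even though the secret would verify."""
    method, cid, cred = presented_method(headers, form)
    if cid != client.client_id or method != client.token_endpoint_auth_method:
        return "invalid_client"
    if method in ("client_secret_basic", "client_secret_post"):
        ok = client.client_secret is not None and hmac.compare_digest(cred.encode(), client.client_secret.encode())
    elif method == "client_secret_jwt":
        ok = client.client_secret is not None and _hs256_valid(cred, client.client_secret)
    else:
        ok = client.verify_private_key_jwt is not None and client.verify_private_key_jwt(cred)
    return "ok" if ok else "invalid_client"
```

    <p>The order of checks is the point: the method comparison happens before
    <tt>hmac.compare_digest</tt> or any signature check, so the server never
    learns whether the attacker's secret was right. A client that genuinely
    needs two methods gets two <tt>client_id</tt>s, as John says, which in this
    model is simply two <tt>Client</tt> records. The HS-versus-asymmetric split
    on the JWS <tt>alg</tt> header also means an HS256 assertion signed with a
    leaked secret is refused for a <tt>private_key_jwt</tt> client, since it
    classifies as <tt>client_secret_jwt</tt>.</p>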
    <br>
  </body>
</html>