<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
That's not an unreasonable interpretation. I think we should
consider collapsing the client_secret_post and client_secret_basic
at a future point, then.<br>
<br>
-- Justin<br>
<br>
<div class="moz-cite-prefix">On 01/23/2013 12:45 PM, Mike Jones
wrote:<br>
</div>
<blockquote
cite="mid:4E1F6AAD24975D4BA5B168042967394366A7687B@TK5EX14MBXC283.redmond.corp.microsoft.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I'd
say no. The client has already made its choice. Giving it
options it didn't ask for after that would likely only
create interop problems in many cases.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">
-- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Justin Richer [<a class="moz-txt-link-freetext" href="mailto:jricher@mitre.org">mailto:jricher@mitre.org</a>]
<br>
<b>Sent:</b> Wednesday, January 23, 2013 9:43 AM<br>
<b>To:</b> Mike Jones<br>
<b>Cc:</b> John Bradley;
<a class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-ab]
token_endpoint_auth_method Registration example error?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">All of that I
agree with. Question remains if the server, in its response to
the client, wants to tell the client it has several of the X
options found in discovery.<br>
<br>
-- Justin<o:p></o:p></p>
<div>
<p class="MsoNormal">On 01/23/2013 12:36 PM, Mike Jones wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">I
agree they're complementary.<br>
<br>
Discovery tells the client what the server can do. It
uses that information to pick the option to use that
will work for both of them, then registers with that
option.<br>
<br>
-- Mike<o:p></o:p></span></p>
</div>
</div>
<div class="MsoNormal" style="text-align:center"
align="center">
<hr align="center" size="3" width="100%">
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:
</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Justin
Richer</span><br>
<b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Sent:
</span>
</b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">1/23/2013
9:28 AM</span><br>
<b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">To:
</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Mike
Jones</span><br>
<b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Cc:
</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">John
Bradley;
<a moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a></span><br>
<b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Subject:
</span>
</b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Re:
[Openid-specs-ab] token_endpoint_auth_method Registration
example error?</span><o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Not all
clients can necessarily use all forms of auth that a
server supports, so I see the two values as complementary.<br>
<br>
-- Justin<o:p></o:p></p>
<div>
<p class="MsoNormal">On 01/23/2013 12:14 PM, Mike Jones
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">The
server expresses what the client should do in the
discovery phase – not during registration. See the
"</span>token_endpoint_auth_methods_supported<span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">"
discovery result parameter in <a
moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-discovery-1_0-12.html">
http://openid.net/specs/openid-connect-discovery-1_0-12.html</a>.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">
-- Mike</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
John Bradley [<a moz-do-not-send="true"
href="mailto:ve7jtb@ve7jtb.com">mailto:ve7jtb@ve7jtb.com</a>]
<br>
<b>Sent:</b> Wednesday, January 23, 2013 9:02 AM<br>
<b>To:</b> Justin Richer<br>
<b>Cc:</b> Mike Jones; <a
moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-ab]
token_endpoint_auth_method Registration example
error?</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal">Like discovery the response could
be multi-value. However, the client should only
register one value if it wants to restrict what the
server accepts for that client_id. <br>
<br>
Sent from my iPhone<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
On 2013-01-23, at 4:33 PM, Justin Richer <<a
moz-do-not-send="true"
href="mailto:jricher@mitre.org">jricher@mitre.org</a>>
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">But
now that the server responds with the current
configuration, it's no longer just about client
preference but also about the server expressing to
the client what it should do. So if a client gets
a client_secret, and the server is OK with it
using basic, post, or jwt with that secret, how
can the server tell the client this?<br>
<br>
The simplest thing is to keep it a single value as
it is now, but that's (as always) a tradeoff
between flexibility and complexity.
<br>
<br>
-- Justin<o:p></o:p></p>
<div>
<p class="MsoNormal">On 01/23/2013 11:28 AM, John
Bradley wrote:<o:p></o:p></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">If you want a client to
authenticate multiple ways just don't register a
preference.
<o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">This was intended to
prevent IdP from accepting weaker methods of
authentication from attackers. If you are
not doing that then the client should be able
to use anything the server supports.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Now if the client doesn't
register a public key then some methods will
fail, but that is a client decision.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">I think trying to say I
only want to use 2 of the 5 available methods
is overkill.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">The client should just pick
the one it is going to use.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">If it really needs two
methods maybe it is really two clients and
somebody is fudging things a bit.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">John B.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">On 2013-01-23, at 4:18
PM, Justin Richer <<a
moz-do-not-send="true"
href="mailto:jricher@mitre.org">jricher@mitre.org</a>>
wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal"
style="margin-bottom:12.0pt">Actually come
to think of it, why wouldn't a client be
able to do both client_secret_basic and
client_secret_post to a server that
supports them? It's the same info
presented in *almost* the same way.
<br>
<br>
This combination may be the exceptional
case, though, as the other types
(client_secret_jwt, private_key_jwt, or
even "none" that OIDC hasn't adopted yet)
aren't particularly mutually compatible.
<br>
<br>
-- Justin<o:p></o:p></p>
<div>
<p class="MsoNormal">On 01/23/2013 10:53
AM, Justin Richer wrote:<o:p></o:p></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"
style="margin-bottom:12.0pt">OK, thanks
for catching that. I'll file a bug
against OAuth2 Dynreg as well (which has
the same examples). John is right that
it is defined as a single value and the
examples are off.<br>
<br>
-- Justin<o:p></o:p></p>
<div>
<p class="MsoNormal">On 01/23/2013 10:03
AM, Mike Jones wrote:<o:p></o:p></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">That's
what I thought. Thanks for
confirming.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">
-- Mike</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<div>
<div
style="border:none;border-top:solid
#B5C4DF 1.0pt;padding:3.0pt 0in 0in
0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
John Bradley [<a
moz-do-not-send="true"
href="mailto:ve7jtb@ve7jtb.com">mailto:ve7jtb@ve7jtb.com</a>]
<br>
<b>Sent:</b> Wednesday, January
23, 2013 7:02 AM<br>
<b>To:</b> Mike Jones<br>
<b>Cc:</b> <a
moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re:
[Openid-specs-ab]
token_endpoint_auth_method
Registration example error?</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">The server may
support multiple methods, but the
client MUST only register one, so it
shouldn't be multi-value for
simplicity.<o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">If you need two
auth methods they should be
different client_id.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">This is intended
mostly to enhance security and
prevent a server from taking
client_secret_basic from an attacker
when the real client is using
private_key_jwt.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">John B.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">On
2013-01-23, at 9:07 AM, Mike
Jones <<a
moz-do-not-send="true"
href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>>
wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><br>
<br>
<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Registration
contains the following
definition:</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Verdana","sans-serif""
lang="EN">token_endpoint_auth_method</span><o:p></o:p></p>
</div>
<div style="margin-left:.5in">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Verdana","sans-serif""
lang="EN">OPTIONAL.
Requested authentication
method for the Token
Endpoint. The options are</span><tt><span
style="font-size:10.0pt;color:#003366" lang="EN">client_secret_post</span></tt><span
style="font-size:11.0pt;font-family:"Verdana","sans-serif""
lang="EN">,<span
class="apple-converted-space"> </span></span><tt><span
style="font-size:10.0pt;color:#003366" lang="EN">client_secret_basic</span></tt><span
style="font-size:11.0pt;font-family:"Verdana","sans-serif""
lang="EN">,<span
class="apple-converted-space"> </span></span><tt><span
style="font-size:10.0pt;color:#003366" lang="EN">client_secret_jwt</span></tt><span
style="font-size:11.0pt;font-family:"Verdana","sans-serif""
lang="EN">, and<span
class="apple-converted-space"> </span></span><tt><span
style="font-size:10.0pt;color:#003366" lang="EN">private_key_jwt</span></tt><span
style="font-size:11.0pt;font-family:"Verdana","sans-serif""
lang="EN">, as described in
Section 2.2.1 of
[OpenID.Messages]. Other
Authentication methods may
be defined by extension. If
unspecified or omitted, the
default is<span
class="apple-converted-space"> </span></span><tt><span
style="font-size:10.0pt;color:#003366" lang="EN">client_secret_basic</span></tt><span
class="apple-converted-space"><span
style="font-size:11.0pt;font-family:"Verdana","sans-serif""
lang="EN"> </span></span><span
style="font-size:11.0pt;font-family:"Verdana","sans-serif""
lang="EN">HTTP Basic
Authentication Scheme as
specified in Section 2.3.1
of [RFC6749].</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">It
later uses
"token_endpoint_auth_method"
in two example result values
in this manner:</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="background:#CCCCCC"><span
lang="EN">"token_endpoint_auth_method":</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="background:#CCCCCC"><span
lang="EN">
"client_secret_basic
client_secret_post",</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">This
looks like a bug to me,
since the string appears to
be trying to contain
multiple values.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Thus,
I'm changing the string used
to just<span
class="apple-converted-space"> </span></span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</blockquote>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
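<p>Added example, not code from the thread's participants or from the OpenID specifications: a Python sketch of the rule the thread converges on. Registration binds a client_id to exactly one token_endpoint_auth_method (the space-separated "client_secret_basic client_secret_post" from the spec example is rejected as a registration error), and the token endpoint then refuses any attempt to authenticate that client_id with a different method, which is the gate John Bradley describes against a server accepting client_secret_basic for a client that registered private_key_jwt. The registration, header and form dictionaries, the helper names, and the constructed client_id and assertion stub are all assumptions; secret comparison and JWT signature verification happen after this gate and are not shown.</p>

```python
"""Added example: enforce a client's single registered token_endpoint_auth_method
at the token endpoint. Not code from the OpenID specs or any thread participant."""
import base64
import json
from typing import Optional, Set, Tuple

# Methods listed in the registration definition quoted in the thread.
KNOWN_METHODS = {"client_secret_post", "client_secret_basic",
                 "client_secret_jwt", "private_key_jwt"}
DEFAULT_METHOD = "client_secret_basic"          # default when the field is omitted
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def registration_error(registration: dict) -> Optional[str]:
    """Return why a registration's token_endpoint_auth_method is unacceptable, or None.

    Rejects the space-separated form from the spec example
    ("client_secret_basic client_secret_post"): the field is a single value.
    """
    value = registration.get("token_endpoint_auth_method")
    if value is None:
        return None                                # omitted: the default applies
    if not isinstance(value, str) or value != value.strip() or not value:
        return "token_endpoint_auth_method must be a non-empty string"
    if " " in value:
        return "token_endpoint_auth_method must hold exactly one method, not a list"
    if value not in KNOWN_METHODS:
        return f"unknown token_endpoint_auth_method {value!r}"
    return None


def registered_method(registration: dict) -> str:
    """The single method this client_id is bound to (default client_secret_basic)."""
    err = registration_error(registration)
    if err:
        raise ValueError(err)
    return registration.get("token_endpoint_auth_method", DEFAULT_METHOD)


def _jwt_alg(token: str) -> str:
    """Read 'alg' from a compact JWS header. The signature is NOT checked here."""
    header_b64 = token.split(".")[0]
    header_b64 += "=" * (-len(header_b64) % 4)    # restore base64url padding
    try:
        return json.loads(base64.urlsafe_b64decode(header_b64)).get("alg", "")
    except (ValueError, AttributeError):
        return ""


def presented_methods(headers: dict, form: dict) -> Set[str]:
    """Classify every authentication method a token request attempts to use."""
    found = set()
    if headers.get("Authorization", "").startswith("Basic "):
        found.add("client_secret_basic")
    if "client_secret" in form:
        found.add("client_secret_post")
    if form.get("client_assertion_type") == JWT_BEARER and "client_assertion" in form:
        alg = _jwt_alg(form["client_assertion"])
        if alg.startswith("HS"):
            found.add("client_secret_jwt")         # HMAC over the shared secret
        elif alg[:2] in ("RS", "ES", "PS"):
            found.add("private_key_jwt")           # signed with the client's registered key
        else:
            found.add("unrecognized_assertion")
    return found


def authorize_client_auth(registration: dict, headers: dict, form: dict) -> Tuple[bool, str]:
    """(accepted, reason). Only the registered method may proceed to credential checks.

    A client bound to private_key_jwt is never authenticated via client_secret_basic
    for its client_id, whatever secret is presented. A request that combines two
    methods is refused outright rather than letting the weaker one decide.
    """
    expected = registered_method(registration)
    presented = presented_methods(headers, form)
    if not presented:
        return False, "no client authentication presented"
    if len(presented) > 1:
        return False, "request uses more than one authentication method"
    (used,) = presented
    if used != expected:
        return False, f"client_id bound to {expected}; refusing {used}"
    return True, used


def _assertion_stub(alg: str) -> str:
    """Constructed, unsigned JWT-shaped string; only its header matters for classification."""
    header = base64.urlsafe_b64encode(
        json.dumps({"alg": alg, "typ": "JWT"}).encode()).rstrip(b"=").decode()
    return f"{header}.e30.sig"                     # 'e30' is base64url of '{}'


if __name__ == "__main__":
    # Constructed registration: this client_id is bound to private_key_jwt.
    reg = {"client_id": "example-client-1", "token_endpoint_auth_method": "private_key_jwt"}
    print(authorize_client_auth(reg, {"Authorization": "Basic Zm9vOmJhcg=="}, {}))
    print(authorize_client_auth(reg, {}, {"client_assertion_type": JWT_BEARER,
                                          "client_assertion": _assertion_stub("RS256")}))
    print(registration_error({"token_endpoint_auth_method":
                              "client_secret_basic client_secret_post"}))
```

<p>Run stand-alone it prints the refusal of the Basic attempt, the acceptance of the RS256 assertion, and the error for the multi-valued registration string. The classification step deliberately looks only at the shape of the request (header vs. form field vs. assertion alg) so that the method check can run before any secret or key is touched.</p>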
<br>
</body>
</html>