<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
All of that I agree with. Question remains if the server, in its
response to the client, wants to tell the client it has several of
the X options found in discovery.<br>
<br>
-- Justin<br>
<br>
<div class="moz-cite-prefix">On 01/23/2013 12:36 PM, Mike Jones
wrote:<br>
</div>
<blockquote
cite="mid:4E1F6AAD24975D4BA5B168042967394366A765B3@TK5EX14MBXC283.redmond.corp.microsoft.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<div>
<div style="font-family:Calibri,sans-serif; font-size:11pt">I
agree they're complementary.<br>
<br>
Discovery tells the client what the server can do. It uses
that information to pick the option to use that will work for
both of them, then registers with that option.<br>
<br>
-- Mike<br>
<br>
</div>
</div>
<hr>
<span style="font-family:Tahoma,sans-serif; font-size:10pt;
font-weight:bold">From:
</span><span style="font-family:Tahoma,sans-serif; font-size:10pt">Justin
Richer</span><br>
<span style="font-family:Tahoma,sans-serif; font-size:10pt;
font-weight:bold">Sent:
</span><span style="font-family:Tahoma,sans-serif; font-size:10pt">1/23/2013
9:28 AM</span><br>
<span style="font-family:Tahoma,sans-serif; font-size:10pt;
font-weight:bold">To:
</span><span style="font-family:Tahoma,sans-serif; font-size:10pt">Mike
Jones</span><br>
<span style="font-family:Tahoma,sans-serif; font-size:10pt;
font-weight:bold">Cc:
</span><span style="font-family:Tahoma,sans-serif; font-size:10pt">John
Bradley; <a class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a></span><br>
<span style="font-family:Tahoma,sans-serif; font-size:10pt;
font-weight:bold">Subject:
</span><span style="font-family:Tahoma,sans-serif; font-size:10pt">Re:
[Openid-specs-ab] token_endpoint_auth_method Registration
example error?</span><br>
<br>
<div>Not all clients can necessarily use all forms of auth that a
server supports, so I see the two values as complementary.<br>
<br>
-- Justin<br>
<br>
<div class="moz-cite-prefix">On 01/23/2013 12:14 PM, Mike Jones
wrote:<br>
</div>
<blockquote type="cite"><base href="">
<style>
<!--
@font-face
{font-family:Calibri}
@font-face
{font-family:Tahoma}
@font-face
{font-family:Verdana}
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif"}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline}
tt
{font-family:"Courier New","serif"}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif"}
span.apple-converted-space
{}
span.EmailStyle19
{font-family:"Calibri","sans-serif";
color:#1F497D}
span.EmailStyle20
{font-family:"Calibri","sans-serif";
color:#1F497D}
span.BalloonTextChar
{font-family:"Tahoma","sans-serif"}
.MsoChpDefault
{font-size:10.0pt}
@page WordSection1
{margin:1.0in 1.0in 1.0in 1.0in}
div.WordSection1
{}
-->
</style>
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:#1F497D">The server expresses what the client
should do in the discovery phase – not during
registration. See the “</span><span style="">token_endpoint_auth_methods_supported</span><span
style="font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:#1F497D">” discovery result parameter in <a
moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-discovery-1_0-12.html">
http://openid.net/specs/openid-connect-discovery-1_0-12.html</a>.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:#1F497D">
-- Mike</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:#1F497D"> </span></p>
<div>
<div style="border:none; border-top:solid #B5C4DF 1.0pt;
padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;
font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;
font-family:"Tahoma","sans-serif"">
John Bradley [<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="mailto:ve7jtb@ve7jtb.com">mailto:ve7jtb@ve7jtb.com</a>]
<br>
<b>Sent:</b> Wednesday, January 23, 2013 9:02 AM<br>
<b>To:</b> Justin Richer<br>
<b>Cc:</b> Mike Jones; <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:openid-specs-ab@lists.openid.net">
openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-ab]
token_endpoint_auth_method Registration example
error?</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">Like discovery, the response could be
multi-valued. However, the client should only register one
value if it wants to restrict what the server accepts
for that client_id. <br>
<br>
Sent from my iPhone</p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
On 2013-01-23, at 4:33 PM, Justin Richer <<a
moz-do-not-send="true" href="mailto:jricher@mitre.org">jricher@mitre.org</a>>
wrote:</p>
</div>
<blockquote style="margin-top:5.0pt; margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">But
now that the server responds with the current
configuration, it's no longer just about client
preference but also about the server expressing to the
client what it should do. So if a client gets a
client_secret, and the server is OK with it using
basic, post, or jwt with that secret, how can the
server tell the client this?<br>
<br>
The simplest thing is to keep it a single value as it
is now, but that's (as always) a tradeoff between
flexibility and complexity.
<br>
<br>
-- Justin</p>
<div>
<p class="MsoNormal">On 01/23/2013 11:28 AM, John
Bradley wrote:</p>
</div>
<blockquote style="margin-top:5.0pt;
margin-bottom:5.0pt">
<p class="MsoNormal">If you want a client to
authenticate multiple ways, just don't register a
preference.
</p>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">This was intended to prevent
IdP from accepting weaker methods of
authentication from attackers. If you are not
doing that then the client should be able to use
anything the server supports.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Now if the client doesn't
register a public key then some methods will fail,
but that is a client decision.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">I think trying to say I only
want to use 2 of the 5 available methods is
overkill.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">The client should just pick the
one it is going to use.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">If it really needs two methods
maybe it is really two clients and somebody is
fudging things a bit.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">John B.</p>
</div>
<div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On 2013-01-23, at 4:18 PM,
Justin Richer <<a moz-do-not-send="true"
href="mailto:jricher@mitre.org">jricher@mitre.org</a>>
wrote:</p>
</div>
<p class="MsoNormal"><br>
<br>
</p>
<div>
<p class="MsoNormal"
style="margin-bottom:12.0pt">Actually come to
think of it, why wouldn't a client be able to
do both client_secret_basic and
client_secret_post to a server that supports
them? It's the same info presented in *almost*
the same way.
<br>
<br>
This combination may be the exceptional case,
though, as the other types
(client_secret_jwt, private_key_jwt, or even
"none" that OIDC hasn't adopted yet) aren't
particularly mutually compatible.
<br>
<br>
-- Justin<br>
<br>
</p>
<div>
<p class="MsoNormal">On 01/23/2013 10:53 AM,
Justin Richer wrote:</p>
</div>
<blockquote style="margin-top:5.0pt;
margin-bottom:5.0pt">
<p class="MsoNormal"
style="margin-bottom:12.0pt">OK, thanks for
catching that. I'll file a bug against
OAuth2 Dynreg as well (which has the same
examples). John is right that it is defined
as a single value and the examples are off.<br>
<br>
-- Justin</p>
<div>
<p class="MsoNormal">On 01/23/2013 10:03 AM,
Mike Jones wrote:</p>
</div>
<blockquote style="margin-top:5.0pt;
margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:#1F497D">That’s what I thought.
Thanks for confirming.</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:#1F497D"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:#1F497D">
-- Mike</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:#1F497D"> </span></p>
<div>
<div style="border:none; border-top:solid
#B5C4DF 1.0pt; padding:3.0pt 0in 0in
0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;
font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;
font-family:"Tahoma","sans-serif"">
John Bradley [<a
moz-do-not-send="true"
href="mailto:ve7jtb@ve7jtb.com">mailto:ve7jtb@ve7jtb.com</a>]
<br>
<b>Sent:</b> Wednesday, January 23,
2013 7:02 AM<br>
<b>To:</b> Mike Jones<br>
<b>Cc:</b> <a
moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re:
[Openid-specs-ab]
token_endpoint_auth_method
Registration example error?</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal">The server may support
multiple methods, but the client MUST only
register one, so it shouldn't be multi
value for simplicity.</p>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">If you need two auth
methods they should be different
client_id.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">This is intended
mostly to enhance security and prevent a
server from taking client_secret_basic
from an attacker when the real client is
using private_key_jwt.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">John B.</p>
</div>
<div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On 2013-01-23, at
9:07 AM, Mike Jones <<a
moz-do-not-send="true"
href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>>
wrote:</p>
</div>
<p class="MsoNormal"><br>
<br>
<br>
</p>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;
font-family:"Calibri","sans-serif"">Registration
contains the following
definition:</span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;
font-family:"Calibri","sans-serif""> </span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;
font-family:"Verdana","sans-serif""
lang="EN">token_endpoint_auth_method</span></p>
</div>
<div style="margin-left:.5in">
<p class="MsoNormal"><span
style="font-size:11.0pt;
font-family:"Verdana","sans-serif""
lang="EN">OPTIONAL. Requested
authentication method for the
Token Endpoint. The options are</span><tt><span
style="font-size:10.0pt;
color:#003366" lang="EN">client_secret_post</span></tt><span
style="font-size:11.0pt;
font-family:"Verdana","sans-serif""
lang="EN">,<span
class="apple-converted-space"> </span></span><tt><span
style="font-size:10.0pt;
color:#003366" lang="EN">client_secret_basic</span></tt><span
style="font-size:11.0pt;
font-family:"Verdana","sans-serif""
lang="EN">,<span
class="apple-converted-space"> </span></span><tt><span
style="font-size:10.0pt;
color:#003366" lang="EN">client_secret_jwt</span></tt><span
style="font-size:11.0pt;
font-family:"Verdana","sans-serif""
lang="EN">, and<span
class="apple-converted-space"> </span></span><tt><span
style="font-size:10.0pt;
color:#003366" lang="EN">private_key_jwt</span></tt><span
style="font-size:11.0pt;
font-family:"Verdana","sans-serif""
lang="EN">, as described in
Section 2.2.1 of
[OpenID.Messages]. Other
Authentication methods may be
defined by extension. If
unspecified or omitted, the
default is<span
class="apple-converted-space"> </span></span><tt><span
style="font-size:10.0pt;
color:#003366" lang="EN">client_secret_basic</span></tt><span
class="apple-converted-space"><span
style="font-size:11.0pt;
font-family:"Verdana","sans-serif""
lang="EN"> </span></span><span
style="font-size:11.0pt;
font-family:"Verdana","sans-serif""
lang="EN">HTTP Basic
Authentication Scheme as
specified in Section 2.3.1 of
[RFC6749].</span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;
font-family:"Calibri","sans-serif""> </span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;
font-family:"Calibri","sans-serif"">It
later uses
“token_endpoint_auth_method” in
two example result values in
this manner:</span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;
font-family:"Calibri","sans-serif""> </span></p>
</div>
<div>
<p class="MsoNormal"
style="background:#CCCCCC"><span
style="" lang="EN">"token_endpoint_auth_method":</span></p>
</div>
<div>
<p class="MsoNormal"
style="background:#CCCCCC"><span
style="" lang="EN">
"client_secret_basic
client_secret_post",</span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;
font-family:"Calibri","sans-serif""> </span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;
font-family:"Calibri","sans-serif"">This
looks like a bug to me, since
the string appears to be trying
to contain multiple values.</span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;
font-family:"Calibri","sans-serif""> </span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;
font-family:"Calibri","sans-serif"">Thus,
I’m changing the string used to
just<span
class="apple-converted-space"> </span></span></p>
</div>
</div>
</div>
</div>
</blockquote>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote>
<br>
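<p>The behaviour the thread settles on, as an added example that is not part of the original mailing-list discussion and not code from the OpenID Connect or OAuth 2.0 Dynamic Registration specs: a toy token endpoint whose discovery document lists several <tt>token_endpoint_auth_methods_supported</tt>, whose registration endpoint accepts exactly one <tt>token_endpoint_auth_method</tt> per client_id (rejecting the buggy space-separated "client_secret_basic client_secret_post" value Mike found in the examples), and whose token endpoint refuses a correct client_secret that arrives via a method the client did not register. The client-side <tt>choose_method</tt> shows Mike's "pick from discovery, then register that one option" step. The server URL, client ids, secrets and the HS256 assertion helper are constructed for the example; private_key_jwt is left out only because the Python standard library cannot verify asymmetric JWS signatures, so this server does not advertise it.</p>

```python
"""Toy OpenID Connect token endpoint enforcing one registered
token_endpoint_auth_method per client_id.  Constructed example; not code
from the OpenID specs or any implementation mentioned in the thread."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed discovery value (token_endpoint_auth_methods_supported) for this toy server.
SUPPORTED_METHODS = ("client_secret_basic", "client_secret_post", "client_secret_jwt")
DEFAULT_METHOD = "client_secret_basic"        # registration default when the parameter is omitted
TOKEN_ENDPOINT = "https://op.example/token"   # assumed audience for client assertions
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


class RegistrationError(ValueError):
    pass


class AuthError(Exception):
    pass


@dataclass
class Client:
    client_id: str
    token_endpoint_auth_method: str
    client_secret: str


def validate_registration(req: dict) -> str:
    """Registration: the parameter is ONE method, never a space-separated list."""
    method = req.get("token_endpoint_auth_method", DEFAULT_METHOD)
    if not isinstance(method, str) or method not in SUPPORTED_METHODS:
        raise RegistrationError(
            f"token_endpoint_auth_method must be exactly one of {SUPPORTED_METHODS}, got {method!r}")
    return method


def choose_method(client_capable: list, server_supported=SUPPORTED_METHODS) -> str:
    """Client side: first entry of its own preference list that discovery says the server supports."""
    for method in client_capable:
        if method in server_supported:
            return method
    raise RegistrationError("no mutually supported token endpoint auth method")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_secret_jwt(client_id: str, secret: str, now: int, audience=TOKEN_ENDPOINT) -> str:
    """HS256 client assertion (client_secret_jwt) keyed with the shared client_secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": client_id, "sub": client_id, "aud": audience,
                                 "exp": now + 60, "jti": "constructed-jti-1"}).encode())
    sig = hmac.new(secret.encode(), f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"


def verify_client_secret_jwt(token: str, secret: str, now: int, audience=TOKEN_ENDPOINT) -> dict:
    header_b64, claims_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":   # pin alg; no "none"
        raise AuthError("unexpected JWS alg for client_secret_jwt")
    expected = hmac.new(secret.encode(), f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise AuthError("client assertion signature invalid")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        raise AuthError("client assertion aud/exp invalid")
    return claims


def presented_method(headers: dict, form: dict) -> str:
    """Classify how the request tries to authenticate, before trusting anything in it."""
    if headers.get("Authorization", "").startswith("Basic "):
        return "client_secret_basic"
    if form.get("client_assertion_type") == JWT_BEARER:
        alg = json.loads(_b64url_decode(form["client_assertion"].split(".")[0])).get("alg", "")
        return "client_secret_jwt" if alg.startswith("HS") else "private_key_jwt"
    if "client_secret" in form:
        return "client_secret_post"
    return "none"


def authenticate(clients: dict, headers: dict, body: str, now: int = 0) -> Client:
    form = {k: v[0] for k, v in parse_qs(body).items()}
    method = presented_method(headers, form)
    if method == "client_secret_basic":   # RFC 6749 2.3.1: user-id:password carry client_id:secret
        client_id, _, secret = base64.b64decode(headers["Authorization"][6:]).decode().partition(":")
    elif method == "client_secret_post":
        client_id, secret = form.get("client_id", ""), form["client_secret"]
    elif method in ("client_secret_jwt", "private_key_jwt"):
        claims = json.loads(_b64url_decode(form["client_assertion"].split(".")[1]))
        client_id, secret = form.get("client_id", claims.get("iss", "")), None
    else:
        raise AuthError("no client credentials presented")
    client = clients.get(client_id)
    # The registered method is a hard restriction: even a correct secret is refused
    # when it arrives via a method this client_id did not register.
    if client is None or client.token_endpoint_auth_method != method:
        raise AuthError(f"client {client_id!r} is not registered for {method}")
    if method == "client_secret_jwt":
        verify_client_secret_jwt(form["client_assertion"], client.client_secret, now)
    elif not hmac.compare_digest(secret.encode(), client.client_secret.encode()):
        raise AuthError("client_secret mismatch")
    return client


def attempt(clients: dict, headers: dict, body: str, now: int = 0) -> str:
    """Report the token endpoint's decision as a string instead of raising."""
    try:
        return "ok:" + authenticate(clients, headers, body, now).client_id
    except AuthError as exc:
        return "rejected:" + str(exc)


def basic_header(client_id: str, secret: str) -> dict:
    return {"Authorization": "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()}


def demo_clients() -> dict:
    """Constructed registrations: one client_id per method, as John suggests in the thread."""
    return {"app-jwt": Client("app-jwt", "client_secret_jwt", "secret-jwt-1"),
            "app-post": Client("app-post", "client_secret_post", "secret-post-2")}
```

<p>Running <tt>attempt(demo_clients(), basic_header("app-post", "secret-post-2"), "grant_type=client_credentials")</tt> is rejected even though the secret is right, because app-post registered client_secret_post; the same credentials in the form body succeed. A client that genuinely needs two methods registers two client_ids, so each id keeps a single enforced method.</p>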
</body>
</html>