<html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">If you want a client to authenticate multiple ways just don't register a preference.<div><br></div><div>This was intended to prevent IdP from accepting weaker methods of authentication from attackers.   If you are not doing that then the client should be able to use anything the server supports.</div><div><br></div><div>Now if the client doesn't register a public key then some methods will fail, but that is a client decision.</div><div><br></div><div>I think trying to say I only want to use 2 of the 5 available methods is overkill.</div><div><br></div><div>The client should just pick the one it is going to use.</div><div><br></div><div>If it really needs two methods maybe it is really two clients and somebody is fudging things a bit.</div><div><br></div><div>John B.</div><div><br><div><div>On 2013-01-23, at 4:18 PM, Justin Richer <<a href="mailto:jricher@mitre.org">jricher@mitre.org</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
  <div bgcolor="#FFFFFF" text="#000000">
    Actually come to think of it, why wouldn't a client be able to do
    both client_secret_basic and client_secret_post to a server that
    supports them? It's the same info presented in *almost* the same
    way. <br>
    <br>
    This combination may be the exceptional case, though, as the other
    types (client_secret_jwt, private_key_jwt, or even "none" that OIDC
    hasn't adopted yet) aren't particularly mutually compatible. <br>
    <br>
     -- Justin<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 01/23/2013 10:53 AM, Justin Richer
      wrote:<br>
    </div>
    <blockquote cite="mid:MLQM-20130123111640496-8525@mlite.mitre.org" type="cite">
      OK, thanks for catching that. I'll file a bug against OAuth2
      Dynreg as well (which has the same examples). John is right that
      it is defined as a single value and the examples are off.<br>
      <br>
       -- Justin<br>
      <br>
      <div class="moz-cite-prefix">On 01/23/2013 10:03 AM, Mike Jones
        wrote:<br>
      </div>
      <blockquote cite="mid:4E1F6AAD24975D4BA5B168042967394366A742BE@TK5EX14MBXC283.redmond.corp.microsoft.com" type="cite">
        <div class="WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">That’s

              what I thought.  Thanks for confirming.<o:p></o:p></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">                                                           

              -- Mike<o:p></o:p></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span></p>
          <div>
            <div style="border:none;border-top:solid #B5C4DF
              1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
                  John Bradley [<a moz-do-not-send="true" class="moz-txt-link-freetext" href="mailto:ve7jtb@ve7jtb.com">mailto:ve7jtb@ve7jtb.com</a>]
                  <br>
                  <b>Sent:</b> Wednesday, January 23, 2013 7:02 AM<br>
                  <b>To:</b> Mike Jones<br>
                  <b>Cc:</b> <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
                  <b>Subject:</b> Re: [Openid-specs-ab]
                  token_endpoint_auth_method Registration example error?<o:p></o:p></span></p>
            </div>
          </div><p class="MsoNormal"><o:p> </o:p></p><p class="MsoNormal">The server may support multiple methods,
            but the client MUST only register one, so it shouldn't be
            multi value for simplicity.<o:p></o:p></p>
          <div><p class="MsoNormal"><o:p> </o:p></p>
          </div>
          <div><p class="MsoNormal">If you need two auth methods they
              should be different client_id.<o:p></o:p></p>
          </div>
          <div><p class="MsoNormal"><o:p> </o:p></p>
          </div>
          <div><p class="MsoNormal">This is intended mostly to enhance
              security and prevent a server from taking
              client_secret_basic from an attacker when the real client
              is using private_key_jwt.<o:p></o:p></p>
          </div>
          <div><p class="MsoNormal"><o:p> </o:p></p>
          </div>
          <div><p class="MsoNormal">John B.<o:p></o:p></p>
          </div>
          <div><p class="MsoNormal"><o:p> </o:p></p>
            <div>
              <div><p class="MsoNormal">On 2013-01-23, at 9:07 AM, Mike
                  Jones <<a moz-do-not-send="true" href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>>

                  wrote:<o:p></o:p></p>
              </div><p class="MsoNormal"><br>
                <br>
                <o:p></o:p></p>
              <div>
                <div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Registration

                      contains the following definition:<o:p></o:p></span></p>
                </div>
                <div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
                </div>
                <div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Verdana","sans-serif"" lang="EN">token_endpoint_auth_method</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
                </div>
                <div style="margin-left:.5in"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Verdana","sans-serif"" lang="EN">OPTIONAL. Requested authentication
                      method for the Token Endpoint. The options are </span><tt><span style="color:#003366" lang="EN">client_secret_post</span></tt><span style="font-size:11.0pt;font-family:"Verdana","sans-serif"" lang="EN">,<span class="apple-converted-space"> </span></span><tt><span style="color:#003366" lang="EN">client_secret_basic</span></tt><span style="font-size:11.0pt;font-family:"Verdana","sans-serif"" lang="EN">,<span class="apple-converted-space"> </span></span><tt><span style="color:#003366" lang="EN">client_secret_jwt</span></tt><span style="font-size:11.0pt;font-family:"Verdana","sans-serif"" lang="EN">, and<span class="apple-converted-space"> </span></span><tt><span style="color:#003366" lang="EN">private_key_jwt</span></tt><span style="font-size:11.0pt;font-family:"Verdana","sans-serif"" lang="EN">, as described in Section 2.2.1 of
                      [OpenID.Messages]. Other Authentication methods
                      may be defined by extension. If unspecified or
                      omitted, the default is<span class="apple-converted-space"> </span></span><tt><span style="color:#003366" lang="EN">client_secret_basic</span></tt><span class="apple-converted-space"><span style="font-size:11.0pt;font-family:"Verdana","sans-serif"" lang="EN"> </span></span><span style="font-size:11.0pt;font-family:"Verdana","sans-serif"" lang="EN">HTTP Basic Authentication Scheme as
                      specified in Section 2.3.1 of [RFC6749].</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
                </div>
                <div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
                </div>
                <div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">It

                      later uses “token_endpoint_auth_method” in two
                      example result values in this manner:<o:p></o:p></span></p>
                </div>
                <div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
                </div>
                <div><p class="MsoNormal" style="background:#CCCCCC"><span style="font-family:"Courier New"" lang="EN">"token_endpoint_auth_method":</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
                </div>
                <div><p class="MsoNormal" style="background:#CCCCCC"><span style="font-family:"Courier New"" lang="EN">   "client_secret_basic
                      client_secret_post",</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
                </div>
                <div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
                </div>
                <div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">This

                      looks like a bug to me, since the string appears
                      to be trying to contain multiple values.<o:p></o:p></span></p>
                </div>
                <div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
                </div>
                <div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Thus,

                      I’m changing the string used to just<span class="apple-converted-space"> </span></span><span style="font-family:"Courier New"" lang="EN">"client_secret_basic"</span><span class="apple-converted-space"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span></span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">to


                      make the example correct.  But I thought I’d point
                      this out in case the example may have been
                      intentional in some manner.<o:p></o:p></span></p>
                </div>
                <div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
                </div>
                <div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">                                                           

                      -- Mike<o:p></o:p></span></p>
                </div>
                <div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
                </div><p class="MsoNormal"><span style="font-size:13.5pt;font-family:"Helvetica","sans-serif"">_______________________________________________<br>
                    Openid-specs-ab mailing list<br>
                    <a moz-do-not-send="true" href="mailto:Openid-specs-ab@lists.openid.net"><span style="color:purple">Openid-specs-ab@lists.openid.net</span></a><br>
                    <a moz-do-not-send="true" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"><span style="color:purple">http://lists.openid.net/mailman/listinfo/openid-specs-ab</span></a><o:p></o:p></span></p>
              </div>
            </div><p class="MsoNormal"><o:p> </o:p></p>
          </div>
        </div>
        <br>
      </blockquote>
      <br>
      <br>
    </blockquote>
    <br>
  </div>

</blockquote></div><br></div></body></html>
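John's point that the server should accept only the single method the client registered (so a client_secret_basic header cannot be used against a client registered with private_key_jwt), together with Mike's observation that token_endpoint_auth_method is a single value, as an added Python example; this is not code from the thread or from any OpenID implementation. The client registry, request headers and form fields are constructed; checking the actual credential (secret comparison, JWS signature) is assumed to happen after this gate and is not implemented.

```python
import base64
import json

# The methods named in this thread (OpenID Connect Registration / Messages).
KNOWN_METHODS = {"client_secret_post", "client_secret_basic",
                 "client_secret_jwt", "private_key_jwt", "none"}
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def validate_registration(metadata):
    """Return the one registered method (default client_secret_basic); a
    space-separated string like the buggy spec example is rejected whole."""
    method = metadata.get("token_endpoint_auth_method", "client_secret_basic")
    if not isinstance(method, str) or method not in KNOWN_METHODS:
        raise ValueError("token_endpoint_auth_method must be one value, got %r" % (method,))
    return method

def basic_header(client_id, secret):
    """Build an HTTP Basic Authorization value (for constructed test requests)."""
    return "Basic " + base64.b64encode(("%s:%s" % (client_id, secret)).encode()).decode()

def _jws_alg(assertion):
    """Read 'alg' from a compact JWS header; the signature is not checked here."""
    head = assertion.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(head + "=" * (-len(head) % 4))).get("alg", "")

def presented_method(headers, form):
    """Classify which client authentication method a token request presents."""
    if headers.get("Authorization", "").startswith("Basic "):
        return "client_secret_basic"
    if form.get("client_assertion_type") == JWT_BEARER:
        # An HMAC alg means the assertion was signed with the shared client secret.
        alg = _jws_alg(form.get("client_assertion", ""))
        return "client_secret_jwt" if alg.startswith("HS") else "private_key_jwt"
    if "client_secret" in form:
        return "client_secret_post"
    return "none"

def check_token_request(registry, headers, form):
    """Gate: accept only the single method registered for this client_id.
    Credential verification would follow this gate and is omitted here."""
    auth = headers.get("Authorization", "")
    client_id = (base64.b64decode(auth[6:]).decode().split(":", 1)[0]
                 if auth.startswith("Basic ") else form.get("client_id"))
    registered = registry.get(client_id)
    if registered is None:
        return False, "unknown client"
    presented = presented_method(headers, form)
    if presented != registered:
        return False, "registered %s, presented %s" % (registered, presented)
    return True, presented
```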