<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"><base href="x-msg://1194/"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">The server may support multiple methods, but the client MUST only register one, so it shouldn't be multi value for simplicity.<div><br></div><div>If you need two auth methods they should be different client_id.</div><div><br></div><div>This is intended mostly to enhance security and prevent a server from taking client_secret_basic from an attacker when the real client is using private_key_jwt.</div><div><br></div><div>John B.</div><div><br><div><div>On 2013-01-23, at 9:07 AM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div lang="EN-US" link="blue" vlink="purple" style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div class="WordSection1" style="page: WordSection1; "><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">Registration contains the following definition:<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span lang="EN" style="font-family: Verdana, sans-serif; ">token_endpoint_auth_method<o:p></o:p></span></div><div style="margin: 0in 0in 0.0001pt 0.5in; font-size: 11pt; font-family: Calibri, sans-serif; "><span lang="EN" style="font-family: Verdana, sans-serif; ">OPTIONAL. Requested authentication method for the Token Endpoint. The options are</span><tt style="font-family: 'Courier New'; color: rgb(0, 51, 102); "><span lang="EN" style="font-size: 12pt; ">client_secret_post</span></tt><span lang="EN" style="font-family: Verdana, sans-serif; ">,<span class="Apple-converted-space"> </span></span><tt style="font-family: 'Courier New'; color: rgb(0, 51, 102); "><span lang="EN" style="font-size: 12pt; ">client_secret_basic</span></tt><span lang="EN" style="font-family: Verdana, sans-serif; ">,<span class="Apple-converted-space"> </span></span><tt style="font-family: 'Courier New'; color: rgb(0, 51, 102); "><span lang="EN" style="font-size: 12pt; ">client_secret_jwt</span></tt><span lang="EN" style="font-family: Verdana, sans-serif; ">, and<span class="Apple-converted-space"> </span></span><tt style="font-family: 'Courier New'; color: rgb(0, 51, 102); "><span lang="EN" style="font-size: 12pt; ">private_key_jwt</span></tt><span lang="EN" style="font-family: Verdana, sans-serif; ">, as described in Section 2.2.1 of [OpenID.Messages]. Other Authentication methods may be defined by extension. If unspecified or omitted, the default is<span class="Apple-converted-space"> </span></span><tt style="font-family: 'Courier New'; color: rgb(0, 51, 102); "><span lang="EN" style="font-size: 12pt; ">client_secret_basic</span></tt><span lang="EN" style="font-family: Verdana, sans-serif; "><span class="Apple-converted-space"> </span>HTTP Basic Authentication Scheme as specified in Section 2.3.1 of [RFC6749].<o:p></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">It later uses “token_endpoint_auth_method” in two example result values in this manner:<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-color: rgb(204, 204, 204); "><span lang="EN" style="font-size: 12pt; font-family: 'Courier New'; ">"token_endpoint_auth_method":<o:p></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; background-color: rgb(204, 204, 204); "><span lang="EN" style="font-size: 12pt; font-family: 'Courier New'; "> "client_secret_basic client_secret_post",<o:p></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">This looks like a bug to me, since the string appears to be trying to contain multiple values.<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; ">Thus, I’m changing the string used to just<span class="Apple-converted-space"> </span><span lang="EN" style="font-size: 12pt; font-family: 'Courier New'; ">"client_secret_basic"</span><span class="Apple-converted-space"> </span>to make the example correct. But I thought I’d point this out in case the example may have been intentional in some manner.<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "> -- Mike<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><o:p> </o:p></div></div>_______________________________________________<br>Openid-specs-ab mailing list<br><a href="mailto:Openid-specs-ab@lists.openid.net" style="color: purple; text-decoration: underline; ">Openid-specs-ab@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" style="color: purple; text-decoration: underline; ">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br></div></blockquote></div><br></div></body></html>