<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Not all clients can necessarily use all forms of auth that a server
supports, so I see the two values as complementary.<br>
<br>
-- Justin<br>
<br>
<div class="moz-cite-prefix">On 01/23/2013 12:14 PM, Mike Jones
wrote:<br>
</div>
<blockquote
cite="mid:4E1F6AAD24975D4BA5B168042967394366A75F2B@TK5EX14MBXC283.redmond.corp.microsoft.com"
type="cite">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
tt
{mso-style-priority:99;
font-family:"Courier New","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">The
server expresses what the client should do in the discovery
phase – not during registration. See the “</span><span
style="font-size:11.0pt;font-family:"Courier
New","serif";color:#1F497D">token_endpoint_auth_methods_supported</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">”
discovery result parameter in <a moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-discovery-1_0-12.html">
http://openid.net/specs/openid-connect-discovery-1_0-12.html</a>.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">
-- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
John Bradley [<a class="moz-txt-link-freetext" href="mailto:ve7jtb@ve7jtb.com">mailto:ve7jtb@ve7jtb.com</a>]
<br>
<b>Sent:</b> Wednesday, January 23, 2013 9:02 AM<br>
<b>To:</b> Justin Richer<br>
<b>Cc:</b> Mike Jones; <a class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-ab]
token_endpoint_auth_method Registration example error?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Like discovery the response could be
multi value. However the client souls only register one
value if it wants to restrict what the server accepts for
that client_id. <br>
<br>
Sent from my iPhone<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
On 2013-01-23, at 4:33 PM, Justin Richer <<a
moz-do-not-send="true" href="mailto:jricher@mitre.org">jricher@mitre.org</a>>
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">But now
that the server responds with the current configuration,
it's no longer just about client preference but also about
the server expressing to the client what it should do. So
if a client gets a client_secret, and the server is OK
with it using basic, post, or jwt with that secret, how
can the server tell the client this?<br>
<br>
The simplest thing is to keep it a single value as it is
now, but that's (as always) a tradeoff between flexibility
and complexity.
<br>
<br>
-- Justin<o:p></o:p></p>
<div>
<p class="MsoNormal">On 01/23/2013 11:28 AM, John Bradley
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">If you want a client to authenticate
multiple ways just don't register a prefrence.
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">This was intended to prevent IdP
from accepting weaker methods of authentication from
attackers. If you are not doing that then the client
should be able to use anything the server supports.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Now if the client doesn't register
a public key then some methods will fail, but that is
a client decision.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I think trying to say I only want
to use 2 of the 5 available methods is overkill.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The client should just pick the one
it is going to use.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">If it really needs two methods
maybe it is really two clients and somebody is fudging
things a bit.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">John B.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On 2013-01-23, at 4:18 PM,
Justin Richer <<a moz-do-not-send="true"
href="mailto:jricher@mitre.org">jricher@mitre.org</a>>
wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Actually
come to think of it, why wouldn't a client be able
to do both client_secret_basic and
client_secret_post to a server that supports them?
It's the same info presented in *almost* the same
way.
<br>
<br>
This combination may be the exceptional case,
though, as the other types
(client_secret_jwt, private_key_jwt, or even "none"
that OIDC hasn't adopted yet) aren't particularly
mutually compatible.
<br>
<br>
-- Justin<br>
<br>
<o:p></o:p></p>
<div>
<p class="MsoNormal">On 01/23/2013 10:53 AM,
Justin Richer wrote:<o:p></o:p></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">OK,
thanks for catching that. I'll file a bug
against Oauth2 Dynreg as well (which has the
same examples). John is right that it is defined
as a single value and the examples are off.<br>
<br>
-- Justin<o:p></o:p></p>
<div>
<p class="MsoNormal">On 01/23/2013 10:03 AM,
Mike Jones wrote:<o:p></o:p></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">That’s
what I thought. Thanks for confirming.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">
-- Mike</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid
#B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
John Bradley [<a moz-do-not-send="true"
href="mailto:ve7jtb@ve7jtb.com">mailto:ve7jtb@ve7jtb.com</a>]
<br>
<b>Sent:</b> Wednesday, January 23, 2013
7:02 AM<br>
<b>To:</b> Mike Jones<br>
<b>Cc:</b> <a moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-ab]
token_endpoint_auth_method Registration
example error?</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">The server may support
multiple methods, but the client MUST only
register one, so it shouldn't be multi value
for simplicity.<o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">If you need two auth
methods they should be different client_id.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">This is intended mostly
to enhance security and prevent a server
from taking client_secret_basic from an
attacker when the real client is using
private_key_jwt.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">John B.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">On 2013-01-23, at
9:07 AM, Mike Jones <<a
moz-do-not-send="true"
href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>>
wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Registration
contains the following definition:</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Verdana","sans-serif""
lang="EN">token_endpoint_auth_method</span><o:p></o:p></p>
</div>
<div style="margin-left:.5in">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Verdana","sans-serif""
lang="EN">OPTIONAL. Requested
authentication method for the Token
Endpoint. The options are </span><tt><span
style="font-size:10.0pt;color:#003366" lang="EN">client_secret_post</span></tt><span
style="font-size:11.0pt;font-family:"Verdana","sans-serif""
lang="EN">,<span
class="apple-converted-space"> </span></span><tt><span
style="font-size:10.0pt;color:#003366" lang="EN">client_secret_basic</span></tt><span
style="font-size:11.0pt;font-family:"Verdana","sans-serif""
lang="EN">,<span
class="apple-converted-space"> </span></span><tt><span
style="font-size:10.0pt;color:#003366" lang="EN">client_secret_jwt</span></tt><span
style="font-size:11.0pt;font-family:"Verdana","sans-serif""
lang="EN">, and<span
class="apple-converted-space"> </span></span><tt><span
style="font-size:10.0pt;color:#003366" lang="EN">private_key_jwt</span></tt><span
style="font-size:11.0pt;font-family:"Verdana","sans-serif""
lang="EN">, as described in Section
2.2.1 of [OpenID.Messages]. Other
Authentication methods may be
defined by extension. If unspecified
or omitted, the default is<span
class="apple-converted-space"> </span></span><tt><span
style="font-size:10.0pt;color:#003366" lang="EN">client_secret_basic</span></tt><span
class="apple-converted-space"><span
style="font-size:11.0pt;font-family:"Verdana","sans-serif""
lang="EN"> </span></span><span
style="font-size:11.0pt;font-family:"Verdana","sans-serif""
lang="EN">HTTP Basic Authentication
Scheme as specified in Section 2.3.1
of [RFC6749].</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">It
later uses
“token_endpoint_auth_method” in two
example result values in this
manner:</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="background:#CCCCCC"><span
style="font-family:"Courier
New","serif""
lang="EN">"token_endpoint_auth_method":</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="background:#CCCCCC"><span
style="font-family:"Courier
New","serif""
lang="EN"> "client_secret_basic
client_secret_post",</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">This
looks like a bug to me, since the
string appears to be trying to
contain multiple values.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Thus,
I’m changing the string used to just<span
class="apple-converted-space"> </span></span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</blockquote>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
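<p>The two sides of this thread, as an added example that is not part of the mailing-list discussion or of any OpenID specification text: the client intersects the server's <tt>token_endpoint_auth_methods_supported</tt> discovery value with what it can do and registers exactly one <tt>token_endpoint_auth_method</tt> (defaulting to <tt>client_secret_basic</tt> when omitted, as the quoted Registration text says), the server rejects the space-separated multi-value string from the erroneous spec example, and the token endpoint refuses any method other than the one registered for a <tt>client_id</tt> before it looks at a credential, which is the attacker-downgrade John describes. The client identifiers, secrets, the <tt>REGISTRY</tt> layout, the issuer URL and the HS256 helper are all constructed for this snippet; signature checking of <tt>private_key_jwt</tt> assertions against a registered JWK set is deliberately left outside this stdlib-only code.</p>

```python
import base64
import hashlib
import hmac
import json

# Methods defined by OpenID Connect; extensions may add others (e.g. tls_client_auth).
KNOWN_METHODS = ("private_key_jwt", "client_secret_jwt", "client_secret_basic", "client_secret_post")
DEFAULT_METHOD = "client_secret_basic"  # spec default when the parameter is omitted at registration
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def choose_auth_method(discovery, client_capabilities):
    """Client side: intersect token_endpoint_auth_methods_supported with what this client can do
    (listed strongest first) and return exactly one method for the registration request."""
    supported = discovery.get("token_endpoint_auth_methods_supported", [DEFAULT_METHOD])
    for method in client_capabilities:
        if method in supported:
            return method
    raise ValueError("no token endpoint auth method in common with the server")

def validate_registered_method(registration_request):
    """Server side: the parameter is one string. A space-separated list such as
    "client_secret_basic client_secret_post" (the example error in the thread) is rejected."""
    method = registration_request.get("token_endpoint_auth_method", DEFAULT_METHOD)
    if not isinstance(method, str) or method not in KNOWN_METHODS:
        raise ValueError(f"token_endpoint_auth_method must be exactly one of {KNOWN_METHODS}, got {method!r}")
    return method

def make_hs256_assertion(client_id, secret, token_endpoint):
    """Build a client_secret_jwt assertion (HS256 keyed with the client_secret); constructed sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url_encode(json.dumps({"iss": client_id, "sub": client_id, "aud": token_endpoint}).encode())
    signing_input = f"{header}.{claims}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"

def presented_method(headers, form):
    """Classify how a token request presents client credentials: (method, client_id, credential)."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        return "client_secret_basic", client_id, secret
    if form.get("client_assertion_type") == JWT_BEARER and "client_assertion" in form:
        assertion = form["client_assertion"]
        header = json.loads(_b64url_decode(assertion.split(".")[0]))
        claims = json.loads(_b64url_decode(assertion.split(".")[1]))
        # An HMAC alg means the assertion is keyed with the client_secret; anything else is a private key.
        method = "client_secret_jwt" if header.get("alg", "").startswith("HS") else "private_key_jwt"
        return method, claims.get("sub"), assertion
    if "client_secret" in form:
        return "client_secret_post", form.get("client_id"), form["client_secret"]
    return None, form.get("client_id"), None

def authenticate_client(registry, headers, form):
    """Reject any method other than the one registered for this client_id, then verify the credential.
    `registry` maps client_id -> {"token_endpoint_auth_method": ..., "client_secret": ...}."""
    method, client_id, credential = presented_method(headers, form)
    client = registry.get(client_id)
    if client is None:
        return False, "unknown_client"
    if method != client["token_endpoint_auth_method"]:
        # The binding from the thread: a leaked client_secret is useless against a client registered
        # for private_key_jwt, and basic cannot be swapped for post (or vice versa) either.
        return False, "method_mismatch"
    if method in ("client_secret_basic", "client_secret_post"):
        ok = hmac.compare_digest(credential.encode(), client["client_secret"].encode())
    elif method == "client_secret_jwt":
        signing_input, _, sig = credential.rpartition(".")
        expected = hmac.new(client["client_secret"].encode(), signing_input.encode(), hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, _b64url_decode(sig))
    else:
        # private_key_jwt: the signature must be checked against the client's registered jwks/jwks_uri,
        # which needs a JOSE library; this stdlib-only example stops at the method binding.
        return False, "private_key_jwt_needs_jwks_verification"
    return (True, "authenticated") if ok else (False, "invalid_client_credentials")

# Constructed sample data (not from the spec or the thread).
TOKEN_ENDPOINT = "https://op.example.com/token"
DISCOVERY = {"issuer": "https://op.example.com", "token_endpoint": TOKEN_ENDPOINT,
             "token_endpoint_auth_methods_supported": list(KNOWN_METHODS)}
REGISTRY = {
    "web-app-1": {"token_endpoint_auth_method": "client_secret_basic", "client_secret": "s3cr3t"},
    "cli-2": {"token_endpoint_auth_method": "client_secret_jwt", "client_secret": "jwt-s3cr3t"},
    # Registered for private_key_jwt; the server issued a secret anyway and an attacker later obtained it.
    "backend-3": {"token_endpoint_auth_method": "private_key_jwt", "client_secret": "leaked"},
}

def basic_header(client_id, secret):
    return {"Authorization": "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()}
```

<p>The check order matters: the method comparison happens before any secret is compared, so a request that arrives by the wrong method fails identically whether or not the credential it carries is valid, and a server that handed out a <tt>client_secret</tt> to a <tt>private_key_jwt</tt> client gives an attacker holding that secret nothing to use.</p>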
<br>
</body>
</html>