<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Actually come to think of it, why wouldn't a client be able to do
both client_secret_basic and client_secret_post to a server that
supports them? It's the same info presented in *almost* the same
way. <br>
<br>
This combination may be the exceptional case, though, as the other
types (client_secret_jwt,private_key_jwt, or even "none" that OIDC
hasn't adopted yet) aren't particularly mutually compatible. <br>
<br>
-- Justin<br>
<br>
<br>
<div class="moz-cite-prefix">On 01/23/2013 10:53 AM, Justin Richer
wrote:<br>
</div>
<blockquote cite="mid:MLQM-20130123111640496-8525@mlite.mitre.org"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
OK, thanks for catching that. I'll file a bug against Oauth2
Dynreg as well (which has the same examples). John is right that
it is defined as a single value and the examples are off.<br>
<br>
-- Justin<br>
<br>
<div class="moz-cite-prefix">On 01/23/2013 10:03 AM, Mike Jones
wrote:<br>
</div>
<blockquote
cite="mid:4E1F6AAD24975D4BA5B168042967394366A742BE@TK5EX14MBXC283.redmond.corp.microsoft.com"
type="cite">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<base href="x-msg://1194/">
<style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
tt
{mso-style-priority:99;
font-family:"Courier New";}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">That’s
what I thought. Thanks for confirming.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">
-- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
John Bradley [<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="mailto:ve7jtb@ve7jtb.com">mailto:ve7jtb@ve7jtb.com</a>]
<br>
<b>Sent:</b> Wednesday, January 23, 2013 7:02 AM<br>
<b>To:</b> Mike Jones<br>
<b>Cc:</b> <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-ab]
token_endpoint_auth_method Registration example error?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The server may support multiple methods,
but the client MUST only register one, so it shouldn't be
multi value for simplicity.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">If you need two auth methods they
should be different client_id.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">This is intended mostly to enhance
security and prevent a server from taking
client_secret_basic from an attacker when the real client
is using private_key_jwt.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">John B.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On 2013-01-23, at 9:07 AM, Mike
Jones <<a moz-do-not-send="true"
href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>>
wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Registration
contains the following definition:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Verdana","sans-serif""
lang="EN">token_endpoint_auth_method</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div style="margin-left:.5in">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Verdana","sans-serif""
lang="EN">OPTIONAL. Requested authentication
method for the Token Endpoint. The options are</span><tt><span
style="color:#003366" lang="EN">client_secret_post</span></tt><span
style="font-size:11.0pt;font-family:"Verdana","sans-serif""
lang="EN">,<span class="apple-converted-space"> </span></span><tt><span
style="color:#003366" lang="EN">client_secret_basic</span></tt><span
style="font-size:11.0pt;font-family:"Verdana","sans-serif""
lang="EN">,<span class="apple-converted-space"> </span></span><tt><span
style="color:#003366" lang="EN">client_secret_jwt</span></tt><span
style="font-size:11.0pt;font-family:"Verdana","sans-serif""
lang="EN">, and<span class="apple-converted-space"> </span></span><tt><span
style="color:#003366" lang="EN">private_key_jwt</span></tt><span
style="font-size:11.0pt;font-family:"Verdana","sans-serif""
lang="EN">, as described in Section 2.2.1 of
[OpenID.Messages]. Other Authentication methods
may be defined by extension. If unspecified or
omitted, the default is<span
class="apple-converted-space"> </span></span><tt><span
style="color:#003366" lang="EN">client_secret_basic</span></tt><span
class="apple-converted-space"><span
style="font-size:11.0pt;font-family:"Verdana","sans-serif""
lang="EN"> </span></span><span
style="font-size:11.0pt;font-family:"Verdana","sans-serif""
lang="EN">HTTP Basic Authentication Scheme as
specified in Section 2.3.1 of [RFC6749].</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">It
later uses “token_endpoint_auth_method” in two
example result values in this manner:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:#CCCCCC"><span
style="font-family:"Courier New""
lang="EN">"token_endpoint_auth_method":</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:#CCCCCC"><span
style="font-family:"Courier New""
lang="EN"> "client_secret_basic
client_secret_post",</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">This
looks like a bug to me, since the string appears
to be trying to contain multiple values.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Thus,
I’m changing the string used to just<span
class="apple-converted-space"> </span></span><span
style="font-family:"Courier New""
lang="EN">"client_secret_basic"</span><span
class="apple-converted-space"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span></span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">to
make the example correct. But I thought I’d point
this out in case the example may have been
intentional in some manner.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">
-- Mike<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="font-size:13.5pt;font-family:"Helvetica","sans-serif"">_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a moz-do-not-send="true"
href="mailto:Openid-specs-ab@lists.openid.net"><span
style="color:purple">Openid-specs-ab@lists.openid.net</span></a><br>
<a moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"><span
style="color:purple">http://lists.openid.net/mailman/listinfo/openid-specs-ab</span></a><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Openid-specs-ab mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
</blockquote>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Openid-specs-ab mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
</blockquote>
<br>
</body>
</html>