Basic 2.2.6.1 - Client authentication clarifications

Issue #726 resolved
Michael Jones created an issue

From 24-Jan-13 spec call notes:

Pam's Comments on Basic: Basic 2.2.1. Client Prepares Authorization Request says Clients MAY construct the request using the HTTP GET or the HTTP POST method as defined in RFC 2616 [RFC2616]. Standard 2.3 says Authorization Servers MUST support the use of the HTTP "GET" and "POST" methods defined in RFC 2616 [RFC2616] at the Authorization Endpoint.

We don't need to express a preference between the methods in Basic
We may say that they can use either because OPs must support both

Basic 2.2.6.  Client Obtains ID Token and Access Token
Basic 2.2.6.1 says no preference between POST or GET
    References 4.1.3.  Access Token Request of OAuth 2.0 [RFC6749]
    References 3.2.1.  Client Authentication
    References 2.3.1.  Client Password
        Recommends using Basic in authorization header

We should recommend putting the client credentials in the Authorization header in Basic
    As recommended in OAuth 2.3.1
We may also want to mention that this is the client_secret_basic method from Registration

OAuth 3.2.  Token Endpoint says
    The client MUST use the HTTP "POST" method when making access token requests.

The phrase "Access Token Request" should appear in 2.2.6
We might also want the term "Client Authentication" to appear in 2.2.6.1

We may need to clarify what we mean by "Token Endpoint" - "OAuth Access Token Endpoint"

From: Mike Jones Sent: Thursday, January 24, 2013 10:47 AM To: 'Pamela Dingle'; openid-specs-ab@lists.openid.net Subject: RE: [Openid-specs-ab] Basic profile section 2.2.6.1

It’s not in bitbucket – but it’s in the about-to-be-released call notes.

I disagree that we should reference Messages. The whole point of Basic and Implicit is for them to be self-contained. If we were willing to tell people to just use Messages and Standard, we’d delete these (intentionally duplicative) specs.

I’ll send my proposed change to the list shortly.

                                                            -- Mike

From: openid-specs-ab-bounces@lists.openid.net [mailto:openid-specs-ab-bounces@lists.openid.net] On Behalf Of Pamela Dingle Sent: Thursday, January 24, 2013 10:42 AM To: openid-specs-ab@lists.openid.net Subject: [Openid-specs-ab] Basic profile section 2.2.6.1

Hi all,

We talked about basic profile section 2.2.6.1 on the call this morning, and Mike agreed to add a bit more helpful text in there that echoes the existing recommendation in RFC 6749 section 3.2 on using the authorization header to authenticate the client vs. including client credentials in the post body of the request sent to the endpoint.

On reading further, I think we could instead state that the possible ways that the client can authenticate to the Access Token Endpoint are listed in the Messages spec section 2.2.1, and that if a client is unsure which client authentication methods are supported, they can refer to a given openid provider's openid-configuration document, under the token_endpoint_auth_methods_supported element (described in Discovery section 3.2). The nice thing about referring to the messages and discovery specs rather than directly to the OAuth spec is that it introduces our simple vocabulary for the different types of client authentication, gives us a place to insert more guidance in the future, and also ties in the relationship with the discovery doc, so that if a developer wants to be more sophisticated they know where to look.

Mike, if you've got something in bitbucket for this change let me know and I'll put this into the ticket rather than into email, I just wanted to get this on the record before I forgot.

Cheers,

Pamela
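As an added illustration of the recommendation discussed above (example code written for this page, not from the OpenID specs or the issue): the client builds the Access Token Request with client_secret_basic, i.e. the client credentials go in the HTTP Authorization header as RFC 6749 section 2.3.1 recommends, not in the POST body, and the Token Endpoint side checks that header. The client_id and client_secret values are the constructed ones from the RFC examples; `REGISTERED_CLIENTS` is an assumed in-memory registry.

```python
import base64
import hmac
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode

# Constructed sample registry standing in for the OP's client database.
REGISTERED_CLIENTS = {"s6BhdRkqt3": "gX1fBat3bV"}


def client_secret_basic_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 2.3.1: form-urlencode id and secret, join with ':', base64."""
    creds = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def build_access_token_request(client_id, client_secret, code, redirect_uri):
    """Access Token Request per RFC 6749 4.1.3: POST, form body, secret in header."""
    headers = {
        "Authorization": client_secret_basic_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "authorization_code",
                      "code": code, "redirect_uri": redirect_uri})
    return "POST", headers, body


def authenticate_client(headers: dict, body: str):
    """Token Endpoint side: return client_id if Basic credentials are valid."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    raw_id, sep, raw_secret = decoded.partition(":")
    if not sep:
        return None
    client_id, secret = unquote_plus(raw_id), unquote_plus(raw_secret)
    # RFC 6749 2.3.1: a client MUST NOT use more than one auth method per request,
    # so a client_secret in the body alongside the header is rejected.
    if "client_secret" in parse_qs(body):
        return None
    expected = REGISTERED_CLIENTS.get(client_id)
    # Constant-time comparison so timing does not leak secret prefixes.
    if expected is None or not hmac.compare_digest(expected, secret):
        return None
    return client_id
```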
