Grant Management: public vs private clients

Issue #386 resolved
Brian Campbell created an issue

The incremental authz draft, hailing from the IETF OAUTH WG, is different from grant management but also similar in many respects. For security reasons, the former has some significantly distinct functionality based on whether the client can authenticate or not. William Denniss (the man with two first names) is a pretty smart dude so I trust there’s good reason for it. Meanwhile there’s no such distinction in grant management. I’ve admittedly not thought it all through but I suspect that grant management needs some more work in this respect. Like maybe different behavior or recommendations for public clients, or disallowing parts of its use by public clients. Or, if not, some security considerations/analysis saying why it’s okay.

Comments (8)

  1. Stuart Low

    I feel like incremental auth is targeted at gradual upgrading of authorisation (bottom up) whereas grant management is about a clear view of all permissions (top down).

    Should public clients be in-scope at all?

  2. Dima Postnikov

    Thanks Brian. While there is nothing that prevents us from including support for both types of clients in the specification, we acknowledge that inclusion of public clients needs some work.

    Given that there are no immediate use cases for it, we decided to exclude public client support from the first implementer's draft.
