Re: [OAUTH-WG] Issue: Split the authorization endpoint into two endpoints

Sun, 18 Apr 2010 06:25:36 -0700

from my point of view, the discussion is not necessarily about other means (== authn mechn). Shared secrets are acceptable for most cases. The discussion is about how client credentials are passed to the authorization server API (direct calls only). The proposal is to do it the HTTP authentication way. The spec recommends to use Oauth Authorization headers for securing service/API access via HTTP instead of API parameters. From my point of view, it is a matter of consistency to apply the same pattern (credentials in Authorization headers) to the OAuth authorization server API as well.
From my point of view, the value of having the client_secret parameter is an interoperability baseline. Every library knowns how to perform client authn for OAuth. That's important!. You can achieve the same goal using a BASIC Authorization header + a lot of other advantages, which have already been pointed out in this thread. 


Additionally, WWW-Authentication headers could be used by the 
authorization server to signal the need for client authentication. In 
the current spec, I don't see a way to find out when client authn is 
required and when not.


regards,
Torsten.

Am 17.04.2010 16:32, schrieb Luke Shepard:



If, for your service, you want to use different means of 
authenticating clients, I see no reason why you can’t. Just ignore 
client_secret and do it your own way (it’s optional).



*From:* oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] *On 
Behalf Of *Manger, James H

*Sent:* Friday, April 16, 2010 9:52 PM
*To:* Eran Hammer-Lahav; OAuth WG

*Subject:* Re: [OAUTH-WG] Issue: Split the authorization endpoint into 
two endpoints



> This has nothing to do with it. There is no PUT and DELETE or POST 
with non-form body when *requesting a token**.*


It is relevant.


I don’t want to authenticate direct client requests **only** when they 
**request a token**.


Clients might make any variety of direct requests unrelated to OAuth.


There might even be other OAuth-related requests from clients to an 
authorization server in future (eg get meta data, or delete a token; 
even refreshing a token might be better as a GET).



I want to be able to use the same client auth mechanism, and same 
client credentials, for all these calls.



Some of these calls might be PUTs, DELETEs, non-form POSTs, GETs etc. 
even if requesting (& refreshing) a token is always a form POST.



Hence client_secret as a POST parameter when requesting a token is a 
poor design.



It should be perfectly valid (and not uncommon I expect) for a service 
to support OAuth for user delegation, but not use OAuth for making all 
direct client calls token-based — these address quite different issues.



Other services might use short-term refreshable tokens when clients 
(on their own behalf) access less trusted “content” service, but will 
use “normal” auth when clients talk to the trusted 
account/authorization system.


--

James Manger

*From:* Eran Hammer-Lahav [mailto:e...@hueniverse.com]
*Sent:* Saturday, 17 April 2010 12:58 PM
*To:* Manger, James H; Luke Shepard; John Kemp
*Cc:* OAuth WG

*Subject:* Re: [OAUTH-WG] Issue: Split the authorization endpoint into 
two endpoints



This has nothing to do with it. There is no PUT and DELETE or POST 
with non-form body when *requesting a token**.



*We need to do a better job not to confuse accessing protected 
resources with the flow calls. They are completely different.


EHL



On 4/16/10 7:02 PM, "James Manger" <james.h.man...@team.telstra.com> 
wrote:



>> In either case, we should not restrict the access token URL to 
POST-only.

>> A GET request is just as secure and can be much easier to write code for

> If you are using GET, then refresh tokens and client secrets will end
> up side by side in web server log files.


These are exactly the sort of reasons why client authentication should 
be any "normal" auth scheme, and not an OAuth-special client_secret 
POST parameter. That fails for PUT, DELETE, and POST with a non-form 
body; and the security changes with GET.


--
James Manger

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

   



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
























					Reply via email to