Hi everyone,
As we adapt the RedIRIS PHP OAuth2 library [1] to the latest version of the draft,
we have found some issues regarding the client secret and client id.
The thing is that we don't understand the security provided by the client_id and
client_secret in the assertion profile.
The latest changes to the protocol say that:
"the authorization server MUST verify that the
redirection URI received matches the registered URI associated with
the client identifier."
This provides one way to perform the correct identification of the client, but it
doesn't work with the assertion profile.
In the assertion profile, we understand that the client_id is optional and that
the assertion could have the information about the client identification.
This could happen when the assertion authorizes an application, but in our use
cases the assertions don't have information about the client application.
This is a problem because in our request to the Auth Server we cannot check if
the application is registered correctly. We can send the client_id in the
request, but we have the same problem, because someone can 'steal' our client
id and impersonate the client.
We think that we can solve that by signing the parameters in the request, adding a
client_id signature or something like this, but we're not sure that this is
referred to in the protocol.
What do you think is the best way to solve this issue?
I don't know if I'm understanding something in a wrong way, so please correct
me if I'm wrong.
Thanks!
Elena.
[1] http://www.rediris.es/oauth2
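The two situations Elena describes, an assertion that names the client versus one that says nothing about it, and the signed-parameter check she proposes, as an added illustration of how an authorization server could handle them. This is example code, not the RedIRIS library or anything from the draft; the client registry, the HMAC-over-sorted-parameters scheme and the base64url JSON assertion format are all assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Constructed client registry; the secret is a placeholder, not a real credential.
CLIENTS = {
    "app-123": {"secret": b"constructed-client-secret", "redirect_uri": "https://app.example/cb"},
}

def canonical(params):
    """Deterministic encoding of every parameter except the signature itself."""
    return urlencode(sorted((k, v) for k, v in params.items() if k != "client_signature")).encode()

def sign_request(params, secret):
    """Client side: HMAC-SHA256 over the canonical parameters, keyed with client_secret.
    A real deployment would also include a timestamp or nonce so a captured
    signature cannot simply be replayed."""
    return hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()

def make_assertion(claims):
    """Constructed assertion format: base64url-encoded JSON. A real SAML or JWT
    assertion would additionally carry the issuer's signature, checked before use."""
    return base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()

def decode_assertion(assertion):
    return json.loads(base64.urlsafe_b64decode(assertion.encode()))

def verify_assertion_request(params):
    """Authorization-server side. Returns (accepted, reason)."""
    client_id = params.get("client_id")
    reg = CLIENTS.get(client_id)
    if reg is None:
        return False, "unknown client_id"
    claims = decode_assertion(params["assertion"])
    bound = claims.get("client_id")
    if bound is not None:
        # The assertion itself names the client: it must agree with client_id.
        if bound != client_id:
            return False, "assertion bound to another client"
        return True, "client identified by assertion"
    # The assertion says nothing about the client (Elena's case): a bare client_id
    # could be copied by anyone, so demand proof of possession of client_secret.
    sig = params.get("client_signature")
    expected = sign_request(params, reg["secret"])
    if sig is None or not hmac.compare_digest(sig, expected):
        return False, "missing or invalid client signature"
    return True, "client authenticated by signed parameters"

def example():
    params = {"grant_type": "assertion", "client_id": "app-123",
              "assertion": make_assertion({"sub": "elena", "iss": "idp.example"})}
    unsigned = verify_assertion_request(params)  # rejected: no proof of the secret
    params["client_signature"] = sign_request(params, CLIENTS["app-123"]["secret"])
    return unsigned, verify_assertion_request(params)
```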
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth