Re: [OAUTH-WG] Using SAML2 Bearer for the authentication

Wed, 20 Feb 2013 03:45:44 -0800 

On 19/02/13 14:27, Brian Campbell wrote:

The scope of assertion based client authentication is only in OAuth and
only for the client calling the AS's token endpoint. Defining a general
HTTP auth scheme for assertions would have a much broader scope and be
much more difficult to standardize.

Understood, thanks.
I'd like to ask another question related to the subject of this thread, though the same would likely be relevant for using JWT for authenticating.
When the assertion is used for authenticating the client, a form "client_id" parameter is said to be optional. Next, section 6.1 [1] says that "Subject" of the assertion SHOULD be "client_id". 

I interpret it like this.
If "Subject" is set to "client_id" then there the actual client_id must be available as "client_id" form parameter, which will be posted alongside the assertion.
If not then the client_id is an actual Subject value and no "client_id" form parameter is expected to be available. 


Is it correct ?

Thanks, Sergey

[1] http://tools.ietf.org/html/draft-ietf-oauth-assertions-10#section-6.1






On Tue, Feb 19, 2013 at 6:54 AM, Sergey Beryozkin <sberyoz...@gmail.com
<mailto:sberyoz...@gmail.com>> wrote:

    Hi,

    Assertions like SAML2 Bearer can be used for authenticating the client.
    Why a dedicated Authorization scheme can not be introduced, instead
    of or in addition to "client_assertion" & "client_assertion_type"
    parameters ?

    IMHO, the following

    Authorization: SAML "base64url-encoded assertion"

    grant_type=authorization_code&__code=123456

    is more in line with OAuth2 recommending not to prefer including
    client id & secret in the body:

    "Including the client credentials in the request-body using the two
    parameters is NOT RECOMMENDED and SHOULD be limited to clients unable
    to directly utilize the HTTP Basic authentication scheme (or other
    password-based HTTP authentication schemes)" - though it talks about
    a password based scheme...

    similarly:

    Authorization: JWT "encoded jwt assertion"

    grant_type=authorization_code&__code=123456

    Just a thought.

    Cheers, Sergey


    _________________________________________________
    OAuth mailing list
    OAuth@ietf.org <mailto:OAuth@ietf.org>
    https://www.ietf.org/mailman/__listinfo/oauth
    <https://www.ietf.org/mailman/listinfo/oauth>



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to