Just trying to close the loop on this thread (six weeks later, sorry). New
drafts were published last month that (hopefully) have more clear text
about the treatment of client_id. And it's been removed from examples where
it's optional.

http://www.ietf.org/mail-archive/web/oauth/current/msg11213.html


On Tue, Mar 19, 2013 at 4:22 AM, Sergey Beryozkin <sberyoz...@gmail.com> wrote:

> Hi,
>
> Just one remark, the example in [1] shows "client_id"; IMHO it makes sense
> to clarify that in this context (where the assertion is used as a grant),
> it is optional as per:
>
> http://tools.ietf.org/html/rfc6749#section-3.2.1
>
> "A client MAY use the "client_id" request parameter to identify itself
>  when sending requests to the token endpoint"
>
> and otherwise
>
> http://tools.ietf.org/html/rfc6749#section-2.3
>
> dictates how the client authentication is done.
>
> By the way, my reading of the main spec's section 2.3 tells me that the
> only time one would use only "client_id" in the form payload is when the
> client secret is empty or perhaps the client is not in the possession of
> the secret.
>
> Does it make sense to completely drop a "client_id" parameter in the
> example at [1] in the assertion draft and use an example with a Basic
> authentication instead?
>
> Thanks, Sergey
>
>
> On 15/03/13 22:12, Brian Campbell wrote:
>
>> So currently the base assertion document defines scope as an HTTP
>> parameter on the access token request message when using an assertion as
>> a grant[1].  And that applies to both the SAML and JWT grants (perhaps
>> that needs to be more clear?). Also RFC 6749 defines the scope parameter
>> for the client credentials access token request[2], which similarly
>> applies to both SAML and JWT in the case of assertion client
>> authentication using the "client_credentials" grant type.
>>
>> [1] http://tools.ietf.org/html/draft-ietf-oauth-assertions-10#section-4.1
>> [2] http://tools.ietf.org/html/rfc6749#section-4.4.1
>>
>>
>> On Fri, Mar 15, 2013 at 3:43 PM, Lewis Adam-CAL022
>> <Adam.Lewis@motorolasolutions.com> wrote:
>>
>>     Right ... thinking about this further I think the answer is "all of
>>     the above."  If the JWT is a grant type then as you say it needs a
>>     scope param and optionally a client_id param.  I argued for the
>>     client_id param earlier since it could assist with HOK scenarios
>>     once those further develop.
>>
>>     But when the JWT is used as an AT then it will definitely require
>>     the scope as a claim.
>>
>>     So I change my argument to "both" :)
>>
>>     adam
>>
>>     -----Original Message-----
>>     From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On
>>     Behalf Of Sergey Beryozkin
>>     Sent: Friday, March 15, 2013 4:31 PM
>>     To: oauth@ietf.org
>>     Subject: Re: [OAUTH-WG] JWT grant_type and client_id
>>
>>     Hi
>>     On 15/03/13 20:40, Lewis Adam-CAL022 wrote:
>>      > Hi John,
>>      >
>>      > I would like to argue that the scope should be a parameter in the
>>      > access token request message, the same as it is for the RO creds
>>      > grant and client creds grant type. This would keep it consistent
>>      > with the core OAuth grant types that talk directly to the token
>>      > endpoint.
>>      >
>>     Assuming the assertion is acting as a grant, then it is indeed an
>>     access token request message, so IMHO it makes sense to get an
>>     outbound scope parameter optionally supported which I guess will
>>     imply that the client id will also have to accompany it...
>>
>>     Cheers, Sergey
>>
>>      > Thoughts?
>>      >
>>      > adam
>>      >
>>      > *From:*John Bradley [mailto:ve7...@ve7jtb.com]
>>      > *Sent:* Friday, March 15, 2013 12:10 PM
>>      > *To:* Lewis Adam-CAL022
>>      > *Cc:* Brian Campbell; WG <oauth@ietf.org>
>>      > *Subject:* Re: [OAUTH-WG] JWT grant_type and client_id
>>      >
>>      > The spec is a touch vague on that. I think the scopes should be
>>      > in the assertion and the client can use the scopes outside the
>>      > assertion to down-scope.
>>      >
>>      > Having a standard claim in JWT and SAML for passing scopes is
>>      > probably useful as part of a profile.
>>      >
>>      > John B.
>>      >
>>      > On 2013-03-14, at 8:47 PM, Lewis Adam-CAL022
>>      > <Adam.Lewis@motorolasolutions.com> wrote:
>>      >
>>      >
>>      >
>>      > Hmmm, one more thought ... no scope?? The JWT is the grant, is it
>>      > assumed that the scope is conveyed as a claim within the token?
>>      > Otherwise it would seem that it would require a scope.
>>      >
>>      > Thoughts?
>>      >
>>      > adam
>>      >
>>      > *From:*Brian Campbell [mailto:bcampbell@pingidentity.com]
>>      > *Sent:*Thursday, March 14, 2013 4:44 PM
>>      > *To:*Lewis Adam-CAL022
>>      > *Cc:*Mike Jones; WG <oauth@ietf.org>
>>      > *Subject:*Re: [OAUTH-WG] JWT grant_type and client_id
>>      >
>>      > Yes, that is correct.
>>      >
>>      > I'm working on new revisions of the drafts that will hopefully
>>      > make that point more clear.
>>      >
>>      > On Thu, Mar 14, 2013 at 5:26 PM, Lewis Adam-CAL022
>>      > <Adam.Lewis@motorolasolutions.com> wrote:
>>      >
>>      > Coming back to this... am I correct in that client_id is not
>>      > required? We are implementing this spec and want to make sure
>>      > that we are doing it right. By my understanding the only two
>>      > parameters that are required in the JWT grant type are
>>      > "urn:ietf:params:oauth:grant-type:jwt-bearer" and the assertion.
>>      > Is this correct?
>>      >
>>      > *From:*Mike Jones [mailto:Michael.Jones@microsoft.com]
>>      > *Sent:*Monday, February 18, 2013 6:58 PM
>>      > *To:*Lewis Adam-CAL022; oauth@ietf.org WG
>>      > *Subject:*RE: JWT grant_type and client_id
>>      >
>>      > The client_id value and the access token value are independent.
>>      >
>>      > -- Mike
>>      >
>>      > *From:*oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org]
>>      > *On Behalf Of*Lewis Adam-CAL022
>>      > *Sent:*Monday, February 18, 2013 2:50 PM
>>      > *To:*oauth@ietf.org WG
>>      > *Subject:*[OAUTH-WG] JWT grant_type and client_id
>>      >
>>      > Is there any guidance on the usage of client_id when using the JWT
>>      > assertion profile as a grant type? draft-ietf-oauth-jwt-bearer-04
>>      > makes no mention so I assume that it is not required ... but it
>>      > would be necessary if using in conjunction with a HOK profile where
>>      > the JWT assertion is issued to - and may only be used by - the
>>      > intended client. Obviously this is straightforward enough, really
>>      > I'm just looking to be sure that I'm not missing anything.
>>      >
>>      > tx
>>      >
>>      > adam
>>      >
>>      >
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
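As an added example (not code from this thread, nor from the assertion or JWT bearer drafts), here is a Python check of the token endpoint parameters as the thread settles them: grant_type and assertion are required, scope and client_id are optional, and client authentication is a separate matter per RFC 6749 section 2.3 (Basic header, or client_id plus client_secret in the body). Function names and the sample request values are assumptions.

```python
import base64
from urllib.parse import parse_qs

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def parse_form(body):
    """Decode an application/x-www-form-urlencoded token request body."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def basic_credentials(headers):
    """Return (client_id, client_secret) from an HTTP Basic header, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = decoded.partition(":")
    return (client_id, secret) if sep else None

def check_jwt_bearer_request(body, headers):
    """Check which parameters a JWT bearer grant token request carries.

    Required: grant_type and assertion. Optional: scope (assertions draft
    section 4.1) and client_id (RFC 6749 section 3.2.1). Client
    authentication (RFC 6749 section 2.3) is separate: a Basic header, or
    client_id plus client_secret in the body. Validating the assertion
    itself (signature, audience, expiry) is a later step not shown here.
    """
    form = parse_form(body)
    errors = []
    if form.get("grant_type") != JWT_BEARER:
        errors.append("grant_type must be " + JWT_BEARER)
    if not form.get("assertion"):
        errors.append("assertion is required")
    basic = basic_credentials(headers)
    body_id, body_secret = form.get("client_id"), form.get("client_secret")
    if basic and body_secret:
        errors.append("more than one client authentication method (RFC 6749 2.3.1)")
    if basic and body_id and body_id != basic[0]:
        errors.append("client_id in body does not match Basic credentials")
    if basic:
        auth, client_id = "basic", basic[0]
    elif body_id and body_secret:
        auth, client_id = "body", body_id
    else:  # at most identified by client_id; else identity comes from the assertion
        auth, client_id = "none", body_id
    return {"ok": not errors, "errors": errors, "auth": auth,
            "client_id": client_id, "scope": form.get("scope")}
```

A minimal request (grant_type plus assertion, no header) is accepted with auth "none", which is exactly the case the thread discusses: the client is identified by the assertion rather than by client_id.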