It is intended for confidential clients. In 2 it states that you may encrypt the JWT.
If asymmetric authentication using the assertion profile is used, the registration endpoint would put the client's public key in the JWT and would not need to encrypt it. I expect that encrypting the JWT with integrity (AES+HMAC) would be a good solution for clients using symmetric secrets. The exact method for doing this can be determined by the AS; as it is a token from the AS to the AS, there are no interoperability issues in the symmetric case.

In the case of a client using asymmetric assertion profile authentication, it is possible that the registration endpoint is not tightly coupled to the registration endpoint. A single registration endpoint could issue stateless client_ids that are accepted and verified by multiple AS. In this case the format of the JWT needs standardization for interoperability.

John B.

On 2013-10-15, at 6:06 AM, Pedro Felix <pmhsfe...@gmail.com> wrote:

> Hi,
>
> Is this applicable to public (non-confidential) clients only? For
> confidential clients, the verification of the client_secret doesn't seem to
> be addressed by this proposal (token endpoint interactions).
> We could however extend it to address this scenario, namely by using
> encrypted JWTs with client_secret verification information.
>
> Thanks
> Pedro
>
> On Tue, Oct 15, 2013 at 1:01 AM, John Bradley <ve7...@ve7jtb.com> wrote:
> A new version of I-D, draft-bradley-stateless-oauth-client-00.txt
> has been successfully submitted by John Bradley and posted to the
> IETF repository.
>
> Filename: draft-bradley-stateless-oauth-client
> Revision: 00
> Title: Stateless Client Identifier for OAuth 2
> Creation date: 2013-10-15
> Group: Individual Submission
> Number of pages: 4
> URL: http://www.ietf.org/internet-drafts/draft-bradley-stateless-oauth-client-00.txt
> Status: http://datatracker.ietf.org/doc/draft-bradley-stateless-oauth-client
> Htmlized: http://tools.ietf.org/html/draft-bradley-stateless-oauth-client-00
>
> Abstract:
> This draft provides a method for communicating information about an
> OAuth client through its client identifier allowing for fully
> stateless operation.
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
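The symmetric-secret case John describes above, where the client_id is itself a token the AS issues to itself, AES-encrypted and HMAC-protected, and which carries client_secret verification information as Pedro suggests, as an added example in Go that is not part of the draft or of anyone's code in this thread. Everything in it is an assumption chosen for illustration: the "A256CTR-HS256" label is this example's own, not a registered JOSE enc value; the two keys are derived from a constructed master secret with a plain SHA-256 (a real AS would use HKDF and a key store); the metadata fields, the sample client and its secret are made up. The asymmetric, multi-AS case John mentions, where a signed JWT carrying the client's public key would need a standardized format, is not covered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed AS master secret; AES and HMAC keys are derived from it with a
// plain SHA-256 for brevity (a real AS would use HKDF and a key store).
const masterSecret = "stateless-client-id-demo-master-secret"

func deriveKey(label string) []byte { s := sha256.Sum256([]byte(masterSecret + "|" + label)); return s[:] }

var encKey, macKey = deriveKey("enc"), deriveKey("mac") // 32 bytes each: AES-256 and HMAC-SHA256

// AS-private header: "A256CTR-HS256" is this example's own label, not a registered JOSE enc value.
const header = `{"alg":"dir","enc":"A256CTR-HS256","kid":"as-key-1"}`

// ClientMeta is the registration data the AS folds into the client_id.
type ClientMeta struct {
	ClientName   string   `json:"client_name"`
	RedirectURIs []string `json:"redirect_uris"`
	SecretHash   string   `json:"client_secret_hash"` // hex SHA-256 of the secret, never the secret itself
	IssuedAt     int64    `json:"iat"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// HashSecret is the client_secret verifier that goes into the token.
func HashSecret(secret string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(secret))) }

// tag is HMAC-SHA256 over the encoded header and iv||ciphertext (encrypt-then-MAC).
func tag(encHeader string, body []byte) []byte {
	mac := hmac.New(sha256.New, macKey)
	mac.Write([]byte(encHeader)) // binds alg/kid to the body
	mac.Write(body)
	return mac.Sum(nil)
}

// IssueClientID (registration endpoint): AES-256-CTR under a random IV, then HMAC.
// Output is b64url(header).b64url(iv||ct).b64url(tag).
func IssueClientID(meta ClientMeta) (string, error) {
	plaintext, err := json.Marshal(meta)
	if err != nil {
		return "", err
	}
	block, _ := aes.NewCipher(encKey) // 32-byte key, cannot fail
	body := make([]byte, aes.BlockSize+len(plaintext))
	if _, err := rand.Read(body[:aes.BlockSize]); err != nil {
		return "", err
	}
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(body[aes.BlockSize:], plaintext)
	h := b64([]byte(header))
	return h + "." + b64(body) + "." + b64(tag(h, body)), nil
}

// ParseClientID (token/authorization endpoint): check the tag in constant time
// first; decrypt and decode only if it matches.
func ParseClientID(clientID string) (ClientMeta, error) {
	var meta ClientMeta
	parts := strings.Split(clientID, ".")
	if len(parts) != 3 || parts[0] != b64([]byte(header)) {
		return meta, fmt.Errorf("client_id: malformed or unknown header")
	}
	body, err1 := base64.RawURLEncoding.DecodeString(parts[1])
	got, err2 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || len(body) < aes.BlockSize {
		return meta, fmt.Errorf("client_id: bad encoding")
	}
	if !hmac.Equal(tag(parts[0], body), got) {
		return meta, fmt.Errorf("client_id: HMAC mismatch (tampered, or not issued by this AS)")
	}
	block, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(pt, body[aes.BlockSize:])
	if err := json.Unmarshal(pt, &meta); err != nil {
		return meta, err
	}
	return meta, nil
}

// VerifyClientSecret compares the presented secret's hash in constant time.
func VerifyClientSecret(meta ClientMeta, presented string) bool {
	return subtle.ConstantTimeCompare([]byte(meta.SecretHash), []byte(HashSecret(presented))) == 1
}

// FlipBodyBit flips one ciphertext bit; the HMAC check must reject the result.
func FlipBodyBit(clientID string) string {
	parts := strings.Split(clientID, ".")
	body, _ := base64.RawURLEncoding.DecodeString(parts[1])
	body[len(body)-1] ^= 0x01
	return parts[0] + "." + b64(body) + "." + parts[2]
}

func main() { // constructed sample client
	meta := ClientMeta{ClientName: "Example App", RedirectURIs: []string{"https://app.example/cb"},
		SecretHash: HashSecret("s3cret"), IssuedAt: 1381795200}
	id, _ := IssueClientID(meta)
	got, err := ParseClientID(id)
	fmt.Println(id, "\nparsed:", got.ClientName, err, "secret ok:", VerifyClientSecret(got, "s3cret"))
	_, err = ParseClientID(FlipBodyBit(id))
	fmt.Println("tampered:", err)
}
```

The tag covers the header as well as the IV and ciphertext and is checked with hmac.Equal before anything is decrypted, so a client_id altered in transit, or minted under some other key, is rejected without the plaintext ever being touched. The client_secret is carried only as a hash, so even a leaked AS encryption key does not hand out client secrets directly, and the comparison at the token endpoint is constant-time. Because the IV is random, registering the same metadata twice yields two different client_id strings; that is harmless here, since each one is self-describing and the AS keeps no table to reconcile them.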