On Thu, Sep 26, 2019 at 9:30 AM Aaron Parecki <aa...@parecki.com> wrote:
> > Depending on client type and authentication method, the request might
> > also include the "client_id" parameter.
>
> I assume this is hinting at the difference between public clients
> sending only the "client_id" parameter and confidential clients
> sending only the HTTP Basic Authorization header which includes both
> the client ID and secret? It would probably be helpful to call out
> these two common examples if I am understanding this correctly,
> otherwise it seems pretty vague.

What this is trying to convey is that because client authentication at this Pushed Authorization Request Endpoint happens the same way as at the token endpoint (and other endpoints called directly by the client), the client_id parameter will sometimes be present but not necessarily, as some types of client auth use the client_id parameter (none, client_secret_post, tls_client_auth, self_signed_tls_client_auth) and some don't (client_secret_basic, client_secret_jwt, private_key_jwt).

Although the draft does later say "The AS MUST validate the request the same way as at the authorization endpoint", which I think could reasonably be interpreted as requiring client_id. e.g., https://tools.ietf.org/html/rfc6749?#section-4.1.1 & https://tools.ietf.org/html/rfc6749?#section-4.2.1

So perhaps the sentence in question should be removed and have client_id be a required parameter at the PAR endpoint.
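The distinction discussed in this thread (client_id sometimes arriving as a form parameter, sometimes only inside the HTTP Basic credentials, and sometimes only inside a client assertion) is what an authorization server has to untangle before it can validate a pushed authorization request. The following is an added illustration, not code from the PAR draft or from any authorization server: a hypothetical `resolve_client_id` helper that derives the client identifier from whichever authentication method the client used, rejects a duplicated `client_id` parameter, and rejects a body `client_id` that disagrees with the Basic credentials. The sample client identifier and secret are constructed for the example; the Basic-credential format follows RFC 6749 section 2.3.1.

```python
import base64
import binascii
from urllib.parse import parse_qs, unquote


class InvalidClientRequest(Exception):
    """Raised when the client's identity cannot be established from the request."""


def _client_id_from_basic(header_value):
    """Extract client_id from 'Basic base64(client_id:client_secret)'.

    Returns None when the header does not carry Basic credentials.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        raise InvalidClientRequest("malformed Basic credentials")
    client_id, sep, _secret = decoded.partition(":")
    if not sep or not client_id:
        raise InvalidClientRequest("malformed Basic credentials")
    # RFC 6749 2.3.1: client_id is form-urlencoded before being base64-encoded.
    return unquote(client_id)


def resolve_client_id(headers, body):
    """Return (client_id, auth_method) for a PAR- or token-endpoint-style request.

    headers: dict of HTTP header name -> value
    body:    raw application/x-www-form-urlencoded request body
    """
    form = parse_qs(body, keep_blank_values=True)

    # RFC 6749 section 3.1: parameters MUST NOT be included more than once.
    body_ids = form.get("client_id", [])
    if len(body_ids) > 1:
        raise InvalidClientRequest("client_id sent more than once")
    body_id = body_ids[0] if body_ids else None

    auth = headers.get("Authorization")
    header_id = _client_id_from_basic(auth) if auth else None

    # A client_id in the body that contradicts the Basic credentials is rejected
    # rather than silently preferring one source.
    if header_id and body_id and header_id != body_id:
        raise InvalidClientRequest("client_id in body does not match Basic credentials")

    if header_id:
        return header_id, "client_secret_basic"
    if body_id:
        if "client_secret" in form:
            return body_id, "client_secret_post"
        if "client_assertion" in form:
            return body_id, "client_assertion"
        return body_id, "none"
    if "client_assertion" in form:
        # private_key_jwt / client_secret_jwt without client_id: the identifier
        # lives in the assertion's iss/sub claims and is only trustworthy after
        # signature verification, which is outside this example.
        raise InvalidClientRequest("client_id absent; verify the client assertion first")
    raise InvalidClientRequest("no client identification present")


# Constructed sample credentials for the example (not real values).
SAMPLE_CLIENT_ID = "s6BhdRkqt3"
BASIC_HEADER = "Basic " + base64.b64encode(
    (SAMPLE_CLIENT_ID + ":7Fjfp0ZBr1KtDRbnfVdmIw").encode("ascii")
).decode("ascii")


if __name__ == "__main__":
    print(resolve_client_id({"Authorization": BASIC_HEADER}, "response_type=code"))
    print(resolve_client_id({}, "client_id=s6BhdRkqt3&client_secret=x&response_type=code"))
    print(resolve_client_id({}, "client_id=s6BhdRkqt3&response_type=code"))
```

The helper returns the identifier together with the method it was inferred from, so the caller can check the result against the client's registered `token_endpoint_auth_method` before it treats the pushed request as authenticated.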