Hi, I've recently been working on the doorkeeper gem which implements OAuth 2.0, in particular to improve the Client Authentication handling, and I'm noticing that the mechanisms of client_secret_basic and client_secret_post are a bit under-defined, i.e., what happens if the HTTP Authorization only includes the username part and not the password (the client_id and client_secret respectively).
The specification that defines these is https://www.rfc-editor.org/rfc/rfc7591.html#section-4.2.2, and just refers back to https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1

For client_secret_post, it looks like client_id and client_secret values are required; however, client_secret can be omitted if the secret is an empty string:

> client_secret: The client secret. The client MAY omit the parameter if the
> client secret is an empty string.

If the client_secret is omitted, isn't that just the `none` client authentication mechanism?

There doesn't seem to be language for client_secret_basic that specifies if the password part of the HTTP Basic authentication is required; the RFC simply says:

> Clients in possession of a client password MAY use the HTTP Basic
> authentication scheme as defined in [RFC2617]

Does that imply HTTP Basic authentication can only be used with client password (client_secret)?

It feels like it'd be good to get these properly specified somewhere, as the original specification in RFC 6749 is quite vague.

Thanks,
Emelia Smith

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
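As an added illustration (not doorkeeper's code and not part of the message above), here is a small Ruby extractor that labels each of the request shapes raised in the post, plus a server-side acceptance check that refuses to downgrade a confidential client to `none`; the `ClientAuth` struct, the function names and the sample credentials are assumptions.

```ruby
require "base64"
require "cgi"

# What one token-endpoint request presented as client authentication.
ClientAuth = Struct.new(:method, :client_id, :client_secret, :error, keyword_init: true)

# Extracts client credentials from a token request and names the ambiguous
# shapes discussed above. `headers` is a Hash with an optional "Authorization"
# entry; `params` is the already-decoded form body (both constructed inputs).
def extract_client_auth(headers, params)
  basic = headers["Authorization"].to_s.match(/\ABasic[ \t]+([A-Za-z0-9+\/=]+)\z/)
  # RFC 6749 sec. 2.3: a client MUST NOT use more than one method per request.
  return ClientAuth.new(error: :multiple_methods) if basic && params.key?("client_secret")

  if basic
    begin
      decoded = Base64.strict_decode64(basic[1])
    rescue ArgumentError
      return ClientAuth.new(error: :malformed_basic)
    end
    user, sep, pass = decoded.partition(":")
    # No ":" at all: a username with no password field. This is the
    # under-specified case; it is treated as neither Basic auth nor `none`.
    return ClientAuth.new(error: :basic_without_password) if sep.empty?
    # RFC 6749 sec. 2.3.1: both halves are form-urlencoded before Base64.
    id, secret = CGI.unescape(user), CGI.unescape(pass)
    return ClientAuth.new(error: :empty_client_id) if id.empty?
    return ClientAuth.new(method: :client_secret_basic, client_id: id, client_secret: secret)
  end

  id = params["client_id"].to_s
  return ClientAuth.new(error: :no_client_id) if id.empty?
  if params.key?("client_secret")
    return ClientAuth.new(method: :client_secret_post, client_id: id,
                          client_secret: params["client_secret"].to_s)
  end
  # client_id only: this is the `none` method, and the server must not assume
  # a confidential client merely forgot its secret.
  ClientAuth.new(method: :none, client_id: id)
end

# Server policy (assumed): accept only the method the client registered with
# (token_endpoint_auth_method, RFC 7591) and never an empty secret for a
# confidential client; a client whose secret is "" belongs under `none`.
def client_auth_acceptable?(auth, registered_method)
  return false if auth.error
  case registered_method
  when "none" then auth.method == :none
  when "client_secret_basic", "client_secret_post"
    auth.method.to_s == registered_method && !auth.client_secret.to_s.empty?
  else false
  end
end
```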