Richer, Justin P. [mailto:jric...@mitre.org]
> Sent: Friday, August 19, 2011 4:56 AM
> To: Eran Hammer-Lahav; Lu, Hui-Lan (Huilan); Brian Campbell
> Cc: oauth
> Subject: RE: [OAUTH-WG] treatment of client_id for authentication and
> identification
>
> I find the or
Subject: Re: [OAUTH-WG] treatment of client_id for authentication and
identification
> -Original Message-
> From: Lu, Hui-Lan (Huilan) [mailto:huilan...@alcatel-lucent.com]
> Sent: Thursday, August 18, 2011 1:45 PM
> To: Eran Hammer-Lahav; Brian Campbell
> Cc: oauth
> Subj
> Cc: oauth
> Subject: Re: [OAUTH-WG] treatment of client_id for authentication and
> identification
>
> > > It is difficult to parse the last sentence of 3.2.1: "The security
> > > ramifications of
> > > allowing unauthenticated access by public clients to
> > It is difficult to parse the last sentence of 3.2.1: "The security
> > ramifications of
> > allowing unauthenticated access by public clients to the token endpoint
> > MUST be considered, as well as the issuance of refresh tokens to public
> > clients, their scope, and lifetime."
> >
> > I thi
FWIW, I was okay with the text EHL had originally proposed for 21.
>> > client_secret
>> > REQUIRED. The client secret. The client MAY omit the
>> > parameter if the client secret
>> > is an empty string.
>>
>> I would suggest rewording the above as follows:
>> clie
> -Original Message-
> From: Lu, Hui-Lan (Huilan) [mailto:huilan...@alcatel-lucent.com]
> Sent: Thursday, August 18, 2011 1:45 PM
> To: Eran Hammer-Lahav; Brian Campbell
> Cc: oauth
> Subject: RE: [OAUTH-WG] treatment of client_id for authentication and
> identifica
Eran Hammer-Lahav wrote:
> Added to 2.4.1:
>
> client_secret
> REQUIRED. The client secret. The client MAY omit the
> parameter if the
> client secret
> is an empty string.
I would suggest rewording the above as follows:
client_secret
REQUIRED unless it i
> Subject: Re: [OAUTH-WG] treatment of client_id for authentication and
> identification
>
> I would be very much in favor of that addition/clarification.
>
> On Thu, Jul 28, 2011 at 9:20 AM, Eran Hammer-Lahav
> wrote:
> >
> > [...] and I can also add a short
..@hueniverse.com>>, oauth
mailto:oauth@ietf.org>>
Subject: Re: [OAUTH-WG] treatment of client_id for authentication and
identification
+1
Am 28.07.2011 15:10, schrieb Brian Campbell:
I would be very much in favor of that addition/clarification.
On Thu, Jul 28, 2011 at 9:20 A
+1
Am 28.07.2011 15:10, schrieb Brian Campbell:
I would be very much in favor of that addition/clarification.
On Thu, Jul 28, 2011 at 9:20 AM, Eran Hammer-Lahav wrote:
[...] and I can also add a short note that public clients may use
the client_id for the purpose of identification with the to
I would be very much in favor of that addition/clarification.
On Thu, Jul 28, 2011 at 9:20 AM, Eran Hammer-Lahav wrote:
>
> [...] and I can also add a short note that public clients may use
> the client_id for the purpose of identification with the token endpoint.
> EHL
>
bject: Re: [OAUTH-WG] treatment of client_id for authentication and
identification
the client_id parameter had been added to the token endpoint in -16. As far as
I remember, the reason was to properly separate client identification and
authentication in order to support further client authenti
tors...@lodderstedt.net>>
Date: Wed, 27 Jul 2011 15:21:16 -0700
To: Brian Campbell <mailto:bcampb...@pingidentity.com>>
Cc: Eran Hammer-lahav <mailto:e...@hueniverse.com>>, oauth <mailto:oauth@ietf.org>>
Subject: Re: [OAUTH-WG] treatment of client_id for authent
g>>
Subject: Re: [OAUTH-WG] treatment of client_id for authentication and
identification
I think that would be helpful, thanks.
On Wed, Jul 27, 2011 at 12:43 PM, Eran Hammer-Lahav
mailto:e...@hueniverse.com>> wrote:
If you want, we can tweak section 2.4.1 to make client_secret
Eran Hammer-lahav mailto:e...@hueniverse.com>>, oauth
mailto:oauth@ietf.org>>
Subject: Re: [OAUTH-WG] treatment of client_id for authentication and
identification
I personally think that would be more confusing than just adding the
client_id parameter to the token endpoint request (independe
I personally think that would be more confusing than just adding the
client_id parameter to the token endpoint request (independent of client
authentication credentials).
Am 27.07.2011 18:17, schrieb Brian Campbell:
I think that would be helpful, thanks.
On Wed, Jul 27, 2011 at 12:43 PM, Era
I think that would be helpful, thanks.
On Wed, Jul 27, 2011 at 12:43 PM, Eran Hammer-Lahav wrote:
>
> If you want, we can tweak section 2.4.1 to make client_secret optional if
> the secret is the empty string. That will give you exactly what you want
> without making the document any more confus
From: Torsten Lodderstedt
mailto:tors...@lodderstedt.net>>
Date: Wed, 27 Jul 2011 10:38:36 -0700
To: Eran Hammer-lahav mailto:e...@hueniverse.com>>
Cc: Brian Campbell
mailto:bcampb...@pingidentity.com>>, oauth
mailto:oauth@ietf.org>>
Subject: Re: [OAUTH-WG] treatment of client
dt <mailto:tors...@lodderstedt.net>>
Date: Wed, 27 Jul 2011 10:38:36 -0700
To: Eran Hammer-lahav mailto:e...@hueniverse.com>>
Cc: Brian Campbell <mailto:bcampb...@pingidentity.com>>, oauth <mailto:oauth@ietf.org>>
Subject: Re: [OAUTH-WG] treatment of client_id for authenticati
a
> client there must be a way to relate this token to a certain client in order
> to give the user a chance to revoke this specific token.
>
> regards,
> Torsten.
>
>
> Hope this helps.
> EHL
>
> From: Brian Campbell
> Date: Wed, 27 Jul 2011 04:32:42 -0700
27 Jul 2011 10:38:36 -0700
To: Eran Hammer-lahav mailto:e...@hueniverse.com>>
Cc: Brian Campbell
mailto:bcampb...@pingidentity.com>>, oauth
mailto:oauth@ietf.org>>
Subject: Re: [OAUTH-WG] treatment of client_id for authentication and
identification
Am 27.07.2011 12:08, schrie
To: Eran Hammer-lahav mailto:e...@hueniverse.com>>
Cc: oauth mailto:oauth@ietf.org>>
Subject: Re: [OAUTH-WG] treatment of client_id for
authentication and
identification
I'm probably somewhat biased by having read previous version
of t
lto:bcampb...@pingidentity.com>>
Date: Wed, 27 Jul 2011 04:32:42 -0700
To: Eran Hammer-lahav mailto:e...@hueniverse.com>>
Cc: oauth mailto:oauth@ietf.org>>
Subject: Re: [OAUTH-WG] treatment of client_id for authentication and
identification
Okay, looking at some of those drafts ag
the token endpoint.
> I think the current text is sufficient, but if you want to provide specific
> additions I'm open to it.
> EHL
> From: Brian Campbell
> Date: Tue, 26 Jul 2011 10:16:21 -0700
> To: Eran Hammer-lahav
> Cc: oauth
> Subject: Re: [OAUTH-WG] tre
r-lahav mailto:e...@hueniverse.com>>
Cc: oauth mailto:oauth@ietf.org>>
Subject: Re: [OAUTH-WG] treatment of client_id for authentication and
identification
I'm probably somewhat biased by having read previous version of the
spec, previous WG list discussions, and my current AS implementat
I'm probably somewhat biased by having read previous version of the
spec, previous WG list discussions, and my current AS implementation
(which expects client_id) but this seems like a fairly big departure
from what was in -16. I'm okay with the change but feel it's worth
mentioning that it's like
> -Original Message-
> From: Brian Campbell [mailto:bcampb...@pingidentity.com]
> Sent: Monday, July 25, 2011 10:39 AM
> To: Eran Hammer-Lahav
> Cc: oauth
> Subject: Re: [OAUTH-WG] treatment of client_id for authentication and
> identification
>
> I'm as
-
>> From: Brian Campbell [mailto:bcampb...@pingidentity.com]
>> Sent: Monday, July 25, 2011 9:28 AM
>> To: Eran Hammer-Lahav
>> Cc: oauth
>> Subject: Re: [OAUTH-WG] treatment of client_id for authentication and
>> identification
>>
>> How should HTTP
onday, July 25, 2011 9:28 AM
> To: Eran Hammer-Lahav
> Cc: oauth
> Subject: Re: [OAUTH-WG] treatment of client_id for authentication and
> identification
>
> How should HTTP Basic be used for a client not in possession of a client
> secret?
>
>
>
> On Mon, Jul 2
>> Sent: Monday, July 25, 2011 7:02 AM
>> To: oauth
>> Subject: [OAUTH-WG] treatment of client_id for authentication and
>> identification
>>
>> I need to revisit a question that came up about two months ago. I thought I
>> had a clear understanding of wh
nal Message-
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Brian Campbell
> Sent: Monday, July 25, 2011 7:02 AM
> To: oauth
> Subject: [OAUTH-WG] treatment of client_id for authentication and
> identification
>
> I need to revisit a question th
I need to revisit a question that came up about two months ago. I
thought I had a clear understanding of when client_id was and wasn't
included in access token requests but drafts 18/19 seemed to have
changed things (or my understanding of 16 was wrong).
The question is, when is client_id a requi