[OAUTH-WG] New Text for Sec 3.2.1 & 4.1.3

Sun, 01 Jul 2012 14:22:03 -0700 

Sec 4.1.2 states:

The authorization code is bound to the client identifier and redirection URI.

The security concern Sec 10.5 states

   If the client can be authenticated, the authorization servers MUST
   authenticate the client and ensure that the authorization code was
   issued to the same client.

Sec 3.2.1 
A public client that was not issued a client password MAY use the
   "client_id" request parameter to identify itself when sending
   requests to the token endpoint (e.g. for the purpose of providing
   end-user context, client usage statistics).

Nothing in the current spec requires that a Public client send it's client_id 
or redirect_uri to the token endpoint.
The client _id is only sent if it is a confidential client capable of 
authenticating itself.
The redirect_uri is only sent if the 'redirect_uri' parameter was included in 
the authorization request.
If the client has one registered redirect_uri it would not be sent to the 
authorization or token endpoint.

This leaves us with public clients using code flow that cannot determine if a 
token was granted to them or some other public client.


I propose changing Sec 3.2.1 to read:

A public client that was not issued a client password MUST use the
   "client_id" request parameter to identify itself when sending
   requests to the token endpoint. This allows the authorization server 
   to ensure that the code was issued to the same client.  
   Sending "client_id" prevents the client from
   inadvertently accepting a code intended for a client with a different
   "client_id".

Also change Sec 4.1.3 from:
o  authenticate the client if client authentication is included and
      ensure the authorization code was issued to the authenticated
      client,

To:
o  authenticate the client if client authentication is included,
o  ensure the authorization code was issued to the authenticated 
   confidential client or to the public client identified by the
  'client_id',


 

The Original text implies that it is a good idea to send it, but is unclear on 
what security it provides.

It is a small change that should not brake existing implementations, but will 
increase security for public clients using the code flow.

Regards
John B.

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to