In Connect the AS may support a number of token endpoint authentication methods. The reason to allow a client to register using a particular one is to prevent downgrade attacks.
If the client wants to always use an asymmetric signature you don't want to allow attackers to use weaker methods like http basic. So a server may support any number of methods, but it is reasonable for a client to specify which one it is going to use. In a closed system that may not be that useful but in a open system where the AS has a looser relationship to the client it is important. John B. On 2013-04-24, at 7:30 PM, Phil Hunt <[email protected]> wrote: > Hmmm… what was the objective or use case for having the client being able to > choose in the first place? > > It seems to me that the AS will make a decision based on many factors. As you > say, there isn't any other place that enumerates the various [authn] methods > a client can use to access the token endpoint. So, why do it? > > Phil > > @independentid > www.independentid.com > [email protected] > > > > > > On 2013-04-24, at 2:07 PM, Justin Richer wrote: > >> Seems reasonable to me, can you suggest language to add in the capability? >> Would it require an IANA registry? Right now there isn't any other place >> that enumerates the various methods that a client can use to access the >> token endpoint. >> >> -- Justin >> >> On 04/24/2013 04:17 PM, Phil Hunt wrote: >>> For parameters to token_endpoint_auth_method, the spec has defined >>> "client_secret_jwt" and "private_key_jwt". Shouldn't there be similar >>> options of SAML? >>> >>> Shouldn't there be an extension point for other methods? >>> >>> Phil >>> >>> @independentid >>> www.independentid.com >>> [email protected] >>> >>> >>> >>> >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> [email protected] >>> https://www.ietf.org/mailman/listinfo/oauth >> > > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
