For introspection, we really just wanted to say "you can authenticate
the caller (client or RP) just like you would to the token endpoint". So
if you've got the means to do that with the assertion draft or with
client secrets or TLS certs or anything else, go for it. I would not
read the text of the assertions draft as restricting this other use case.
-- Justin
On 04/23/2014 12:42 PM, Mike Jones wrote:
The assertions draft is only trying to describe how to perform assertion-based
authentication at the Token Endpoint. Other drafts, such as the introspection
draft, could explicitly say that this can also be done in the same manner
there, but that's an extension, and should be specified by the extension draft,
if appropriate - not in the assertions draft.
Justin may have more to say about the applicability or lack of it to the
introspection draft, but I'm personally not familiar with it.
-- Mike
-----Original Message-----
From: OAuth [mailto:[email protected]] On Behalf Of Hannes Tschofenig
Sent: Wednesday, April 23, 2014 5:09 AM
To: [email protected]
Subject: [OAUTH-WG] Assertions: Client authentication for non-token endpoints?
Hi all,
in a discussion about re-using the client authentication part of the assertion
framework for other specifications currently in progress I ran into the
following question:
Section 6.1 of
http://tools.ietf.org/html/draft-ietf-oauth-assertions-15 talks about the
client using the assertion with the **token endpoint**.
Now, it appears that one cannot use the client authentication with other
endpoints, such as the introspection endpoint defined in
http://tools.ietf.org/html/draft-richer-oauth-introspection-04#section-2
Am I reading too much into Section 6.1 of the assertion draft?
Ciao
Hannes
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth