Dear OAuth Mailing List,
After some discussion I had, I wanted to ask you for some guidance.
For the following request:
    request_uri:     https://example.com/token
    request_method:  POST
    request_headers: {"Accept":"application/json","Authorization":"Basic bWFnaWNpZDpwb3RhdG9zZWNyZXQ=","Content-Type":"application/x-www-form-urlencoded","Content-Length":"91"}
    request_body:    grant_type=client_credentials&scope=accounts&client_id=magicid
We had some discussions about whether or not this request is a valid request, or, to be more exact, whether the client_id can be in the body.
Section 2.3.1 states:
    A client MAY use the "client_id" request parameter to identify itself when sending requests to the token endpoint.
But at the same time, in the case of a client password (2.3.1), the client_id and secret are carried in the Basic auth header as a form of authentication, as the preferred method.
But the standard states that if you choose to use the body as a form of authentication, you can omit the client_secret if the client_secret is an empty string; therefore passing only the client_id is the same as passing the client_id and an empty-string client_secret.
So the current request would, according to the spec, be interpreted as follows:
    Authentication 1) Basic auth: client_id:secret
    Authentication 2) body auth: client_id and blank secret
You can choose to use the client_id in the body with public clients, or with a confidential client (the Lloyds situation) if you choose to add the client_secret there as well and are not using the Basic auth header (this is due to spec section 2.3, which states:
    The client MUST NOT use more than one authentication method in each request.)
In short, there is no way in the spec that allows the OAuth provider to distinguish between your intention of sending the client_id again for identification and a malformed request with double authentication.
So my stance is (for now) that you cannot send a client_id when you find yourself in the client_id-with-a-corresponding-password situation.
Is that a correct statement?
And if it is not, how would that work?
And if it is, when can you send the client_id in the body but use something else for authentication (something like mTLS)?
Kind Regards
Van Oppens Tom
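The request in the post exercises exactly the ambiguity the mail raises: Basic credentials in the header plus a bare client_id in the body. Below is an added example of how a token endpoint can classify such a request, written for this reply and not code from the post's author or from any OAuth library. It enforces the quoted section 2.3 rule (reject a request that carries both Basic credentials and a body client_secret) and applies one server-side policy, stated here as an assumption rather than something the spec settles: a body client_id without a client_secret is treated as identification only and must match the Basic username. The client registry is constructed for the example; the entry for magicid uses the credentials that the post's Authorization header decodes to.

```python
import base64
import hmac
from urllib.parse import parse_qs

# Constructed registry for the example (not a real deployment). The magicid
# entry matches what the Basic header in the post decodes to.
CLIENTS = {
    "magicid": {"secret": "potatosecret", "confidential": True},
    "publicapp": {"secret": None, "confidential": False},
}


def parse_basic(header):
    """Return (client_id, secret) from an HTTP Basic Authorization header, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    client_id, secret = raw.split(":", 1)
    return client_id, secret


def _check_secret(client_id, secret, method):
    """Verify a presented secret against the registry in constant time."""
    client = CLIENTS.get(client_id)
    if client is None or not client["confidential"]:
        return "invalid_client", "unknown or public client presented a secret"
    if not hmac.compare_digest(client["secret"].encode(), secret.encode()):
        return "invalid_client", "bad secret"
    return "ok", method


def classify_client_auth(headers, body):
    """
    Decide how the client authenticated at the token endpoint.
    Returns (status, detail); status is "ok", "invalid_request" or "invalid_client".
    """
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    basic = parse_basic(headers.get("Authorization"))
    body_id = form.get("client_id")
    body_secret = form.get("client_secret")  # "" counts as a presented (empty) secret

    # RFC 6749 section 2.3: MUST NOT use more than one authentication method.
    if basic is not None and body_secret is not None:
        return "invalid_request", "both Basic credentials and client_secret in body"

    if basic is not None:
        client_id, secret = basic
        # Policy (assumption): a bare body client_id is identification only and
        # must agree with the Basic username; a mismatch is a malformed request.
        if body_id is not None and body_id != client_id:
            return "invalid_request", "client_id in body differs from Basic username"
        return _check_secret(client_id, secret, "client_secret_basic")

    if body_id is None:
        return "invalid_client", "no client identification"

    if body_secret is not None:
        return _check_secret(body_id, body_secret, "client_secret_post")

    # Only client_id in the body: fine for a public client, not for a confidential one.
    client = CLIENTS.get(body_id)
    if client is None:
        return "invalid_client", "unknown client"
    if client["confidential"]:
        return "invalid_client", "confidential client sent no credentials"
    return "ok", "public client identified by client_id"


if __name__ == "__main__":
    hdrs = {"Authorization": "Basic bWFnaWNpZDpwb3RhdG9zZWNyZXQ="}
    print(classify_client_auth(hdrs, "grant_type=client_credentials&scope=accounts&client_id=magicid"))
    print(classify_client_auth(hdrs, "grant_type=client_credentials&client_id=magicid&client_secret=potatosecret"))
```

With this policy the request from the post is accepted as client_secret_basic because the body client_id agrees with the Basic username, while adding client_secret to the body (even an empty one) trips the section 2.3 check and is rejected as invalid_request. An endpoint that instead reads a bare body client_id as an empty-secret authentication would reject the post's request; the choice between the two readings is the open question of the thread, and whichever a server picks should be documented for its clients.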