+1 to Brian. I would like to point out that listing the participant in the protocol message and the authentication of the message sender is an entirely different thing. I see no problems in duplicating client_id in body and header. Of course, they have to match and must fail the authentication if they do not, but this should not be a problem. In fact, it may even be desirable for the message body to have self-contained references to the participants in the authentication protocol as shown in [1]. In such a case, it will necessarily duplicate in case of the basic authentication.
[1] Basin, D., Cremers, C., Meier, S.: Provably Repairing the ISO/IEC 9798 Standard for Entity Authentication. Journal of Computer Security - Security and Trust Principles archive Volume 21 Issue 6, 817-846 (2013) Best, --- Nat Sakimura On Thu, Jan 25, 2018 at 11:28 PM Brian Campbell <[email protected]> wrote: > Hi Tom, > > Indeed RFC 6749 is not well written with respect to this situation and > unfortunately leaves some room for varied interpretations. However, in my > own not entirely uninformed view having worked on this stuff for awhile > now, it is erroneous to interpret the presence of the client_id parameter > in the request body as client_secret_post authentication when there is no > corresponding client_secret parameter. As you alluded to, there are other > types of client authentication that explicitly allow (JWT > <https://tools.ietf.org/html/rfc7521>, SAML > <https://tools.ietf.org/html/rfc7522>, and their base spec > <https://tools.ietf.org/html/rfc7521#section-4.2>) or require (MTLS > <https://tools.ietf.org/html/draft-ietf-oauth-mtls-06>) the client_id > parameter and the OIDC core spec even has an example of the client_id > parameter in the body > <http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication> > when doing JWT client auth. If client_id with no client_secret in the > request body actually implies client_secret_post, then those RFCs (one soon > to be RFC) and OIDF standards are all contradicting OAuth 2.0 /RFC 6749. > Those supplementary standards as well as widespread > implementations/deployments in practice should, I believe, be considered > more authoritative than one particular implementation's problematic (in > terms of interoperability) interpretation of a not particularly well > written area of the OAuth spec. > > The problematic text from > https://tools.ietf.org/html/rfc6749#section-2.3.1 says that "the client > MAY omit the [client_secret] parameter if the client secret is an empty > string" so it would only really be reasonable for an AS to reject a request > as having two client authentication methods in the case that it issued a > client the empty string as a client secret (not a public client but a > client with an empty string as its actual secret), which should never > happen in practice, and that client sent both a basic authorization header > without a password and a client_id without a client_secret in the body. > That's one way to read it anyway. And regardless that text in Sec 2.3.1 is > problematic and should probably be updated with an errata on RFC 6749 to > get rid of the text about empty string password and just state that the > client_secret parameter is required when doing client_secret_post > authentication. Unfortunately the errata often get overlooked but it'd > still be good to have that fixed somewhere and a published RFC can't be > changed so errata is the only real option to document the actual intent of > the original specification. > > The presence of the client_secret parameter should be the only thing that > implies client_secret_post authentication. > > If a client_id parameter is present in conjunction with some client > authentication mechanism, then both must refer to the same client. > > > > > On Wed, Jan 24, 2018 at 3:19 AM, Tom Van Oppens <[email protected] > > wrote: > >> Dear Oauth Mailing List >> >> After some discussion i had i wanted to ask you for some guidance. >> >> For the following request >> >> *request_uri* >> https://example.com/token >> * request_method* >> POST >> * request_headers* >> {"Accept":"application/json","Authorization":"Basic >> bWFnaWNpZDpwb3RhdG9zZWNyZXQ=","Content-Type":"application/x-www-form-urlencoded","Content-Length":"91"} >> * request_body* >> grant_type=client_credentials&scope=accounts&client_id=magicid >> >> We had some discussions whether or not this request is a valid request, >> to be more exact wether the clientid can be in the body. >> Section 2.3.1 states >> *A client MAY use the "client_id" request parameter to identify itself >> when sending requests to the token endpoint. * >> >> But at the same time in the case of a client password (2.3.1) >> The clientid and secret are carried in the basic auth header as a form of >> authentication as a preferred method , >> But the standard states that if you choose to use the body as a form of >> authentication that if you can ommit the clientsecret the clientsecret is >> an empty string, therefore passing only the client_id is the same as >> passing the client_id and an empty string clientsecret . >> >> So the current request would be according to the spec interpreted as >> follows >> Authentication 1) basic auth cleintid:secret >> Authentication 2) body auth clientd and blank secret >> >> You can choose to use the client_id in the body with public clients or in >> the confidential client (the Lloyds situation) if you choose to add the >> clientsecret there as well and are not using the basic auth header (this is >> due to spec section 2.3 which states >> *The client MUST NOT use more than one authentication method in each >> request. * >> >> In short there is no way in the spec that allows for the oauth provider >> to distinguish between your intention of sending in the client_id again for >> identification and a malformed request with double authentication. >> >> >> So my stance is (for now) that you cannot send a clientid when you find >> yourself in the clientid with a corresponding password situation. >> Is that a correct statement ? >> and if it is not how would that work ? >> and if it is, when can you send the clientid in the body but use >> something else for authentication (something like mtls ?) ? >> >> Kind Regards >> Van Oppens Tom >> >> Tenzij hierboven anders aangegeven: / Sauf indication contraire >> ci-dessus: / Unless otherwise stated above: >> >> International Business Machines of Belgium sprl / bvba >> Siège social / Maatschappelijke zetel: Avenue du Bourget 42 Bourgetlaan, >> B-1130 Bruxelles/Brussel >> N° d'entreprise / Ondernemingsnr: TVA / BTW BE 0405 912 336 >> RPM Bruxelles / RPR Brussel >> _______________________________________________ >> OAuth mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/oauth >> >> > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.*_______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth > -- Nat Sakimura Chairman of the Board, OpenID Foundation
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
