+1

to using the same client authn method as for the /token endpoint

On 3/11/19 12:31 PM, Brian Campbell wrote:


On Mon, Mar 11, 2019 at 10:22 AM Filip Skokan <[email protected] <mailto:[email protected]>> wrote:

    Strike that, it should maybe just use the registered auth method
    for the token endpoint?


Yeah, that's what I'd think would be the way to go.


    If there's auth we should also make it clear that client_id should
    not be omitted from the request body and it must be the same as
    the one provided with client authentication.


Fair point.


    S pozdravem,
    *Filip Skokan*


    On Mon, 11 Mar 2019 at 17:14, Filip Skokan <[email protected]
    <mailto:[email protected]>> wrote:

        If we're about to add client authentication for the
        device_authorization_endpoint, i'd say we should also register
        for device_authorization_endpoint_auth_method,
        device_authorization_endpoint_auth_signing_alg client
        metadata. Maybe define the default value to be "none" / not
        provided to be in line with the late draft implementations. Wdyt?

        S pozdravem,
        *Filip Skokan*


        On Mon, 11 Mar 2019 at 17:08, Brian Campbell
        <[email protected]
        <mailto:[email protected]>> wrote:

            I do realize it's very late in the process for this
            document but believe these omissions can be addressed in
            the document with only minor changes/additions and that
            it'd be better late than not at all..

            On Mon, Mar 11, 2019 at 10:03 AM Brian Campbell
            <[email protected]
            <mailto:[email protected]>> wrote:

                Another omission[1] (maybe, I believe it is anyway) to
                the Device Flow is that client authentication isn't
                defined for the device authorization request to device
                authorization endpoint.

                I suspect that it's largely an oversight because
                public clients are really the conical use-case for the
                device flow and no authentication is needed or
                possible in that case. There are, however, likely to
                be cases where a client with credentials will do the
                device flow and it would be good for the AS to be able
                to properly authenticate such clients before setting
                up and saving the state for the transaction. Having
                normal client authentication at device authorization
                endpoint also brings better consistency to client
                identification/authentication for requests made
                directly from client to AS.


                [1] error responses from the device authorization
                endpoint should probably also be defined
                
https://mailarchive.ietf.org/arch/msg/oauth/DMTUR1msdNQPiLh0xVXe39933k4



            /CONFIDENTIALITY NOTICE: This email may contain
            confidential and privileged material for the sole use of
            the intended recipient(s). Any review, use, distribution
            or disclosure by others is strictly prohibited...  If you
            have received this communication in error, please notify
            the sender immediately by e-mail and delete the message
            and any file attachments from your computer. Thank
            you./_______________________________________________
            OAuth mailing list
            [email protected] <mailto:[email protected]>
            https://www.ietf.org/mailman/listinfo/oauth

    _______________________________________________
    OAuth mailing list
    [email protected] <mailto:[email protected]>
    https://www.ietf.org/mailman/listinfo/oauth


/CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you./

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

--
Identity Standards Architect
Verizon Media                     Work: [email protected]
Mobile: +1-703-462-3494           Twitter: http://twitter.com/gffletch
Office: +1-703-265-2544           Photos: http://georgefletcher.photography

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to