Hi all, I was exploring the topic of client authentication in various RFCs. A few things are not 100% clear to me, I would be interested to get your feedback.
RFC7591 sets up the registry for client authentication methods on the token endpoint and adds:
- none
- client_secret_basic (RFC2617)
- client_secret_post (RFC6749)

I don’t understand why that registry seems limited to the token endpoint. Client authentication also applies to other protected (OAuth) endpoints such as token introspection, so it makes sense to have a generic (OAuth) client authentication method registry.

OIDC specs indicate a few more:
- client_secret_jwt
- private_key_jwt

Is my understanding correct that client_secret_jwt refers to the same client authentication method as described in https://tools.ietf.org/html/rfc7523#section-2.2?

Furthermore there is RFC6750, which suggests 3 client authentication mechanisms which are not included in the registry:
- Bearer / authorisation request header
- bearer / URI query parameter
- bearer / form encoded body parameter

For example, RFC7662 suggests using the “bearer / authorisation request header” mechanism as the client authentication/authorisation mechanism. Any reason why this was not done?

Thanks in advance for any related feedback,
regards, Jaap Francke
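Added example, not code from the post or from any of the RFCs it cites, showing in Python how the registered methods listed above differ on the wire: client_secret_basic puts the secret in an HTTP Basic header (RFC 6749 section 2.3.1), client_secret_post sends it as body parameters, client_secret_jwt sends an RFC 7523 section 2.2 assertion HMAC-signed with the secret (with the server-side check a token or introspection endpoint would run), and the RFC 6750 header scheme that RFC 7662 reuses. Client ids, secrets and the token endpoint URL are made-up values.

```python
import base64, hashlib, hmac, json, time, uuid
from urllib.parse import quote_plus

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def client_secret_basic_header(client_id, client_secret):
    """client_secret_basic: HTTP Basic (RFC 2617) over form-urlencoded id:secret, RFC 6749 2.3.1."""
    creds = f"{quote_plus(client_id)}:{quote_plus(client_secret)}".encode()
    return {"Authorization": "Basic " + base64.b64encode(creds).decode()}

def client_secret_post_params(client_id, client_secret):
    """client_secret_post: credentials as request body parameters (RFC 6749 2.3.1 alternative)."""
    return {"client_id": client_id, "client_secret": client_secret}

def client_secret_jwt_params(client_id, client_secret, token_endpoint, now=None, jti=None):
    """client_secret_jwt: RFC 7523 2.2 assertion, HMAC-SHA256 over the client secret.
    now/jti are injectable so the result is reproducible; constructed values in tests."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,   # iss == sub == client
              "jti": jti or uuid.uuid4().hex, "iat": now, "exp": now + 60}  # short-lived, unique
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return {"client_assertion_type": JWT_BEARER,
            "client_assertion": signing_input + "." + _b64url(sig)}

def verify_client_secret_jwt(assertion, client_secret, expected_aud, now=None):
    """Server side: pin the algorithm, check the MAC in constant time, then aud, exp and iss == sub."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = assertion.split(".")
        header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
    except ValueError:
        return False
    if not (isinstance(header, dict) and isinstance(claims, dict) and header.get("alg") == "HS256"):
        return False                                   # never let the token pick the algorithm
    expected = hmac.new(client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), s):
        return False
    return (claims.get("aud") == expected_aud and claims.get("exp", 0) > now
            and claims.get("iss") == claims.get("sub"))

def bearer_header(access_token):
    """RFC 6750 header scheme, which RFC 7662 reuses to protect the introspection endpoint."""
    return {"Authorization": "Bearer " + access_token}
```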
OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
