+1
Phil
> On Nov 4, 2016, at 6:11 PM, John Bradley wrote:
>
> I can easily see Research and education publishing self signed certs in
> meta-data that is then used for client authentication and other things.
> I don’t want to limit this to only CA issued certs where the client_id is in
> the
I can easily see Research and education publishing self signed certs in
meta-data that is then used for client authentication and other things.
I don’t want to limit this to only CA issued certs where the client_id is in
the DN. Client_id tend not to be domain names currently.
Looking up a raw
few little things inline...
On Thu, Nov 3, 2016 at 6:41 AM, Justin Richer wrote:
> I agree that the client_id is unlikely to be found inside the certificate
> itself. The client_id is issued by the authorization server for the client
> to use at that single AS. The certificate is issued by the C
You could also sign the client_id with your private cert and send it
like normal OAuth requests...
But I like the idea of mapping the client_id server-side to the cert as
well.
Now we're talking real security. Bearer tokens are so Q1-2016. :)
Aloha, Jim
On 11/3/16 1:11 PM, Sergey Beryozkin wrot