[Fedsec-cg] [Idel-wg] OIDC/OA4MP Specification v0.2 - please read and comment
Mischa Salle
msalle at nikhef.nl
Thu Jun 11 06:15:38 EDT 2015
On Wed, Jun 10, 2015 at 06:32:40PM +0000, Basney, Jim wrote:
> Hi Mischa,
>
> Thanks again for the comments. I've started to update http://goo.gl/VnMKXS
> based on our discussion.
Hi Jim,
great! I'll have a look in detail later (probably during TNC).
> Yes, I'm convinced. :)
>
> If I understand correctly it means that GET requests to the GetCert
> endpoint will contain two Authorization headers, one of type Basic
> containing the client_id and client_secret and another of type Bearer
> containing the access_token. However, as previously discussed, we prefer
> POST requests to the GetCert endpoint, in which case client_id,
> client_secret, and access_token are included in the
> application/x-www-form-urlencoded body. I've updated http://goo.gl/VnMKXS
> to match my understanding.
I think that sounds fine. One remark: is it allowed to have multiple
Authorization headers? It's not entirely clear from
https://tools.ietf.org/html/rfc7235#section-4.2
I think it's probably not intended, as it explicitly mentions in 4.1
that there can be multiple WWW-Authenticate headers... For a POST this
is obviously not an issue. Also, putting the client_secret in a GET is
generally not a good idea for the same reasons as we discussed before
(ends up in logfiles, browser caches etc.).
Best wishes,
Mischa
--
Nikhef Room H155
Science Park 105 Tel. +31-20-592 5102
1098 XG Amsterdam Fax +31-20-592 5155
The Netherlands Email msalle at nikhef.nl
__ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
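An added example, not code from the thread or from OA4MP itself, of how a GetCert endpoint could enforce the POST convention Jim describes (client_id, client_secret and access_token in an application/x-www-form-urlencoded body) while refusing the credentials-in-GET pattern and the ambiguous multiple-Authorization-header case Mischa raises. The function name and the header representation as a list of (name, value) pairs are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed validator for the GetCert request shape discussed in the thread.
# Hypothetical helper; the parameter names come from the discussion itself.
REQUIRED = ("client_id", "client_secret", "access_token")
SENSITIVE = ("client_secret", "access_token")
FORM_TYPE = "application/x-www-form-urlencoded"


def validate_getcert_request(method, url, headers, body):
    """Return (ok, reason, params).

    headers is a list of (name, value) tuples so repeated headers are visible.
    Only the POST/form-body variant is accepted; anything that would put the
    client_secret or access_token into a URL (and so into logs and caches) is
    refused before the method is even considered.
    """
    query = parse_qs(urlsplit(url).query)
    leaked = [k for k in SENSITIVE if k in query]
    if leaked:
        return False, "credentials in query string: " + ",".join(leaked), {}
    if method.upper() != "POST":
        return False, "method not allowed: " + method, {}
    # Header field names are case-insensitive; RFC 7235 does not say what two
    # Authorization headers mean, so treat that as a malformed request.
    auth = [v for k, v in headers if k.lower() == "authorization"]
    if len(auth) > 1:
        return False, "multiple Authorization headers", {}
    ctype = next((v for k, v in headers if k.lower() == "content-type"), "")
    if ctype.split(";")[0].strip().lower() != FORM_TYPE:
        return False, "unsupported Content-Type: %r" % ctype, {}
    form = parse_qs(body, keep_blank_values=True)
    missing = [k for k in REQUIRED if not form.get(k, [""])[0]]
    if missing:
        return False, "missing parameters: " + ",".join(missing), {}
    # A repeated parameter is ambiguous (which client_secret is "the" one?).
    dup = [k for k in REQUIRED if len(form[k]) > 1]
    if dup:
        return False, "duplicate parameters: " + ",".join(dup), {}
    return True, "ok", {k: form[k][0] for k in REQUIRED}


if __name__ == "__main__":
    # Constructed sample requests against a placeholder endpoint URL.
    print(validate_getcert_request(
        "POST", "https://example.invalid/getcert",
        [("Content-Type", FORM_TYPE)],
        "client_id=cid&client_secret=sec&access_token=tok"))
    print(validate_getcert_request(
        "GET", "https://example.invalid/getcert?client_id=cid&client_secret=sec",
        [], ""))
```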