Authenticating Clients #172
Replies: 3 comments
-
Regarding aspect of Client authenticating to Resource Server. Depending on which identifier RS needs to authenticate we seem to have different reliance on Authorization Server. If client only needs to identify client by the key it holds and to which the token stays bound, RS can directly verify possession of that key. If we rely on some identifier like Requirement on which identity client has to prove to Resource Server also seems related to outcomes of Authentication panel. If access token includes (by value or reference) all the client authorization information that Resource Server should apply to the client using that access token, we can think of those authorization as 'semantic scopes', Resource Server doesn't need to verify any other client identity and use it to discover authorization details it should apply to the client. |
Beta Was this translation helpful? Give feedback.
-
Unless the RS requires a token that it issues itself. As you mentioned in today's panels, that could be an option in the rare case that the RS wants to identify the client. |
Beta Was this translation helpful? Give feedback.
-
Yes, precisely some AS would still issue the token and RS would need to rely on that AS verifying |
Beta Was this translation helpful? Give feedback.
-
I would like to clarify how, when and with who clients have to authenticate. OAuth provides couple of mechanisms for Client to Authenticate with Authorization Server. Also for Sender Constrained (bound) tokens, Client proves possession of private key to Resource Serve, which we can also consider as a from of authenticating (possibly relying on different way to identifying the client solid/authorization-panel#30)
During Authorization Code flow we rely on
redirect_uri
discussed in #22 and we also should document in one place how we rely on it for identifying and authenticating clients.I think we also need to clarify client authentication when using refresh tokens, especially if we consider issuing
client_secret
and expecting client to authenticate usingclient_id
&client_secret
. For fully in browser applications, non extractable CryptoKey provides more secure way of keeping secret than plain textclient_secret
and since we use Client Constrained (bound) tokens we require clients generate private key anyways. We could use Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants for clients to also use their private key for authenticating with authorization server, in that case we could possibly rely on Client Credentials Grant and don't even need to use refresh tokens.Beta Was this translation helpful? Give feedback.
All reactions