Specify the client authentication method when using a Client Identifier #78
Comments
This sounds reasonable to me, would you like to make PR with what you are proposing here?
OP needs to know |
|
I'll open a PR after having discussed this in today's panel meeting. And the way I understand the spec you linked to, if the client used some authentication method during the Authorization request, it should include its authentication information during the Token Request too. |
|
I've been doing some research and it seems fine not to use client authentication with a token endpoint. When it comes to refresh tokens there is some guidance in:
I'll add this issue inline to the spec to welcome more feedback. Based on that we should be able to close it eventually. |
When making a request to the token endpoint of an OIDC provider, a client usually authenticates itself. Client authentication methods at the token endpoint are described in the OpenID spec (and to some extent the OAuth 2.0 spec, and they usually rely on a client having a client id/secret pair, either through static or dynamic registration.
Solid-OIDC introduces a new type of client authentication based on a Client Identifier available at a URL under the client's control, which means that no client registration is required, and no client secret is involved. The only method described in the OpenID spec that aligns with the absence of a client secret and any other form of registration is the
noneclient authentication method. In addition, the OAuth 2.0 spec seems to lean towards enforcing that HTTP Basic auth is only used when both a client id and secret are present. In the absence of a client secret, theclient_idshould therefore be sent as part of the token request body.Considering all this, it may be good to add a note to the Solid-OIDC specification, in the Client Identifiers section along the following lines:
The text was updated successfully, but these errors were encountered: