You need to verify that when you use an authorization code, not when you use an assertion.
EHL

On 7/15/10 3:54 AM, "Elena Lozano" <elena.loz...@rediris.es> wrote:

Hi everyone,

As we adapt the RedIRIS PHP OAuth2 library[1] to the last version of the draft, we have found some issues regarding the client secret and client id. The thing is that we don't understand the security given with the client_id and client_secret of the assertion profile.

The last changes on the protocol said that: "the authorization server MUST verify that the redirection URI received matches the registered URI associated with the client identifier." This provides one way to perform the correct identification of the client but doesn't work with the assertion profile.

In the assertion profile, we understand that the client_id is optional and that the assertion could have the information about the client identification. This could happen when the assertion authorizes an application, but in our use cases the assertions don't have information about the client application. This is a problem because in our request to the Auth Server we cannot check if the application is registered correctly. We can send the client_id in the request, but we have the same problem, because someone can 'steal' our client id and impersonate the client.

We think that we can solve that by signing parameters in the request, adding the client_id signature or something like this, but we're not sure that this is referred to in the protocol. What do you think is better to solve this issue?

I don't know if I'm understanding something in a wrong way, so please correct me if I'm wrong.

Thanks!

Elena.

[1] http://www.rediris.es/oauth2
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
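The distinction in the reply, as an added example that is not code from the RedIRIS library or from the thread: a toy token endpoint that applies the registered-redirect-URI check only to the authorization code grant, and that, for the assertion grant, refuses to treat a bare client_id as proof of identity unless the client authenticates with its secret or the signed assertion itself names the client. Client names, secrets, codes, the HMAC-signed "k=v&k=v|mac" assertion format and the issuer key are all constructed for this example; a real deployment would verify a SAML or JWT assertion instead.

```python
import hashlib
import hmac
import secrets

# Constructed client registry: client_id -> registered redirect URI and secret (None = public client).
REGISTERED_CLIENTS = {
    "app-a": {"redirect_uri": "https://app-a.example/cb", "secret": "constructed-secret-a"},
    "app-b": {"redirect_uri": "https://app-b.example/cb", "secret": None},
}

# Constructed codes already handed out by the authorization endpoint: code -> client it was issued to.
ISSUED_CODES = {"code-123": {"client_id": "app-a"}}

# Constructed key of the party the server trusts to issue assertions.
ASSERTION_ISSUER_KEY = b"constructed-assertion-issuer-key"


class TokenError(Exception):
    """Carries the OAuth error code the token endpoint would return."""


def mint_assertion(claims):
    """Build a toy HMAC-signed assertion 'k=v&k=v|mac' (stand-in for SAML/JWT)."""
    payload = "&".join(f"{k}={v}" for k, v in sorted(claims.items()))
    mac = hmac.new(ASSERTION_ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_assertion(assertion):
    """Check the issuer signature and return the claims; reject anything unsigned or tampered."""
    payload, sep, mac = assertion.rpartition("|")
    expected = hmac.new(ASSERTION_ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not sep or not hmac.compare_digest(mac, expected):
        raise TokenError("invalid_grant")
    return dict(kv.split("=", 1) for kv in payload.split("&") if "=" in kv)


def authenticate_client(params):
    """Return (client_id, authenticated). A known client_id with no secret is NOT authenticated."""
    client_id = params.get("client_id")
    if client_id is None:
        return None, False
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        raise TokenError("invalid_client")
    if client["secret"] is None:
        # Public client: the identifier alone proves nothing, anyone who saw it can replay it.
        return client_id, False
    presented = params.get("client_secret", "")
    if not hmac.compare_digest(presented.encode(), client["secret"].encode()):
        raise TokenError("invalid_client")
    return client_id, True


def issue_token(client_id, subject=None):
    return {"access_token": secrets.token_urlsafe(16), "client_id": client_id, "sub": subject}


def handle_authorization_code(params, codes):
    client_id, _authenticated = authenticate_client(params)
    if client_id is None:
        raise TokenError("invalid_client")
    record = codes.pop(params.get("code"), None)  # codes are single use
    if record is None or record["client_id"] != client_id:
        raise TokenError("invalid_grant")
    # The redirect URI check from the draft belongs here: the code was delivered to a
    # redirect URI, so the URI presented now must equal the one registered for the client.
    if params.get("redirect_uri") != REGISTERED_CLIENTS[client_id]["redirect_uri"]:
        raise TokenError("invalid_grant")
    return issue_token(client_id)


def handle_assertion(params):
    claims = verify_assertion(params.get("assertion", ""))
    client_id, authenticated = authenticate_client(params)
    asserted = claims.get("client_id")
    if client_id is not None and asserted is not None and asserted != client_id:
        raise TokenError("invalid_client")  # request and assertion name different clients
    if not authenticated:
        # No redirection happened, so there is no registered URI to match; the only
        # remaining evidence of which client this is must come from the signed assertion.
        if asserted not in REGISTERED_CLIENTS:
            raise TokenError("invalid_client")
        client_id = asserted
    return issue_token(client_id, subject=claims.get("sub"))


def token_request(params, codes=None):
    """Dispatch a token-endpoint request; returns a token dict or {'error': code}."""
    codes = ISSUED_CODES if codes is None else codes
    try:
        grant = params.get("grant_type")
        if grant == "authorization_code":
            return handle_authorization_code(params, codes)
        if grant == "assertion":
            return handle_assertion(params)
        raise TokenError("unsupported_grant_type")
    except TokenError as exc:
        return {"error": exc.args[0]}
```

The case Elena describes, a public client sending only its client_id with an assertion that does not mention the client, is rejected with invalid_client rather than silently accepted, which is the defensive default: the server cannot tell a registered client from anyone who copied its identifier. Adding a secret to the client (or having the assertion issuer bind the client identity into the assertion) turns the same request into an accepted one.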