feat: add client credentials as a MUST #245
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -113,7 +113,11 @@ from a browser or an application. | |||||||||||||||||||||
|
|
||||||||||||||||||||||
| Therefore, this specification assumes the use of the | ||||||||||||||||||||||
| [Authorization Code Flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps) with | ||||||||||||||||||||||
| PKCE, in accordance with OAuth and OIDC best practices, for interactive browser-based login. | ||||||||||||||||||||||
| For non-interactive use cases such as scripts, automated agents, and server-to-server communication, | ||||||||||||||||||||||
| this specification also requires support for the | ||||||||||||||||||||||
| [Client Credentials Grant](https://www.rfc-editor.org/rfc/rfc6749#section-4.4). | ||||||||||||||||||||||
| It is also assumed that there are no | ||||||||||||||||||||||
| preexisting trust relationships with the OP. This means that client registration, whether dynamic, | ||||||||||||||||||||||
| or static, is entirely optional. | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
|
|
@@ -288,13 +292,31 @@ Solid-OIDC defines the following `scope` value for use with claim requests: | |||||||||||||||||||||
| REQUIRED. This scope requests access to the End-User's `webid` Claim. | ||||||||||||||||||||||
| </dl> | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
| # Client Credentials Grant # {#client-credentials} | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
| Authorization Servers MUST support the OAuth 2.0 Client Credentials Grant [[!RFC6749]] (Section 4.4) | ||||||||||||||||||||||
| to enable non-interactive authentication for scripts, automated agents, and server-to-server | ||||||||||||||||||||||
| communication. | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
| When using the Client Credentials Grant, the Client authenticates with the OP using a | ||||||||||||||||||||||
| `client_id` and `client_secret` pair previously obtained through client registration | ||||||||||||||||||||||
| (either static or dynamic). The Client sends a token request to the OP's token endpoint | ||||||||||||||||||||||
| with `grant_type=client_credentials` and the `webid` scope. | ||||||||||||||||||||||
jeswr marked this conversation as resolved.
Show resolved
Hide resolved
Comment on lines
+301
to
+304
There was a problem hiding this comment. There's a potential contradiction with the statement at lines 121-122 which says "client registration, whether dynamic, or static, is entirely optional." The Client Credentials Grant inherently requires client registration to obtain the client_id and client_secret pair. Consider either: (1) clarifying at lines 121-122 that client registration is optional for some flows but required for Client Credentials Grant, or (2) adding a note in the Client Credentials section that explicitly acknowledges this requirement represents an exception to the general optional nature of client registration mentioned in the Core Concepts section.
Suggested change
Member
Author
There was a problem hiding this comment. @acoburn @joachimvh can you confirm this is accurate with your implementations? |
||||||||||||||||||||||
|
|
||||||||||||||||||||||
| The OP MUST validate the `client_id` and `client_secret`, and if valid, MUST return | ||||||||||||||||||||||
|
Contributor
There was a problem hiding this comment. See comment above, I would not normatively require the use of a client_secret. |
||||||||||||||||||||||
| a DPoP-bound OIDC ID Token. The Client MUST include a valid DPoP proof [[!DPOP]] | ||||||||||||||||||||||
| with the token request. | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
| The OP MUST advertise `client_credentials` in its `grant_types_supported` | ||||||||||||||||||||||
| metadata property in its OpenID Connect Discovery 1.0 [[!OIDC-DISCOVERY]] document. | ||||||||||||||||||||||
|
Contributor
There was a problem hiding this comment. Note that the |
||||||||||||||||||||||
|
|
||||||||||||||||||||||
| # Token Instantiation # {#tokens} | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
| Assuming one of the following options | ||||||||||||||||||||||
| - Client ID and Secret, and valid DPoP Proof, using either the Authorization Code Grant or the Client Credentials Grant | ||||||||||||||||||||||
| - Dereferencable Client Identifier with a proper Client ID Document and valid DPoP Proof (for a Solid client identifier) | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
| the OP MUST return a DPoP-bound OIDC ID Token. | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
| ## DPoP-bound OIDC ID Token ## {#tokens-id} | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
|
|
@@ -401,10 +423,15 @@ requested resource. | |||||||||||||||||||||
| An OpenID Provider that conforms to the Solid-OIDC specification MUST advertise it in the OpenID Connect | ||||||||||||||||||||||
| Discovery 1.0 [[!OIDC-DISCOVERY]] resource by including `webid` in its `scopes_supported` metadata property. | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
| Additionally, the OP MUST include `client_credentials` in its `grant_types_supported` | ||||||||||||||||||||||
| metadata property to indicate support for non-interactive authentication | ||||||||||||||||||||||
| via the Client Credentials Grant (see [[#client-credentials]]). | ||||||||||||||||||||||
|
Comment on lines
+426
to
+428
There was a problem hiding this comment. This requirement duplicates the one already stated in the Client Credentials Grant section (lines 310-311). The same requirement appears twice: once in the Client Credentials Grant section and once here in the Conformance Discovery section. Consider removing the duplication by keeping only one of these statements, or if both are intentional, clarify why the requirement is repeated. Typically, the discovery/conformance section would be the natural place for such metadata requirements, making lines 310-311 potentially redundant.
Suggested change
Member
Author
There was a problem hiding this comment. Only to implement this change if we go with MAY wording over MUST. |
||||||||||||||||||||||
|
|
||||||||||||||||||||||
| <div class="example"> | ||||||||||||||||||||||
| <pre highlight="json"> | ||||||||||||||||||||||
| { | ||||||||||||||||||||||
| "scopes_supported": ["openid", "offline_access", "webid"], | ||||||||||||||||||||||
| "grant_types_supported": ["authorization_code", "refresh_token", "client_credentials"] | ||||||||||||||||||||||
| } | ||||||||||||||||||||||
| </pre> | ||||||||||||||||||||||
| </div> | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would avoid making any assumptions on which assertions a client provides to the AS for the client credentials grant. Quite a few Authorization Services rely on public keypairs to authenticate clients, cfr. RFC7523, for example this is the case in MS Entra
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For example this draft PR to CSS uses RFC7523