IETF Logo Mail Archive

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt

"Richer, Justin P." <jricher@mitre.org> Tue, 22 July 2014 13:54 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4879D1B27EC for <oauth@ietfa.amsl.com>; Tue, 22 Jul 2014 06:54:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cmk3U8j6jlA9 for <oauth@ietfa.amsl.com>; Tue, 22 Jul 2014 06:54:24 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 53A461B27DD for <oauth@ietf.org>; Tue, 22 Jul 2014 06:54:24 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id C29881F1559; Tue, 22 Jul 2014 09:54:23 -0400 (EDT)
Received: from IMCCAS02.MITRE.ORG (imccas02.mitre.org [129.83.29.79]) by smtpksrv1.mitre.org (Postfix) with ESMTP id B2D3C1F1558; Tue, 22 Jul 2014 09:54:23 -0400 (EDT)
Received: from IMCMBX01.MITRE.ORG ([169.254.1.118]) by IMCCAS02.MITRE.ORG ([129.83.29.69]) with mapi id 14.03.0174.001; Tue, 22 Jul 2014 09:54:23 -0400
From: "Richer, Justin P." <jricher@mitre.org>
To: Thomas Broyer <t.broyer@gmail.com>
Thread-Topic: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt
Thread-Index: AQHPpbRw2HhjKAwRPEyI0/Q0qsoAEg==
Date: Tue, 22 Jul 2014 13:54:22 +0000
Message-ID: <CA1810B0-6ED0-456F-8989-6B7EF73930D9@mitre.org>
References: <20140721185955.29738.31476.idtracker@ietfa.amsl.com> <4E1F6AAD24975D4BA5B16804296739439ADDA25E@TK5EX14MBXC294.redmond.corp.microsoft.com> <CAEayHEO-_i+cB6mtb_OUaXF4OfyTrYwfv1mn2EYS-KEzTKY1GA@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439ADDAA2D@TK5EX14MBXC294.redmond.corp.microsoft.com> <CAEayHEO1W3axmpiKYGvGRn7vnS7NDNi41t4cAukMBKSB783yUw@mail.gmail.com>
In-Reply-To: <CAEayHEO1W3axmpiKYGvGRn7vnS7NDNi41t4cAukMBKSB783yUw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.40.126]
Content-Type: multipart/alternative; boundary="_000_CA1810B06ED0456F89896B7EF73930D9mitreorg_"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/04r_0GMJfa8gwpG1JxisLEStMZw
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Jul 2014 13:54:26 -0000

Errors like these make it clear to me that it would make much more sense to develop this document in the OpenID Foundation. It should be something that directly references OpenID Connect Core for all of these terms instead of redefining them. It's doing authentication, which is fundamentally what OpenID Connect does on top of OAuth, and I don't see a good argument for doing this work in this working group.

 -- Justin

On Jul 22, 2014, at 4:30 AM, Thomas Broyer <t.broyer@gmail.com<mailto:t.broyer@gmail.com>> wrote:




On Mon, Jul 21, 2014 at 11:52 PM, Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote:
Thanks for your review, Thomas.  The “prompt=consent” definition being missing is an editorial error.  It should be:

consent
The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client. If it cannot obtain consent, it MUST return an error, typically consent_required.

I’ll plan to add it in the next draft.

It looks like the consent_required error needs to be defined too, and you might have forgotten to also import account_selection_required from OpenID Connect.


I agree that there’s no difference between a response with multiple “amr” values that includes “mfa” and one that doesn’t.  Unless a clear use case for why “mfa” is needed can be identified, we can delete it in the next draft.

Thanks.

How about "pwd" then? I fully understand that I should return "pwd" if the user authenticated using a password, but what "the service if a client secret is used" means in the definition for the "pwd" value?

(Nota: I know you're at IETF-90, I'm ready to wait 'til you come back ;-) )

--
Thomas Broyer
/tɔ.ma.bʁwa.je/<http://xn--nna.ma.xn--bwa-xxb.je/>
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email