[OAUTH-WG] Preliminary OAuth Core draft -29

Mike Jones <Michael.Jones@microsoft.com> Mon, 09 July 2012 07:08 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Mon, 09 Jul 2012 07:08:56 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436657C93A@TK5EX14MBXC283.redmond.corp.microsoft.com>
Subject: [OAUTH-WG] Preliminary OAuth Core draft -29

A preliminary version of OAuth core draft -29 is attached for the working group's consideration and discussion on today's call.  I believe that this addresses all issues that have been raised, including Julian's issues about the ABNF, character sets, and form encoding.  Changes are:
  *   Added "MUST" to "A public client that was not issued a client password MUST use the client_id request parameter to identify itself when sending requests to the token endpoint" and added text explaining why this must be so.
  *   Added that the authorization server MUST "ensure the authorization code was issued to the authenticated confidential client or to the public client identified by the client_id in the request".
  *   Added Security Considerations section "Misuse of Access Token to Impersonate Resource Owner at Public Client".
  *   Deleted ";charset=UTF-8" from examples formerly using "Content-Type: application/x-www-form-urlencoded;charset=UTF-8".
  *   Added the phrase "and a character encoding of UTF-8" when describing how to send requests using the HTTP request entity-body, per Julian Reschke's suggestion.
  *   Added "The ABNF below is defined in terms of Unicode code points [UNICODE5]; these characters are typically encoded in UTF-8".
  *   For symmetry when using HTTP Basic authentication, also apply the application/x-www-form-urlencoded encoding to the client password, just as was already done for the client identifier.
  *   Reduced multiple blank lines around artwork elements to single blank lines.
  *   Removed Eran Hammer's name from the author list, at his request. Dick Hardt is now listed as the editor.

                                                            Best wishes,
                                                            -- Mike
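Worked example (added by the editor; this is not code from the e-mail, from draft -29 or from any OAuth implementation). It models the token-endpoint rules the first three bullets describe: a public client with no client password identifies itself with the client_id parameter, a confidential client authenticates with HTTP Basic, and the server only redeems an authorization code that was issued to the client actually making the request. It also shows the HTTP Basic encoding with the application/x-www-form-urlencoded escaping applied to both the client identifier and the client password. The client registry, the issued codes and the function names (basic_auth_header, token_endpoint, handle) are all assumptions constructed for the example.

```python
"""Token endpoint client-binding checks and Basic credential encoding.

Added illustration, not code from the e-mail or the draft. All client ids,
secrets and authorization codes below are constructed sample data.
"""
import base64
import hmac
from urllib.parse import quote_plus, unquote_plus


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build 'Basic <b64>' after form-urlencoding id and secret.

    Escaping both halves means a ':' or non-ASCII character in either value
    cannot be confused with the id:secret separator when the server splits it.
    """
    user = quote_plus(client_id, safe="")
    pw = quote_plus(client_secret, safe="")
    token = base64.b64encode(f"{user}:{pw}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth_header(header: str) -> tuple[str, str]:
    """Inverse of basic_auth_header; raises ValueError on malformed input."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, pw = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return unquote_plus(user), unquote_plus(pw)


# Constructed registry: client_id -> client password, or None for a public
# client that was never issued one.
CLIENTS = {
    "web-app:prod": "s3cret/with:odd chars",
    "native-app": None,
}

# Constructed store of codes handed out by the authorization endpoint,
# remembering which client each code was issued to.
ISSUED_CODES = {
    "code-for-web": {"client_id": "web-app:prod", "used": False},
    "code-for-native": {"client_id": "native-app", "used": False},
}


class TokenError(Exception):
    """Carries the OAuth error code the endpoint would return."""

    def __init__(self, error: str, status: int):
        super().__init__(error)
        self.error = error
        self.status = status


def identify_client(params: dict, headers: dict) -> str:
    """Return the client_id the request is acting for.

    Confidential clients authenticate with HTTP Basic. Public clients are
    identified by the client_id parameter only, and a confidential client
    is not allowed to skip authentication by merely naming itself.
    """
    auth = headers.get("Authorization")
    if auth is not None:
        cid, secret = parse_basic_auth_header(auth)
        registered = CLIENTS.get(cid)
        if registered is None or not hmac.compare_digest(
            registered.encode("utf-8"), secret.encode("utf-8")
        ):
            raise TokenError("invalid_client", 401)
        return cid
    cid = params.get("client_id")
    if cid is None or cid not in CLIENTS or CLIENTS[cid] is not None:
        raise TokenError("invalid_client", 401)
    return cid


def token_endpoint(params: dict, headers: dict) -> dict:
    """Authorization-code grant with the code bound to the requesting client."""
    if params.get("grant_type") != "authorization_code":
        raise TokenError("unsupported_grant_type", 400)
    client_id = identify_client(params, headers)
    code = params.get("code", "")
    record = ISSUED_CODES.get(code)
    # The code must exist, be unused, and have been issued to *this* client;
    # otherwise a code obtained by or meant for another client is redeemable.
    if record is None or record["used"] or record["client_id"] != client_id:
        raise TokenError("invalid_grant", 400)
    record["used"] = True
    return {"access_token": f"at-{client_id}-{code}", "token_type": "Bearer"}


def handle(params: dict, headers: dict) -> dict:
    """What an HTTP layer would return: status plus JSON-style body."""
    try:
        return {"status": 200, "body": token_endpoint(params, headers)}
    except TokenError as e:
        return {"status": e.status, "body": {"error": e.error}}
```

The interesting cases are the rejections: the public client native-app presenting code-for-web, the confidential client sending only client_id without its password, and a second redemption of an already-used code all fail, while the properly authenticated client redeeming its own code succeeds once.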