Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document
Warren Parad <wparad@rhosys.ch> Wed, 15 July 2020 18:57 UTC
From: Warren Parad <wparad@rhosys.ch>
Date: Wed, 15 Jul 2020 20:57:18 +0200
Message-ID: <CAJot-L0wYMMkUDjEbn3O50_A-Ly03ASdz=UhU_yZuLaayN3mpA@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0x7jGjrZPRfMinrFOrf2dXVJyXk>
I only recently joined this WG DL, so maybe this was already discussed, but I have two things I'm confused/curious about:

1. Can we avoid using (1, 2, 3) on the left side of the diagram? I'm not even sure what they are supposed to represent, not to mention the RO in the diagram doesn't really provide value (for me) relevant to the code grant flow. It's confusing to see these numerical identifiers twice in the same picture. But maybe there is something hidden in this that I'm missing; still, 3a and 3b could be used to identify different legs of the same code path.

[image: image.png]

2. It seems recently more and more common to pass the access_token to some RS via a cookie, yet 7.2.1 says it defines two methods. I think we need some RFC2119 <https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html#RFC2119> keywords here, to suggest that either SHOULD use one of these two, or MUST. And then optionally state whether or not we recommend or reject the use of cookies as a place for access tokens. It's also possible that the language threw me off, because would an access token in a cookie be a bearer token? But no matter, if I'm having this thought, then surely others have it as well, right?

[image: image.png]

*Warren Parad*
Secure your user data and complete your authorization architecture. Implement Authress <https://bit.ly/37SSO1p>.
<https://rhosys.ch>

On Wed, Jul 15, 2020 at 7:55 PM Dick Hardt <dick.hardt@gmail.com> wrote:

> +1
>
> On Wed, Jul 15, 2020 at 10:42 AM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:
>
>> All,
>>
>> This is a *call for adoption* for the following *OAuth 2.1* document as a WG document:
>> https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html
>>
>> Please, provide your feedback on the mailing list by *July 29th.*
>>
>> Regards,
>> Rifaat & Hannes
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
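The second point above, about where a resource server should look for the access token, is concrete enough to show in code. The following is an added example, written for this page; it is not code from Warren's message, from the OAuth 2.1 draft, or from any project it mentions. It implements the two bearer-token transports RFC 6750 defines and OAuth 2.1 keeps (the `Authorization: Bearer` header, section 2.1, and the `access_token` form-body parameter, section 2.2), refuses the query-string method that OAuth 2.1 drops, treats a token presented by more than one method as `invalid_request` (RFC 6750 section 2), and deliberately never reads cookies: a cookie is attached by the browser on its own, so a cookie-only request is answered with a plain challenge as if no token were presented. The function names, the `"api"` realm, the `valid_tokens` lookup and the sample token values are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs

# b64token syntax from RFC 6750 section 2.1.
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")
FORM = "application/x-www-form-urlencoded"


class BearerError(ValueError):
    """Extraction failure carrying an RFC 6750 section 3 error code."""

    def __init__(self, message, code="invalid_request"):
        super().__init__(message)
        self.code = code


def www_authenticate(exc=None, realm="api"):
    """Build the WWW-Authenticate challenge for a 401 (RFC 6750 section 3)."""
    if exc is None:  # no token presented at all: challenge without an error code
        return f'Bearer realm="{realm}"'
    return f'Bearer realm="{realm}", error="{exc.code}", error_description="{exc}"'


def extract_bearer_token(headers, body=None, query=None, cookies=None):
    """Return the bearer token, None if none was presented, or raise BearerError.

    Only the Authorization header and the form-encoded body are consulted.
    `cookies` is accepted so a caller can hand over a whole request, but it is
    intentionally never read: a cookie travels on every same-site request the
    browser makes, so the server cannot tell a deliberate presentation of the
    credential from an ambient one.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    presented = []

    auth = hdrs.get("authorization")
    if auth is not None:
        scheme, _, credentials = auth.partition(" ")
        credentials = credentials.strip()
        if scheme.lower() != "bearer":
            raise BearerError("unsupported authorization scheme")
        if not _B64TOKEN.match(credentials):
            raise BearerError("malformed bearer credentials")
        presented.append(credentials)

    media_type = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if body and media_type == FORM:
        values = parse_qs(body, keep_blank_values=True).get("access_token")
        if values is not None:
            if len(values) != 1 or not values[0]:
                raise BearerError("access_token must appear exactly once and be non-empty")
            presented.append(values[0])

    # OAuth 2.1 removes the URI query parameter method of RFC 6750 section 2.3.
    if query and "access_token" in parse_qs(query, keep_blank_values=True):
        raise BearerError("access_token in the query string is not accepted")

    if not presented:
        return None
    if len(presented) > 1:
        raise BearerError("token presented by more than one method")
    return presented[0]


def authorize_request(headers, body=None, query=None, cookies=None,
                      valid_tokens=frozenset()):
    """Return (status, WWW-Authenticate value or None) for a protected resource.

    `valid_tokens` stands in for real token validation (introspection or
    signature check) and is an assumption of this example.
    """
    try:
        token = extract_bearer_token(headers, body, query, cookies)
    except BearerError as exc:
        status = 400 if exc.code == "invalid_request" else 401
        return status, www_authenticate(exc)
    if token is None:
        return 401, www_authenticate()
    if token not in valid_tokens:
        return 401, www_authenticate(BearerError("token is not valid", "invalid_token"))
    return 200, None


if __name__ == "__main__":
    # Constructed requests: header, form body, cookie-only, and query string.
    print(authorize_request({"Authorization": "Bearer tok"}, valid_tokens={"tok"}))
    print(authorize_request({"Cookie": "access_token=tok"},
                            cookies={"access_token": "tok"}, valid_tokens={"tok"}))
    print(authorize_request({}, query="access_token=tok", valid_tokens={"tok"}))
```

The cookie-only case is the one the message asks about: with this policy it gets a bare `Bearer realm="api"` challenge, the same answer an anonymous request gets, rather than being silently accepted. Whether the specification should say SHOULD or MUST about that is exactly the question left open above; the code only makes one choice explicit.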