Re: [OAUTH-WG] PKCE & Hybrid Flow

John Bradley <ve7jtb@ve7jtb.com> Wed, 27 January 2016 12:51 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CABzCy2DcwvLvk2Z6oZrEK8mbhb3M0eaLYidq8djOC_EfEt+V-Q@mail.gmail.com>
Date: Wed, 27 Jan 2016 09:51:35 -0300
Message-Id: <70953000-628C-4C82-A759-859E547A2D74@ve7jtb.com>
References: <etPan.56a7d2ec.b71f1ef.289@dombp.local> <8A68406E-0C0F-4CDB-A510-3C139CEE3AF4@ve7jtb.com> <CABzCy2DcwvLvk2Z6oZrEK8mbhb3M0eaLYidq8djOC_EfEt+V-Q@mail.gmail.com>
To: Nat Sakimura <sakimura@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/0y9sz6PDvF6va-KbjBwyatEGOB4>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] PKCE & Hybrid Flow

It is confusing that the value is a string that is order independent based on space breaks, rather than a space separated list of responses requested.

Changing it now may be more trouble than it is worth, if it may break deployments.   The editor at the time really didn’t want multiple response types, so that was a way to have them but not really.

John B.

> On Jan 26, 2016, at 11:11 PM, Nat Sakimura <sakimura@gmail.com> wrote:
> 
> To the end, perhaps amending RFC6749 so that the response type is treated as a space separated value would be a better way to go? 
> 
> 2016年1月27日(水) 5:20 John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>>:
> Yes, it also applies to the “code id_token” response_type.   It would also apply to “code token”, “code token id_token” response types as well, though I can’t think of why a native app would use those.
> 
> We can look at an erratum to clarify.  It is an artifact of response_type being treated as a single string as opposed to being space separated values as most people would expect.
> 
> John B.
> 
>> On Jan 26, 2016, at 5:11 PM, Dominick Baier <dbaier@leastprivilege.com <mailto:dbaier@leastprivilege.com>> wrote:
>> 
>> Hi, 
>> 
>> PKCE only mentions OAuth 2.0 code flow - but wouldn’t that also apply to OIDC hybrid flow e.g. code id_token?
>> 
>> — 
>> cheers
>> Dominick Baier
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
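The point of the thread, that PKCE should bind any response_type that returns an authorization code (“code id_token”, “code token”, “code token id_token”), not only the plain “code” flow, is easier to see as an authorization-server policy. The code below is an added illustration, not code from this thread or from any IETF document: it treats response_type as an order-independent set of space-separated tokens (as the OIDC multiple-response-types spec does), requires an S256 code_challenge whenever “code” is among them, and verifies the code_verifier at the token endpoint. The endpoint names `authorize_ok` and `token_ok` are hypothetical helpers; the test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets


def response_type_tokens(response_type: str) -> frozenset:
    """Parse response_type as an order-independent set of space-separated
    tokens, so "code id_token" and "id_token code" describe the same request."""
    return frozenset(t for t in response_type.split(" ") if t)


def returns_code(response_type: str) -> bool:
    """True for every response_type that delivers an authorization code,
    which is exactly the case PKCE protects (hybrid flows included)."""
    return "code" in response_type_tokens(response_type)


def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_verifier() -> str:
    """32 random bytes -> 43 unreserved characters, the RFC 7636 minimum length."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def authorize_ok(params: dict) -> bool:
    """Authorization endpoint policy of a hypothetical AS: any request whose
    response_type returns a code must carry an S256 code_challenge."""
    if not returns_code(params.get("response_type", "")):
        return True  # implicit-only request: no code to bind, PKCE not applicable
    return bool(params.get("code_challenge")) and params.get("code_challenge_method") == "S256"


def token_ok(stored_challenge: str, code_verifier: str) -> bool:
    """Token endpoint check: the verifier presented with the code must hash to
    the challenge that was bound to that code at authorization time."""
    if not (43 <= len(code_verifier) <= 128):
        return False
    return secrets.compare_digest(s256_challenge(code_verifier), stored_challenge)
```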