Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

Anthony Nadalin <> Tue, 23 February 2016 23:09 UTC

From: Anthony Nadalin <>
To: Hannes Tschofenig <>, "" <>
Date: Tue, 23 Feb 2016 23:08:47 +0000

I would go with option A; option B introduces concepts/syntax that complicate the current OAuth model.

-----Original Message-----
From: OAuth [] On Behalf Of Hannes Tschofenig
Sent: Friday, February 19, 2016 11:43 AM
Subject: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

Early February I posted a mail to the list to make progress on the solution to the OAuth Authorization Server Mix-Up problem discovered late last year.

Here is my mail about the Authorization Server Mix-Up:

Here is my mail to the list that tries to summarize the discussion status and asked a few questions:

Unfortunately, my mail didn't lead to the intended success. While there was some feedback, I wasn't getting the desired response.

In order to move forward I believe we need a working group document that serves as a starting point for further work in the group*. We have two documents that provide similar functionality in an attempt to solve the Authorization Server Mix-Up problem.

So, here is the question for the group. Which document do you want as a starting point for work on this topic:

-- Option A: 'OAuth 2.0 Mix-Up Mitigation' by Mike Jones and John Bradley


-- Option B: 'OAuth Response Metadata' by Nat Sakimura, Nov Matake and Sascha Preibisch


Deadline for feedback is March 4th.

Hannes & Derek

PS: (*) Regardless of the selected solution we will provide proper acknowledgement for those who contributed to the work.