Re: [OAUTH-WG] Preliminary OAuth Core draft -29

Dick Hardt <dick.hardt@gmail.com> Mon, 09 July 2012 17:31 UTC

From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 09 Jul 2012 10:31:49 -0700
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>

Hi Mike

Reading over the spec, I think some more color in 4.2 on the risks of the Implicit Grant and where it makes sense and where it does not is in order. 
Also, this should be in Section 9.

Thoughts?

-- Dick

On Jul 9, 2012, at 12:08 AM, Mike Jones wrote:

> A preliminary version of OAuth core draft -29 is attached for the working group’s consideration and discussion on today’s call.  I believe that this addresses all issues that have been raised, including Julian’s issues about the ABNF, character sets, and form encoding.  Changes are:
>  
> - Added "MUST" to "A public client that was not issued a client password MUST use the client_id request parameter to identify itself when sending requests to the token endpoint" and added text explaining why this must be so.
> - Added that the authorization server MUST "ensure the authorization code was issued to the authenticated confidential client or to the public client identified by the client_id in the request".
> - Added Security Considerations section "Misuse of Access Token to Impersonate Resource Owner at Public Client".
> - Deleted ";charset=UTF-8" from examples formerly using "Content-Type: application/x-www-form-urlencoded;charset=UTF-8".
> - Added the phrase "and a character encoding of UTF-8" when describing how to send requests using the HTTP request entity-body, per Julian Reschke's suggestion.
> - Added "The ABNF below is defined in terms of Unicode code points [UNICODE5]; these characters are typically encoded in UTF-8".
> - For symmetry when using HTTP Basic authentication, also apply the application/x-www-form-urlencoded encoding to the client password, just as was already done for the client identifier.
> - Reduced multiple blank lines around artwork elements to single blank lines.
> - Removed Eran Hammer's name from the author list, at his request. Dick Hardt is now listed as the editor.
>  
>                                                             Best wishes,
>                                                             -- Mike
>  
> Attachments: <draft-ietf-oauth-v2-29 preliminary.txt> <draft-ietf-oauth-v2-29 preliminary.html> <draft-ietf-oauth-v2-29 preliminary.pdf> <draft-ietf-oauth-v2-29 preliminary.xml>
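The two token-endpoint requirements Mike lists (a public client identifies itself with client_id, and the server checks that the code was issued to that same client) amount to a binding check at code exchange. The sketch below is an added illustration, not text from draft -29 or any real authorization server; the client registry, code store and Basic-auth handling are constructed for the example.

```python
import secrets
import time

# Constructed sample registry: one confidential client with a password, one public client without.
CLIENTS = {
    "conf-client": {"public": False, "secret": "s3cret"},
    "pub-client": {"public": True, "secret": None},
}
ISSUED_CODES = {}  # code -> {"client_id", "redirect_uri", "expires", "used"}


def issue_code(client_id, redirect_uri, ttl=600):
    """Authorization endpoint side: record which client a fresh code was issued to."""
    code = secrets.token_urlsafe(24)
    ISSUED_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                          "expires": time.time() + ttl, "used": False}
    return code


def authenticate(params, basic_auth):
    """Return the client_id this request speaks for, or None.
    Confidential clients authenticate (HTTP Basic here); public clients
    only identify themselves with the client_id parameter, as draft -29 requires."""
    if basic_auth:
        cid, secret = basic_auth
        c = CLIENTS.get(cid)
        if c and not c["public"] and secrets.compare_digest(c["secret"], secret):
            return cid
        return None
    cid = params.get("client_id")
    c = CLIENTS.get(cid)
    return cid if c and c["public"] else None


def token_endpoint(params, basic_auth=None):
    """Exchange an authorization code, refusing codes not issued to the calling client."""
    if params.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    client_id = authenticate(params, basic_auth)
    if client_id is None:
        return {"error": "invalid_client"}
    rec = ISSUED_CODES.get(params.get("code"))
    if rec is None or rec["used"] or rec["expires"] < time.time():
        return {"error": "invalid_grant"}
    # The draft's MUST: the code must have been issued to this very client (and redirect_uri).
    if rec["client_id"] != client_id or rec["redirect_uri"] != params.get("redirect_uri"):
        return {"error": "invalid_grant"}
    rec["used"] = True  # codes are single use
    return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}
```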