Re: [OAUTH-WG] Unclear parts in OAuth 2.0 specification
Todd W Lainhart <lainhart@us.ibm.com> Fri, 30 August 2013 12:40 UTC
In-Reply-To: <CAL520Rm0pRca3DJYC+mxeep2wDf3CH5nQfcgrD+FAo9pfgOGTQ@mail.gmail.com>
References: <CAL520Rm0pRca3DJYC+mxeep2wDf3CH5nQfcgrD+FAo9pfgOGTQ@mail.gmail.com>
To: Martin Ždila <m.zdila@mwaysolutions.com>
Message-ID: <OFA0F347F9.2565A20F-ON85257BD7.0044B789-85257BD7.004512CC@us.ibm.com>
From: Todd W Lainhart <lainhart@us.ibm.com>
Date: Fri, 30 Aug 2013 08:34:27 -0400
Cc: oauth@ietf.org, oauth-bounces@ietf.org
Subject: Re: [OAUTH-WG] Unclear parts in OAuth 2.0 specification
List-Id: OAUTH WG <oauth.ietf.org>
Think that there are three different types of clients: confidential; public; and anonymous (my term).

Confidential: id and secret; Public: id only; Anonymous: no credentials.

You provide the type of credentials that you can, and the protected endpoint will accept or reject based on the operation and its protections.

Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
1-978-899-4705
2-276-4705 (T/L)
lainhart@us.ibm.com

From: Martin Ždila <m.zdila@mwaysolutions.com>
To: oauth@ietf.org
Date: 08/30/2013 03:42 AM
Subject: [OAUTH-WG] Unclear parts in OAuth 2.0 specification
Sent by: oauth-bounces@ietf.org

Hello

There are some unclear parts in the OAuth 2.0 specification.

1. In 4.3. (B) there is the following statement:

   When making the request, the client authenticates with the authorization server.

   In 4.3.2 there is the following statement:

   If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server as described in Section 3.2.1.

   The first statement states that client credentials must always be passed. The second states that it is required only for certain client types. Also, if the client type doesn't provide credentials, there is no means to identify it, and so it is impossible to check if client credentials were actually required.

2. Authorization Code Grant and Implicit Grant use a different URL part to encode their response. The former uses the query and the latter the fragment. If the request has an invalid or missing response_type parameter, then the user agent should be redirected to a URL with an error response where error=unsupported_response_type. But if we don't know what type of grant we are handling, where do we put the error parameters? In the query or the fragment part of the URL?

Please clarify that.

Thanks in advance

Best regards

--
Ing. Martin Ždila
Senior Analyst / Developer
M-Way Solutions Slovakia s.r.o.
Letná 27, 040 01 Košice, Slovakia
tel:+421-908-363-848
mailto:m.zdila@mwaysolutions.com
http://www.mwaysolutions.com

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
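The three-way split Todd describes (confidential: id and secret; public: id only; anonymous: nothing) and the "accept or reject based on the operation" rule can be made concrete at the token endpoint. The following is an added example written for this archive page; it is not code from either poster, from IBM, or from the RFC. The client registry, the secret values, the GRANT_POLICY table and the helper names are this example's own assumptions. The one policy row taken from the spec is that the client_credentials grant is for confidential clients only (RFC 6749 section 4.4); credential extraction follows section 2.3.1 (HTTP Basic, with the form-urlencoded client_id and client_secret) and section 3.2.1 (client_id and client_secret in the request body). It also addresses Martin's first question in code: a client that presents no client_id at all is classified as anonymous and cannot be checked against any authentication requirement, so the endpoint answers invalid_client rather than guessing.

```python
"""Token-endpoint client classification in the spirit of RFC 6749 s2.1, s2.3.1, s3.2.1.

Added example: the registry, the policy table and all helper names are
assumptions made for illustration, not spec text or any project's code.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

CONFIDENTIAL, PUBLIC, ANONYMOUS = "confidential", "public", "anonymous"


def _h(secret: str) -> str:
    """Store only a SHA-256 digest of each secret, never the clear text (constructed for this example)."""
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed registry: one confidential client with a secret, one public client without.
CLIENTS = {
    "web-app": {"type": CONFIDENTIAL, "secret_hash": _h("s3cr3t-web")},
    "mobile-app": {"type": PUBLIC, "secret_hash": None},
}

# Which client classes each grant type admits at the token endpoint.
# client_credentials is confidential-only per RFC 6749 s4.4; the other rows are
# this example's assumed policy. No grant admits an anonymous client.
GRANT_POLICY = {
    "client_credentials": {CONFIDENTIAL},
    "password": {CONFIDENTIAL, PUBLIC},
    "authorization_code": {CONFIDENTIAL, PUBLIC},
}


def basic_header(client_id: str, secret: str) -> str:
    """Build the Authorization header of s2.3.1: form-urlencode both values, then base64 'id:secret'."""
    pair = f"{quote(client_id, safe='')}:{quote(secret, safe='')}"
    return "Basic " + base64.b64encode(pair.encode()).decode()


def extract_credentials(headers: dict, form: dict):
    """Return (client_id, client_secret) from HTTP Basic or the form body; (None, None) when absent."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            raw = base64.b64decode(auth[6:], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return None, None  # malformed header: treat as no credentials presented
        cid, _, secret = raw.partition(":")
        return unquote(cid), unquote(secret)
    return form.get("client_id"), form.get("client_secret")


def classify_client(headers: dict, form: dict):
    """Return (class, client_id); raise ValueError('invalid_client') when presented credentials fail."""
    cid, secret = extract_credentials(headers, form)
    if not cid:
        return ANONYMOUS, None  # nothing to look up, so nothing to verify
    client = CLIENTS.get(cid)
    if client is None:
        raise ValueError("invalid_client")
    if client["type"] == CONFIDENTIAL:
        # A confidential client MUST authenticate: a missing or wrong secret is a
        # failure, never a silent downgrade to "public".
        if not secret or not hmac.compare_digest(_h(secret), client["secret_hash"]):
            raise ValueError("invalid_client")
        return CONFIDENTIAL, cid
    if secret:
        # A public client was never issued a secret; one showing up is a misconfiguration.
        raise ValueError("invalid_client")
    return PUBLIC, cid


def token_request(headers: dict, form: dict):
    """Return ('ok', class, client_id) or ('error', <RFC 6749 s5.2 error code>, None)."""
    grant = form.get("grant_type")
    if grant not in GRANT_POLICY:
        return ("error", "unsupported_grant_type", None)
    try:
        cls, cid = classify_client(headers, form)
    except ValueError as e:
        return ("error", str(e), None)
    if cls not in GRANT_POLICY[grant]:
        # s5.2: invalid_client covers "no client authentication included";
        # unauthorized_client covers an authenticated client not allowed this grant.
        code = "invalid_client" if cls == ANONYMOUS else "unauthorized_client"
        return ("error", code, None)
    return ("ok", cls, cid)


if __name__ == "__main__":
    print(token_request({"Authorization": basic_header("web-app", "s3cr3t-web")},
                        {"grant_type": "client_credentials"}))
    print(token_request({}, {"grant_type": "client_credentials", "client_id": "mobile-app"}))
    print(token_request({}, {"grant_type": "password"}))
```

The point of the design is in classify_client: the server decides what a client is from its registration, and only checks whatever the client presented against that record. A confidential client that omits its secret is rejected rather than re-classified, and a request with no client_id cannot be matched to any requirement at all, which is exactly the gap Martin's first question points at.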