IETF Logo Mail Archive

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

John Bradley <ve7jtb@ve7jtb.com> Thu, 15 March 2012 10:38 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2D6821F8523 for <oauth@ietfa.amsl.com>; Thu, 15 Mar 2012 03:38:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A4nD-XY-9Tt2 for <oauth@ietfa.amsl.com>; Thu, 15 Mar 2012 03:38:55 -0700 (PDT)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by ietfa.amsl.com (Postfix) with ESMTP id 0EFB921F8532 for <oauth@ietf.org>; Thu, 15 Mar 2012 03:38:54 -0700 (PDT)
Received: by yenm5 with SMTP id m5so3264223yen.31 for <oauth@ietf.org>; Thu, 15 Mar 2012 03:38:54 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer:x-gm-message-state; bh=dfKC+dTx7adxJfwP0o/XoD8yNPg37pLKFfO1faZZVHI=; b=I98aypHwgxnXNyvlMlWsJ5NzHrx//zYFJ83acHQpneUZg2m5TkbPUtwVY1j8hFrOa1 fekzRlI8siFw5nmoVzFdZDquyiF5uOoz3WU92tlBMZv+YSu7T4WDyillp/6/VLdhyMSz FlTS6kbhSk2XSQiPvmNNfjow3IaSIBBWRErYXWmpTDlCs3m3luiSDoOyKqKKICylrWBd zPJKwAme8dLIu6VvTjVofuXtmsAeNSMeChxbwSv97tbKBKGk6SISrxrCsuc3dthKsJgq 0Xr7fd5ReEV4gl5Jj/m+qzYhqwg6hD29Be9KNkeebjoQPFRES9Sh8N70DW0/fV1+Kqrf k+kQ==
Received: by 10.224.33.212 with SMTP id i20mr6882485qad.56.1331807934533; Thu, 15 Mar 2012 03:38:54 -0700 (PDT)
Received: from [10.71.4.224] ([67.201.77.8]) by mx.google.com with ESMTPS id hr2sm558468qab.8.2012.03.15.03.38.43 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 15 Mar 2012 03:38:43 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: multipart/signed; boundary="Apple-Mail=_BCC24B9E-D70C-4CE3-A369-D8F31B72B790"; protocol="application/pkcs7-signature"; micalg="sha1"
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CABzCy2Bi+YvaJiXwsnNPFHXxGDkFSRiMEzKbVi9YD8zF7D8nxg@mail.gmail.com>
Date: Thu, 15 Mar 2012 06:38:42 -0400
Message-Id: <261EEABF-6E72-4D7F-96F2-04C2C0FB5B93@ve7jtb.com>
References: <CAGdjJpLBCyvg21zuGi1jWK58hkDL4Ff7-xdJ0dy0WZpvNPPrKA@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08903@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAAJ++qE3KcFgJey7xXzW8dkTPzvtcu_ke7abkOEMS4hwi93yEg@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08919@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAGdjJpK6dMzSyoxEb_2rQcB-anXzvWaW-PLdYTZW_jECieBSMg@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08932@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4E1F6AAD24975D4BA5B16804296739436641D4E3@TK5EX14MBXC284.redmond.corp.microsoft.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08949@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAAJ++qG+jdej64rjWM8V4MU_uxEc-2WoT4MKqhD_9ef0jBYwgg@mail.gmail.com> <CAC4RtVBzDdeJViT_zOJ4QQQoo4Soy0iJJL_EK5zGd+94J1h7RQ@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF0896E@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CALaySJ+tTmh1jHzn-6g+CSwLWNoq0KQ1HKXD-KdaORZKJwjv6w@mail.gmail.com> <CALaySJL9EphC=L2Dj++9bCcusnOPouQ4vRmuEdDM-6ggURo-fA@mail.gmail.com> <CABzCy2Bi+YvaJ iXwsnNPFHXxGDkFSRiMEzKbVi9YD8zF7D8nxg@mail.gmail.com>
To: Nat Sakimura <sakimura@gmail.com>
X-Mailer: Apple Mail (2.1257)
X-Gm-Message-State: ALoCoQnzTGdg2v5sXoSPfNQ98tdAI8kWNkcZt++LUAE3qjgnPZua3jWZN6gmxaJ55kNEDT3qS+Vw
Cc: Breno de Medeiros <breno@google.com>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Mar 2012 10:38:56 -0000

That seems to cover it.

My problem is that client registration has been treated largely as being out of scope other than some general principals.  We are now adding normative text, but still not specifying mechanisms.

Nat's text allows existing practice with complex clients like Facebook with 'token signed_request'  response_type.   

What exact mechanism one uses to register a confidential vs complex client is still out of scope and a bit of handwaving with a MUST.

John B.
On 2012-03-15, at 5:03 AM, Nat Sakimura wrote:

> 
> So, Eran's first proposal: 
> 
>   A client application consisting of multiple components, each with its
>   own client type (e.g. a distributed client with both a confidential
>   server-based component and a public browser-based component), MUST
>   register each component separately as a different client to ensure
>   proper handling by the authorization server, unless the authorization
>   server provides other registration options to specify such complex clients. 
> 
> kind of meets my concern. There seems to be another issue around the usefulness of return_type in such case raised by Breno, and if I understand it correctly, Eran's answer was that these separate components may have the same client_id so that return_type is a valid parameter to be sent at the request. 
> 
> So, to clarify these, perhaps changing the above text slightly to the following solves the problem? 
> 
>   A client application consisting of multiple components, each with its
>   own client type (e.g. a distributed client with both a confidential
>   server-based component and a public browser-based component), MUST
>   register each component separately as a different client to ensure
>   proper handling by the authorization server, unless the authorization
>   server provides other registration options to specify such complex clients.  
>   Each component MAY have the same client_id, in which case the server 
>   judges the client type and the associated security context  based on 
>   the response_type parameter in the request. 
> 
> Would it solve your problem, Breno? 
> 
> Best, 
> 
> =nat
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email