Re: [OAUTH-WG] [EXTERNAL] Re: Clarifying the scope of the OAuth 2.1 spec

Mike Jones <Michael.Jones@microsoft.com> Mon, 16 March 2020 04:01 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Dick Hardt <dick.hardt@gmail.com>
CC: "aaron@parecki.com" <aaron@parecki.com>, "torsten@lodderstedt.net" <torsten@lodderstedt.net>, "oauth@ietf.org" <oauth@ietf.org>
Date: Mon, 16 Mar 2020 04:01:51 +0000
Message-ID: <MN2PR00MB0688B318D58DF71142285E7EF5F90@MN2PR00MB0688.namprd00.prod.outlook.com>
References: <DM6PR00MB0684B029182673EADC9E0288F5F80@DM6PR00MB0684.namprd00.prod.outlook.com> <CAD9ie-s6BYhFUH0qg=gggRqbEK+RRKNEOm0VTgwS0hduTK5yDw@mail.gmail.com>
In-Reply-To: <CAD9ie-s6BYhFUH0qg=gggRqbEK+RRKNEOm0VTgwS0hduTK5yDw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/CDcNm_q8iNgUDj6BF5NhAWsRRho>
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: Clarifying the scope of the OAuth 2.1 spec
List-Id: OAUTH WG <oauth.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>

I’m glad you like the direction of my comments.  Sometimes saying what you’re *not* doing is as important as saying what you *are* doing, and I think this is such a case.

As an example of why this matters, a developer recently asked me “Would we have to use a different set of endpoints for OAuth 2.1?”  We should clearly scope this work so that the answer is “No, you would use the same endpoints.”

Given that the abstract talks about obsoleting OAuth 2.0, I believe it’s important for the abstract to say what’s being obsoleted, what’s not being obsoleted, and what the relationship of the new spec is to the one(s) it’s obsoleting.  As used in the vernacular by developers, I believe “OAuth 2.0” commonly refers to the set of OAuth 2.0 RFCs approved by this working group, which are the set of (currently 22) RFCs listed at https://datatracker.ietf.org/wg/oauth/documents/ - as well as at least some of the non-RFC specifications that extend OAuth 2.0 via the OAuth registries at https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml, particularly OAuth 2.0 Multiple Response Type Encoding Practices (https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html).  I’m pretty sure you intend that OAuth 2.1 keep using much of that widely deployed work and not replace it.  You should be clear about that.

Since you say that there are new features in OAuth 2.1, what are they and are they essential to the OAuth 2.1 goals?  Or if they’re not essential, could they more profitably be factored into another specification so that the new features can be used with either OAuth 2.0 or OAuth 2.1?  That might make the resulting messaging to developers much clearer.

                                                       Thanks,
                                                       -- Mike

From: Dick Hardt <dick.hardt@gmail.com>
Sent: Sunday, March 15, 2020 6:50 PM
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: aaron@parecki.com; torsten@lodderstedt.net; oauth@ietf.org
Subject: [EXTERNAL] Re: Clarifying the scope of the OAuth 2.1 spec

Hi Mike

I like where you are going with this, but what do we mean when we say OAuth 2.0? Is it RFC 6749? What is the OAuth 2.0 set of protocols?

OAuth 2.1 includes features that are not in RFC 6749, so it is not a subset of that specification.

On Sun, Mar 15, 2020 at 2:34 PM Mike Jones <Michael.Jones@microsoft.com> wrote:
The abstract of draft-parecki-oauth-v2-1 concludes with this text:
   This specification replaces and obsoletes the OAuth 2.0 Authorization Framework described in RFC 6749 (https://tools.ietf.org/html/rfc6749).

While accurate, I don’t believe that this text captures the full intent of the OAuth 2.1 effort – specifically, to be a recommended subset of OAuth 2.0, rather than to introduce incompatible changes to it.  Therefore, I request that these sentences be added to the abstract, to eliminate confusion in the marketplace that might otherwise arise:

    OAuth 2.1 is a compatible subset of OAuth 2.0, removing features that are not currently considered to be best practices.  By design, it does not introduce any new features to what already exists in the OAuth 2.0 set of protocols.

                                                       Thanks,
                                                       -- Mike

P.S.  I assert that any incompatible changes should be proposed as part of the TxAuth effort and not as part of OAuth 2.1.