Re: [OAUTH-WG] OAuth 2.1 - drop implicit flow?

Jared Jennings <jaredljennings@gmail.com> Wed, 18 March 2020 11:14 UTC

From: Jared Jennings <jaredljennings@gmail.com>
Date: Wed, 18 Mar 2020 06:14:21 -0500
Message-ID: <CAMVRk+JCruWcpp96iDVdCpLVo4pZkn312b48L9xbbb0b0BVaAQ@mail.gmail.com>
To: Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>
Cc: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6Ksgm1h-CfsQUfkkhMpLiKkyc2Q>

I agree, but would add that as long as it says "this is being dropped", but
does not impact "that", then the reader can understand context. "This does
not change support for implicit response that OpenID Connect (OIDC) makes
use of".

My two cents.

-Jared
Skype:jaredljennings
Signal:+1 816.730.9540
WhatsApp: +1 816.678.4152


On Thu, Mar 12, 2020 at 1:15 PM Vittorio Bertocci <Vittorio=
40auth0.com@dmarc.ietf.org> wrote:

> Sorry for the delay here.
> From the formal perspective, Torsten's language works for me as well.
> Thanks for taking the feedback into account.
>
> I still worry that without an explicit reference to OIDC
> implicit+form_post, I will have the conversation "but can we still do this
> in OIDC now that implicit has been deprecated in OAuth?" countless times
> with customers, but I'm resigned to that anyway :)
>
>
> On Sat, Mar 7, 2020 at 3:36 PM Brian Campbell <bcampbell=
> 40pingidentity.com@dmarc.ietf.org> wrote:
>
>> Sorry, was replying on my phone on the weekend and trying to keep it
>> quick. I meant that I thought Torsten's suggestion was good.
>>
>> On Sat, Mar 7, 2020, 4:25 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>>> Would you clarify what text works Brian?
>>>
>>> On Sat, Mar 7, 2020 at 3:24 PM Brian Campbell <
>>> bcampbell@pingidentity.com> wrote:
>>>
>>>> Yeah, that works for me.
>>>>
>>>> On Sat, Mar 7, 2020, 9:37 AM Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>
>>>>> Brian: does that meet your requirements?
>>>>>
>>>>> If not, how about if we refer to OIDC as an example extension without
>>>>> saying it is implicit?
>>>>>
>>>>> On Sat, Mar 7, 2020 at 8:29 AM Torsten Lodderstedt <
>>>>> torsten@lodderstedt.net> wrote:
>>>>>
>>>>>> I think keeping the response type as extension point and not
>>>>>> mentioning implicit at all is sufficient to support Brian’s objective.
>>>>>>
>>>>>> On 07.03.2020 at 17:06, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>>>
>>>>>>
>>>>>> How about if we add in a nonnormative reference to OIDC as an
>>>>>> explicit example of an extension:
>>>>>>
>>>>>> "For example, OIDC defines an implicit grant with additional security
>>>>>> features."
>>>>>>
>>>>>> or similar language
>>>>>>
>>>>>> On Sat, Mar 7, 2020 at 5:27 AM Brian Campbell <
>>>>>> bcampbell@pingidentity.com> wrote:
>>>>>>
>>>>>>> The name implicit grant is unfortunately somewhat
>>>>>>> misleading/confusing but, for the case at hand, the extension mechanism
>>>>>>> isn't grant type so much as response type and even response mode.
>>>>>>>
>>>>>>> The perspective shared during the office hours call was,
>>>>>>> paraphrasing as best I can, that there are legitimate uses of implicit
>>>>>>> style flows in OpenID Connect (that likely won't be updated) and it would
>>>>>>> be really nice if this new 2.1 or whatever it's going to be document didn't
>>>>>>> imply that they were disallowed or problematic or otherwise create
>>>>>>> unnecessary FUD or confusion for the large population of existing
>>>>>>> deployments.
>>>>>>>
>>>>>>> On Fri, Feb 28, 2020 at 1:56 PM Dick Hardt <dick.hardt@gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> I'm looking to close out this topic. I heard that Brian and
>>>>>>>> Vittorio shared some points of view in the office hours, and wanted to
>>>>>>>> confirm:
>>>>>>>>
>>>>>>>> + Remove implicit flow from OAuth 2.1 and continue to highlight
>>>>>>>> that grant types are an extension mechanism.
>>>>>>>>
>>>>>>>> For example, if OpenID Connect were to be updated to refer to OAuth
>>>>>>>> 2.1 rather than OAuth 2.0, OIDC could define the implicit grant type with
>>>>>>>> all the appropriate considerations.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Feb 18, 2020 at 10:49 PM Dominick Baier <
>>>>>>>> dbaier@leastprivilege.com> wrote:
>>>>>>>>
>>>>>>>>> No - please get rid of it.
>>>>>>>>>
>>>>>>>>> ———
>>>>>>>>> Dominick Baier
>>>>>>>>>
>>>>>>>>> On 18. February 2020 at 21:32:31, Dick Hardt (dick.hardt@gmail.com)
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> Hey List
>>>>>>>>>
>>>>>>>>> (I'm using the OAuth 2.1 name as a placeholder for the doc that
>>>>>>>>> Aaron, Torsten, and I are working on)
>>>>>>>>>
>>>>>>>>> Given the points Aaron brought up in
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> https://mailarchive.ietf.org/arch/msg/oauth/hXEfLXgEqrUQVi7Qy8X_279DCNU
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Does anyone have concerns with dropping the implicit flow from the
>>>>>>>>> OAuth 2.1 document so that developers don't use it?
>>>>>>>>>
>>>>>>>>> /Dick
>>>>>>>>> _______________________________________________
>>>>>>>>> OAuth mailing list
>>>>>>>>> OAuth@ietf.org
>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>>
>>>>>>>>>
>>>>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>>>>> privileged material for the sole use of the intended recipient(s). Any
>>>>>>> review, use, distribution or disclosure by others is strictly
>>>>>>> prohibited....  If you have received this communication in error, please
>>>>>>> notify the sender immediately by e-mail and delete the message and any file
>>>>>>> attachments from your computer. Thank you.*
>>>>>>
>>>>>>
>>>>>>
>>>
>>>
>>
>
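As an added example (not from this thread or any of its authors), the Python classifier below applies the distinction the thread draws when reviewing authorization requests: a bare response_type=token is the OAuth 2.0 implicit grant being dropped from OAuth 2.1, while id_token-based response types and response_mode=form_post are OIDC's own extension points and are reviewed on OIDC's terms. The PKCE-required and nonce-required checks are assumptions taken from the OAuth 2.1 drafts and OIDC Core rather than from the thread, and the sample URLs are constructed.

```python
from urllib.parse import parse_qs, urlparse


def classify_authz_request(url: str) -> dict:
    """Label an authorization request by its response_type / response_mode.

    Returns {'flow': label, 'response_mode': mode or None, 'findings': [...]}.
    Assumed review rules (not stated in the thread): OAuth 2.1 drafts require
    PKCE (code_challenge) on the code flow, and OIDC Core requires a nonce
    whenever response_type includes id_token.
    """
    q = parse_qs(urlparse(url).query)
    # response_type is space separated ("id_token token"); '+' decodes to space
    rt = set(q.get("response_type", [""])[0].split())
    mode = q.get("response_mode", [None])[0]
    findings = []
    if rt == {"token"}:
        flow = "oauth-implicit"
        findings.append("response_type=token is the OAuth 2.0 implicit grant; "
                        "migrate to code + PKCE")
    elif "id_token" in rt or "token" in rt:
        # OIDC-defined response types: hybrid when a code is also returned
        flow = "oidc-hybrid" if "code" in rt else "oidc-implicit"
        if "id_token" in rt and "nonce" not in q:
            findings.append("id_token requested without nonce (required by OIDC)")
        if "token" in rt and mode != "form_post":
            findings.append("access token returned in the URL fragment; "
                            "use response_mode=form_post or the code flow")
    elif rt == {"code"}:
        flow = "authorization-code"
        if "code_challenge" not in q:
            findings.append("code flow without PKCE (code_challenge missing)")
    else:
        flow = "unknown"
        findings.append("unrecognized response_type: %r" % sorted(rt))
    return {"flow": flow, "response_mode": mode, "findings": findings}


if __name__ == "__main__":
    # Constructed sample requests; hosts and parameter values are placeholders.
    samples = [
        "https://as.example/authorize?response_type=token&client_id=spa",
        "https://op.example/authorize?response_type=id_token&response_mode=form_post"
        "&client_id=rp&scope=openid&nonce=n-0S6_WzA2Mj",
        "https://as.example/authorize?response_type=code&client_id=app"
        "&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256",
    ]
    for s in samples:
        r = classify_authz_request(s)
        print(r["flow"], r["response_mode"], r["findings"])
```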