IETF Logo Mail Archive

[OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

Marius Scurtescu <mscurtescu@google.com> Wed, 14 March 2012 16:53 UTC

Return-Path: <mscurtescu@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02A2221F85B6 for <oauth@ietfa.amsl.com>; Wed, 14 Mar 2012 09:53:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level:
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pmfrquWwi0PQ for <oauth@ietfa.amsl.com>; Wed, 14 Mar 2012 09:53:44 -0700 (PDT)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id DF6FD21F852C for <oauth@ietf.org>; Wed, 14 Mar 2012 09:53:43 -0700 (PDT)
Received: by yhpp34 with SMTP id p34so2323484yhp.31 for <oauth@ietf.org>; Wed, 14 Mar 2012 09:53:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:from:date:message-id:subject:to:cc:content-type :x-system-of-record; bh=Tx/wnuWBEcWnlHJXPolRtZulnLekQjer2ahzvdXKXXw=; b=ZB3fdgYIAzuGV2fjGjjl93cUOAAS5vDMXHM7V29lkAJPS3PtmbVD1nhJjFMtjeuC0/ RHi2hABKEHmVzvuz4chCd9JyBWIcVwbYpiioeC08T0nCMIo8Fr3sD7jtRHkvKd1Mrk5C Q7tORo7apF+OMC8gN4+oKr8zFZNnQUZCgR8TYHFw24m/Lorf/th9pRS3c3aJ4W8KbJnm Tl+1mhX53gDEdOHiSLZXT6vKAlR1fI86CEIaEl7h/TJiPvFailNsf0BX8pZ+0SNBSAYe 7OAScU1LieZZD1Jh7DDkqiM6EJL7akND6s72y/ShGOOtyLWL5ibhiVrSz5IN4QxK/xTl GvWw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:from:date:message-id:subject:to:cc:content-type :x-system-of-record:x-gm-message-state; bh=Tx/wnuWBEcWnlHJXPolRtZulnLekQjer2ahzvdXKXXw=; b=OA9JkFRn3XwlYqhAafHBUMWNxwrgXIZfqw4eO2PyVq0zXXbeBoKxngo1m6JvQkSFm5 RpG6D45qSgAe2m+VLMrLjAgvT60bqGqFg3bVfiP/NlH5XafSqlrcDXxUPgaeKVQQG5NS XeAASoQo0r0t3BIqEWjS8Gk7bEsX7360jcbClnV5IyLOzzjKA5hBHziEEZ7tlFS9/ZZr L3gR+HaefrwURlOrbQ2Q9cS/5I9gf/4nypGZHMeIST3hFedGQsbfs8UTcn9sf5r6dE3h EZ/PzzhNxrrLugzC7PqTpCcIsQbXWlheAa42Gd2bqIqoUGIjwnguR34aek0EgqcfbyUV nK/A==
Received: by 10.236.153.70 with SMTP id e46mr3840091yhk.29.1331744023438; Wed, 14 Mar 2012 09:53:43 -0700 (PDT)
Received: by 10.236.153.70 with SMTP id e46mr3840082yhk.29.1331744023358; Wed, 14 Mar 2012 09:53:43 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.101.164.1 with HTTP; Wed, 14 Mar 2012 09:53:23 -0700 (PDT)
From: Marius Scurtescu <mscurtescu@google.com>
Date: Wed, 14 Mar 2012 09:53:23 -0700
Message-ID: <CAGdjJpLBCyvg21zuGi1jWK58hkDL4Ff7-xdJ0dy0WZpvNPPrKA@mail.gmail.com>
To: OAuth WG <oauth@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
X-System-Of-Record: true
X-Gm-Message-State: ALoCoQmjZx64BHrrEPJEz/tnVgpOqMyYbPcvX1SexjXAfatN67Vgq04z2JK0+VIpByfh0KBTW4RiFGOIKThfDgxFhIff3YGAGyYssoMTGh2nb26FQFaOMK2gAkqSm6fceGW3gxJ3WAx8
Cc: Breno de Medeiros <breno@google.com>
Subject: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Mar 2012 16:53:45 -0000

Hi,

Nat Sakimura started a thread on the OpenID Connect list about a
breaking change introduced by rev 2.3

The paragraph in question is in section 2.1:

"A client application consisting of multiple components, each with its
own client type (e.g. a distributed client with both a confidential
server-based component and a public browser-based component), MUST
register each component separately as a different client to ensure
proper handling by the authorization server.  The authorization
server MAY provider tools to manage such complex clients through a
single administration interface."

http://tools.ietf.org/rfcdiff?difftype=--hwdiff&url2=draft-ietf-oauth-v2-23.txt

You can see the thread here:
http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20120312/001672.html

This paragraph basically prevents response_type=code+token which is
already implemented by many providers and also relied on by OpenID
Connect.

The intent, I think, was to prevent clients from embedding the client
secret meant for a confidential client into a public client.
JavaScript based clients using the token flow do not need the client
secret, so this concern does not apply.

Thoughts?

Thanks,
Marius

v2.23.0 | Report a Bug | By Email