Re: [OAUTH-WG] Your opinion about draft-ideskog-assisted-token

George Fletcher <gffletch@aol.com> Mon, 22 February 2021 17:27 UTC

To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, rfc-ise@rfc-editor.org
Cc: draft-ideskog-assisted-token@ietf.org, oauth <oauth@ietf.org>
References: <1e5f0e825a2580f68c92aa5a1d798090.squirrel@www.rfc-editor.org> <702cf2e8d762ba733becdb5c735f72a9.squirrel@www.rfc-editor.org> <CA+k3eCRAUGoxM=pvHj2p+TUf1iVYfkVMi97oLzVo1rD8CgQzaA@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <5c6fdcdf-47f5-152f-f459-0d61b0527dff@aol.com>
Date: Mon, 22 Feb 2021 12:27:22 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/AkjN43xl0WWJO6rGZ3k2lkAc4RM>
Subject: Re: [OAUTH-WG] Your opinion about draft-ideskog-assisted-token

Hi Adrian,

I agree with Brian that the proposed document directly relates to 
ongoing work in the OAuth working group. Establishing a completely 
different mechanism for supporting Single Page Apps other than what is 
being proposed by the working group will lead to bifurcated 
implementations and potential confusion across the industry. I'd much 
prefer to see the work proposed to be considered for adoption by the 
OAuth working group such that it can go through the normal 
standardization process. This will also ensure that the security best 
practices document will cover any additional mechanisms and keep all 
that work together.

Thanks,
George

On 2/19/21 4:09 PM, Brian Campbell wrote:
> Hi Adrian,
>
> I believe this work was presented briefly to the WG in London during 
> IETF 101. As far as I can recall, the general reaction/thinking at 
> that time was that the WG really should be working on a document about 
> OAuth and single page applications (that may or may not include 
> something like the functionality in draft-ideskog-assisted-token). 
> Since that time the WG adopted and is actively working on 'OAuth 2.0 
> for Browser-Based Apps' 
> https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/
> which is intended as a BCP for single page applications acting as 
> OAuth clients. The prospective BCP details security considerations and 
> best practices around leveraging existing features of OAuth for single 
> page apps. Whereas draft-ideskog-assisted-token introduces a new 
> grant, new authorization server endpoint, and really a whole new 
> interaction model between client and authorization server. Publishing 
> an independent stream RFC that runs contrary to the BCP coming out of 
> the WG does seem potentially harmful.
>
> On Mon, Feb 15, 2021 at 11:59 AM RFC ISE (Adrian Farrel)
> <rfc-ise@rfc-editor.org> wrote:
>
>     Hi OAuth,
>
>     The authors of draft-ideskog-assisted-token [1] have approached me
>     requesting that the draft be published as an Informational RFC in the
>     Independent Submission Stream [2].
>
>     The draft extends the OAuth 2.0 framework to include an additional
>     authorization flow for single page applications called the assisted
>     token flow. It is intended to enable OAuth clients that are written in
>     scripting languages (such as JavaScript) to request user authorization
>     using a simplified method. Communication leverages HTML's iframe
>     element, child windows, and the postMessage interface. This
>     communication is done using an additional endpoint, the assisted token
>     endpoint.
>
>     It is clear to me that this work could be in scope for OAuth and I
>     want to be sure that both:
>     - there is no interest within the WG in pursuing this approach
>     - there is no perceived harm to existing OAuth work if this goes ahead
>
>     I'd appreciate any opinions.
>
>     Many thanks,
>     Adrian
>     --
>     Adrian Farrel (Independent Submissions Editor),
>     rfc-ise@rfc-editor.org
>
>     [1] https://datatracker.ietf.org/doc/draft-ideskog-assisted-token/
>     [2] https://www.rfc-editor.org/about/independent/
>
>
>     --
>     Adrian Farrel (ISE),
>     rfc-ise@rfc-editor.org
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org
>     https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
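The iframe-plus-postMessage token delivery that Adrian's summary describes is the part of the assisted token flow a reviewer would look at first, because postMessage only gives the two windows what they ask for: the sender chooses which origin may receive the message, and the receiver is told which origin sent it. The example below is added here to illustrate that exchange; it is not code from draft-ideskog-assisted-token, from any participant in this thread, or from a real authorization server. The message shape (`type`, `access_token`, `expires_in`), the origins `https://as.example` and `https://app.example`, the client registration table, and the small fake-window model of `postMessage` (which mirrors the browser rule that a message is delivered only when `targetOrigin` is `'*'` or equals the target window's origin) are all assumptions made for illustration; the draft's actual message format is not reproduced.

```javascript
// Added example, not the draft's code. A minimal stand-in for browser windows so the
// exchange can run outside a browser. Real postMessage takes (data, targetOrigin) and
// the browser fills in event.origin from the caller; here the caller is passed as a
// third argument, and the boolean return value is a convenience of this model only.
class FakeWindow {
  constructor(origin) {
    this.origin = origin;      // scheme://host[:port] of the document in this window
    this.parent = null;        // set explicitly; in a browser an iframe gets this for free
    this.listeners = [];
  }
  addEventListener(type, fn) {
    if (type === 'message') this.listeners.push(fn);
  }
  postMessage(data, targetOrigin, source) {
    // Browser rule: the message is dropped unless the target window's origin matches.
    if (targetOrigin !== '*' && targetOrigin !== this.origin) return false;
    for (const fn of this.listeners) fn({ data, origin: source.origin, source });
    return true;
  }
}

// --- Authorization server side (script served at the assisted token endpoint) ---

// Assumed registration table: client_id -> the one origin allowed to receive tokens.
// Using '*' as targetOrigin here would hand the token to whatever page framed us.
const REGISTERED_CLIENTS = { 'spa-client': 'https://app.example' };

function deliverAssistedToken(iframeWindow, clientId, token) {
  const targetOrigin = REGISTERED_CLIENTS[clientId];
  if (!targetOrigin) return false;                       // unknown client: deliver nothing
  const msg = { type: 'assisted-token', access_token: token, expires_in: 3600 }; // assumed shape
  return iframeWindow.parent.postMessage(msg, targetOrigin, iframeWindow);
}

// --- Single page application side (the page that embeds the iframe) ---

function installTokenListener(appWindow, asOrigin, onToken) {
  appWindow.addEventListener('message', (event) => {
    if (event.origin !== asOrigin) return;               // only the AS may hand us tokens
    const d = event.data;
    if (!d || d.type !== 'assisted-token' || typeof d.access_token !== 'string') return;
    onToken(d.access_token);
  });
}

// Three constructed scenarios: a legitimate delivery, an attempt to obtain a token by
// framing the endpoint from another origin, and a forged token message from a hostile
// frame sitting on the application's own page.
function runScenario() {
  const app = new FakeWindow('https://app.example');
  const received = [];
  installTokenListener(app, 'https://as.example', (t) => received.push(t));

  // 1. AS iframe whose parent is the registered client: delivered.
  const asFrame = new FakeWindow('https://as.example');
  asFrame.parent = app;
  const ok = deliverAssistedToken(asFrame, 'spa-client', 'tok-legit');

  // 2. A page on another origin frames the endpoint: targetOrigin mismatch, dropped.
  const evil = new FakeWindow('https://evil.example');
  const evilFrame = new FakeWindow('https://as.example');
  evilFrame.parent = evil;
  const leaked = deliverAssistedToken(evilFrame, 'spa-client', 'tok-secret');

  // 3. A hostile iframe posts a fake token to the app: wrong event.origin, ignored.
  const hostile = new FakeWindow('https://evil.example');
  app.postMessage({ type: 'assisted-token', access_token: 'tok-forged' }, '*', hostile);

  return { ok, leaked, received };
}

console.log(JSON.stringify(runScenario()));
```

Both checks are needed: without the explicit `targetOrigin` on the server side, scenario 2 would leak the token to any embedding page, and without the `event.origin` test on the client side, scenario 3 would let any frame on the page inject a token of its choosing. A real deployment would additionally tie the delivery to the specific iframe it created (`event.source`) and to a request it actually issued.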