Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps and response_type/fragment

Aaron Parecki <aaron@parecki.com> Sat, 08 December 2018 18:58 UTC

References: <6d88c55a-a300-47ff-af77-8fdb7dcfbc25@getmailbird.com> <CAGBSGjrj95i97mVDJq7jDA0DsLH-NasiH+E0nqc+6XjL-mnt4Q@mail.gmail.com> <c33d0aef-bc34-4daa-8bc9-8252780f4e69@getmailbird.com>
In-Reply-To: <c33d0aef-bc34-4daa-8bc9-8252780f4e69@getmailbird.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Sat, 08 Dec 2018 10:57:52 -0800
Message-ID: <CAGBSGjqQPRUe+AhzoRcTGf5MTOATd-875JG90RcRQ+2Hoy2wyg@mail.gmail.com>
To: Brock Allen <brockallen@gmail.com>
Cc: OAuth WG <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/B-JmFBDWIAEN7Avg8Pr7fvHVN9o>

Do you know of anyone currently doing this today in an OAuth-only
application?

If the group wanted to take some existing OIDC mechanisms and apply them to
OAuth, I feel like that needs to happen in a separate RFC, and that's a
much bigger discussion. This BCP shouldn't really be defining new behavior.
It's similar to how "OAuth 2.0 for Mobile and Native Apps" is not where
PKCE is defined; PKCE has its own RFC.

- Aaron



On Sat, Dec 8, 2018 at 10:33 AM Brock Allen <brockallen@gmail.com> wrote:

> For the same reason the implicit flow uses it -- to reduce exposure of the
> response params. I know the code is protected with the code_verifier, but
> it wouldn't hurt to reduce its exposure, no?
>
> -Brock
>
> On 12/8/2018 1:23:41 PM, Aaron Parecki <aaron@parecki.com> wrote:
> What would be the benefit of using this response type? Are you aware of
> any OAuth (not OIDC) clients that do this today?
>
> - Aaron
>
>
> On Sat, Dec 8, 2018 at 7:29 AM Brock Allen <brockallen@gmail.com> wrote:
>
>> Should the BCP suggest using OIDC's response_type=fragment as the
>> mechanism for returning the code from the AS? Or simply suggest using the
>> fragment component of the redirect_uri for the code, without a
>> response_type parameter (IOW don't allow it to be dynamic)?
>>
>> -Brock
>>
>
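The following is an added example, not code from the thread or from the draft BCP. It illustrates the exposure difference Brock raises: an authorization code carried in the fragment component of the redirect URI never leaves the browser, whereas one carried in the query component is sent to the app's origin server and can leak through logs and Referer headers. The redirect URLs, the `state` value and the `app.example` host are constructed sample values; the function names are this example's own.

```javascript
// Added example (not from the thread): parse an OAuth authorization response
// delivered either in the query or in the fragment of the redirect URI, and
// show what an HTTP request for that URI would carry in each case.

// Parse the authorization response from a redirect URI. Returns the response
// parameters and where they were carried ('query' or 'fragment'). If both are
// present the fragment wins, because that is where a fragment-mode AS puts them.
function parseAuthorizationResponse(redirectedUrl) {
  const url = new URL(redirectedUrl);
  const fragment = url.hash.startsWith('#') ? url.hash.slice(1) : url.hash;
  if (fragment.length > 0) {
    return { source: 'fragment', params: new URLSearchParams(fragment) };
  }
  return { source: 'query', params: url.searchParams };
}

// Validate the response against the state stored before the redirect and
// return the code. Throws on an error response, a state mismatch, or a missing
// code. The code is still bound to the PKCE code_verifier at the token
// endpoint; this only decides whether the client accepts the redirect at all.
function extractCode(redirectedUrl, expectedState) {
  const { params, source } = parseAuthorizationResponse(redirectedUrl);
  if (params.has('error')) {
    throw new Error('authorization error: ' + params.get('error'));
  }
  const state = params.get('state');
  if (!state || state !== expectedState) {
    throw new Error('state mismatch');
  }
  const code = params.get('code');
  if (!code) {
    throw new Error('missing code');
  }
  return { code, source };
}

// What the request line of a GET for this URI carries: origin, path and query.
// Browsers never send the fragment, so a code placed there is not seen by the
// server hosting the redirect_uri, nor by any Referer the page later emits.
function whatTheServerSees(redirectedUrl) {
  const url = new URL(redirectedUrl);
  return url.origin + url.pathname + url.search;
}

// After the response has been consumed, the URL the app should leave in the
// address bar and history (to use with history.replaceState in a real app),
// with both the query and the fragment stripped so the code does not linger.
function scrubbedUrl(redirectedUrl) {
  const url = new URL(redirectedUrl);
  url.search = '';
  url.hash = '';
  return url.toString();
}

// Constructed sample redirects (same code and state, different carriers).
const SAMPLE_FRAGMENT_REDIRECT =
  'https://app.example/cb#code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj';
const SAMPLE_QUERY_REDIRECT =
  'https://app.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj';
```

Running `whatTheServerSees` on the two sample URLs makes the point concretely: the query form hands the code to the server in the request line, the fragment form does not. In a browser the app would call `extractCode(window.location.href, storedState)` and then `history.replaceState(null, '', scrubbedUrl(window.location.href))` before exchanging the code with its code_verifier.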