IETF Logo Mail Archive

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt

Nat Sakimura <sakimura@gmail.com> Thu, 24 July 2014 12:29 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D7521A0243 for <oauth@ietfa.amsl.com>; Thu, 24 Jul 2014 05:29:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iL_BjaDj5lFC for <oauth@ietfa.amsl.com>; Thu, 24 Jul 2014 05:29:17 -0700 (PDT)
Received: from mail-la0-x229.google.com (mail-la0-x229.google.com [IPv6:2a00:1450:4010:c03::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9718D1A023E for <oauth@ietf.org>; Thu, 24 Jul 2014 05:29:16 -0700 (PDT)
Received: by mail-la0-f41.google.com with SMTP id s18so1866819lam.0 for <oauth@ietf.org>; Thu, 24 Jul 2014 05:29:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=6GCHw35DX1mhTf60yXSUKxTuQDgniS1FgrdU5cHOlcE=; b=0ZxEgJ9tRA7NnTXJ7UshwzOSzM8DPpZlZB/4wQreikrnOkATQfA+EpnokefNBkTTQT gcg6pxaV/uZapmD21CGZ9OKogT41Jj33wza6EhqRIobzAFBnua2kWMGDJAThq10H/oYd NdW70CHG3tbBQ9/ZrVh9ZUuWGlbp7J93KuHU6uIwGg4pLuJVPGIxKbdBD5J/OCzoGZga AuoeBj/ftjeQl99pLx+NsDVbZYXShm5sKzouaJ7LGusz9m5ItrMxMKcgajrw5O7M2Vdr U1vXnkrBlOWUUqU8cpNdiixfiRVPaTKLC1Yfl9I0de2xGNmkQtDTJPBDpMyAkQol3RM8 vZKg==
MIME-Version: 1.0
X-Received: by 10.112.155.129 with SMTP id vw1mr8619712lbb.7.1406204954397; Thu, 24 Jul 2014 05:29:14 -0700 (PDT)
Received: by 10.112.150.233 with HTTP; Thu, 24 Jul 2014 05:29:14 -0700 (PDT)
In-Reply-To: <1E5B5066-E619-4965-B941-62C2CD72A37E@ve7jtb.com>
References: <201407221830.s6MIUYrf031075@outgoing.mit.edu> <CABzCy2CxNQ2d3=m9Bvc0+k6ikqZkwb940HwskvnAGvKoGnteSw@mail.gmail.com> <DE16B8D3-3590-45B3-BE08-D1A7CF9EF0FB@oracle.com> <CABzCy2B_iB1ZBskFJObKJjnftEH1STVyhx1-AE6Chrj76-se8g@mail.gmail.com> <F7F8C65F-C805-4C29-86F0-1835B7A80E3F@oracle.com> <4E1F6AAD24975D4BA5B16804296739439ADDD8F2@TK5EX14MBXC294.redmond.corp.microsoft.com> <CAEayHEM4SAM_2DwF8ceC4sen++o7azZnP16xDR8EodqSkxFajA@mail.gmail.com> <04E6EF5C-F36C-4987-9BA6-AF92408EEFCE@mitre.org> <CAEayHENPDasnJ8JBgxRuZSkcWg3+=1g6gOJzodWAJtHqMmc_Ww@mail.gmail.com> <CABzCy2CWN81to7nAtxsnCjSiXFhzh+iOu-2zyg+cjfCSgQZqbQ@mail.gmail.com> <2cc10b23a4238ec0c76087b09d1d290a@lodderstedt.net> <6859A770-F6D2-4481-BD5F-2E73779BC745@ve7jtb.com> <4E1F6AAD24975D4BA5B16804296739439ADDE116@TK5EX14MBXC294.redmond.corp.microsoft.com> <CABzCy2Ar_pJt30ctP6hQ47rpSUGMh-+rrYssWe+XFNY73dA_YQ@mail.gmail.com> <CAEayHENLvazYAcu==_3CM9x91DDqhHngtSarm4_qBu5Zf_-ipw@mail.gmail.com> <CAEayHENtujNPbVFYjO3iCN43RV3AWdxKFrX4qhDgMwKz6VtGhw@mail.gmail.com> <B3031E2C-8F1E-4DEC-B739-2F2FFC349D39@lodderstedt.net> <B86C4C6C-AC24-45DF-A3B4-F8D1A88BC64A@ve7jtb.com> <d4b20f338a298530b4a3430386502d25@lodderstedt.net> <1E5B5066-E619-4965-B941-62C2CD72A37E@ve7jtb.com>
Date: Thu, 24 Jul 2014 08:29:14 -0400
Message-ID: <CABzCy2Dmms4MGTsuQkzu3uQGChLtNDKQREo1_S7UwfaW3hQnqA@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary="089e01183046c9d66604feef9a86"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Bor_SS7juq_pZcpaNIxjAZPH9bM
Cc: "oauth@ietf.org list" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jul 2014 12:29:23 -0000

And here is a quote from Ian's blog.

And although the authentication wheel is round, that doesn’t mean it isn’t
> without its lumps. First, we do see some reinventing the wheel just to
> reinvent the wheel. OAuth A4C is simply not a fruitful activity and should
> be put down.



> (Source)
> http://www.tuesdaynight.org/2014/07/23/do-we-have-a-round-wheel-yet-musings-on-identity-standards-part-1.html



2014-07-23 16:53 GMT-04:00 John Bradley <ve7jtb@ve7jtb.com>:

> I thought I did post this to the list.
>
> I guess I hit the wrong reply on my phone.
>
> John B.
> Sent from my iPhone
>
> On Jul 23, 2014, at 4:50 PM, torsten@lodderstedt.net wrote:
>
> we are two, at least :-)
>
> Why didn't you post this on the list?
>
> When will be be arriving?
>
> Am 23.07.2014 16:39, schrieb John Bradley:
>
> Ian Glazer mentioned this in his keynote at CIS yesterday.
>
> His advice was please stop,  we are creating confusion and uncertainty.
>
> We are becoming our own wort enemy. ( my view though Ian may share it)
>
> Returning just an id_ token from the token endpoint has little real value.
>
> Something really useful to do would be sorting out channel_id so we can do
> PoP for id tokens to make them and other cookies secure in the front
> channel.   I think that is a better use of time.
>
> I may be in the minority opinion on that,  it won't be the first time.
>
>
> John B.
> Sent from my iPhone
>
> On Jul 23, 2014, at 4:04 PM, Torsten Lodderstedt <torsten@lodderstedt.net>
> wrote:
>
>  You are right from a theoretical perspective. Practically this was
> caused by editorial decisions during the creation of the RFC. As far as I
> remember, there was a definition of the (one) token endpoint response in
> early versions. No one every considered to NOT respond with an access token
> from the token endpoint. So one might call it an implicit assumption.
>
> I'm worried that people get totally confused if an exception is introduced
> now given the broad adoption of OAuth based on this assumption.
>
> regards,
> Torsten.
>
> Am 23.07.2014 um 15:41 schrieb Thomas Broyer <t.broyer@gmail.com>:
>
>  Is it said anywhere that ALL grant types MUST use Section 5.1 responses?
> Each grant type references Section 5.1, and "access token request" is only
> defined in the context of the defined grant types. Section 2.2 doesn't talk
> about the request or response format.
> Le 23 juil. 2014 21:32, "Nat Sakimura" <sakimura@gmail.com> a écrit :
>
>> Is it? Apart from the implicit grant that does not use token endpoint,
>> all other grant references section 5.1 for the response, i.e., all shares
>> the same response.
>>
>>
>> 2014-07-23 15:18 GMT-04:00 Thomas Broyer <t.broyer@gmail.com>:
>>
>>> I hadn't realized the JSON response that requires the access_token field
>>> is defined per grant_type, so I'd be OK to "extend the semantics" as in the
>>> current draft.
>>> That was actually my main concern: that the token endpoint mandates
>>> access_token; but its actually not the case.
>>> Le 23 juil. 2014 20:46, "Nat Sakimura" <sakimura@gmail.com> a écrit :
>>>
>>>  I agree with John that overloading response_type @ authz endpoint is a
>>>> bad idea. It completely changes the semantics of this parameter. NOTE: what
>>>> I was proposing was not this parameter, but a new parameter response_type @
>>>> token endpoint.
>>>>
>>>> I also think overloading grant_type is a bad idea since it changes its
>>>> semantics. I quote the definition here again:
>>>>
>>>>  grant
>>>>     credential representing the resource owner's authorization
>>>>
>>>> grant_type
>>>>  type of grant sent to the token endpoint to obtain the access token
>>>>
>>>> It is not about controlling what is to be returned from the token
>>>> endpoint, but the hint to the token endpoint describing the type of
>>>> credential the endpoint has received. It seems the "control of what is
>>>> being returned from token endpoint"  is just a side effect.
>>>>
>>>> I am somewhat ambivalent[1] in changing the semantics of token
>>>> endpoint, but in as much as "text is the king" for a spec., we probably
>>>> should not change the semantics of it as Torsten points out. If it is ok to
>>>> change this semantics, I believe defining a new parameter to this endpoint
>>>> to control the response would be the best way to go. This is what I have
>>>> described previously.
>>>>
>>>> Defining a new endpoint to send code to get ID Token and forbidding the
>>>> use of it against token endpoint would not change the semantics of any
>>>> existing parameter or endpoint, which is good. However, I doubt if it is
>>>> not worth doing. What's the point of avoiding access token scoped to
>>>> UserInfo endpoint after all? Defining a new endpoint for just avoiding the
>>>> access token for userinfo endpoint seems way too much the heavy wait way
>>>> and it breaks interoperabiliy: it defeats the purpose of standardization.
>>>>
>>>> I have started feeling that no change is the best way out.
>>>>
>>>> Nat
>>>>
>>>> [1]  If instead of saying "Token endpoint - used by the client to
>>>> exchange an authorization grant for an access token, typically with
>>>> client authentication", it were saying "Token endpoint - used by the
>>>> client to exchange an authorization grant for tokens, typically with
>>>> client authentication", then it would have been OK. It is an expansion of
>>>> the capability rather than changing the semantics.
>>>>
>>>>
>>>>
>>>> 2014-07-23 13:39 GMT-04:00 Mike Jones <Michael.Jones@microsoft.com>:
>>>>
>>>>>  You need the alternative response_type value ("code_for_id_token" in
>>>>> the A4C draft) to tell the Authorization Server to return a code to be used
>>>>> with the new grant type, rather than one to use with the
>>>>> "authorization_code" grant type (which is what response_type=code does).
>>>>>
>>>>>
>>>>>
>>>>> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *John
>>>>> Bradley
>>>>> *Sent:* Wednesday, July 23, 2014 10:33 AM
>>>>> *To:* torsten@lodderstedt.net
>>>>>
>>>>> *Cc:* oauth@ietf.org
>>>>> *Subject:* Re: [OAUTH-WG] New Version Notification for
>>>>> draft-hunt-oauth-v2-user-a4c-05.txt
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> If we use the token endpoint then a new grant_type is the best way.
>>>>>
>>>>>
>>>>>
>>>>> It sort of overloads code, but that is better than messing with
>>>>> response_type for the authorization endpoint to change the response from
>>>>> the token_endpoint.  That is in my opinion a champion bad idea.
>>>>>
>>>>>
>>>>>
>>>>> In discussions developing Connect we decided not to open this can of
>>>>> worms because no good would come of it.
>>>>>
>>>>>
>>>>>
>>>>> The token_endpoint returns a access token.  Nothing requires scope to
>>>>> be associates with the token.
>>>>>
>>>>>
>>>>>
>>>>> That is the best solution.  No change required.  Better
>>>>> interoperability in my opinion.
>>>>>
>>>>>
>>>>>
>>>>> Still on my way to TO, getting in later today.
>>>>>
>>>>>
>>>>>
>>>>> John B.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Sent from my iPhone
>>>>>
>>>>>
>>>>> On Jul 23, 2014, at 12:15 PM, torsten@lodderstedt.net wrote:
>>>>>
>>>>>  The "response type" of the token endpoint is controlled by the value
>>>>> of the parameter "grant_type". So there is no need to introduce a new
>>>>> parameter.
>>>>>
>>>>> wrt to a potential "no_access_token" grant type. I do not consider
>>>>> this a good idea as it changes the semantics of the token endpoint (as
>>>>> already pointed out by Thomas). This endpoint ALWAYS responds with an
>>>>> access token to any grant type. I therefore would prefer to use another
>>>>> endpoint for the intended purpose.
>>>>>
>>>>> regards,
>>>>> Torsten.
>>>>>
>>>>>
>>>>>
>>>>> Am 23.07.2014 13:04, schrieb Nat Sakimura:
>>>>>
>>>>>  IMHO, changing the semantics of "response_type" @ authz endpoint
>>>>> this way is not a good thing.
>>>>>
>>>>>
>>>>>
>>>>> Instead, defining a new parameter "response_type" @ token endpoint, as
>>>>> I described in my previous message,
>>>>>
>>>>> probably is better. At least, it does not change the semantics of the
>>>>> parameters of RFC6749.
>>>>>
>>>>>
>>>>>
>>>>>  Nat
>>>>>
>>>>>
>>>>>
>>>>> 2014-07-23 12:48 GMT-04:00 Thomas Broyer <t.broyer@gmail.com>:
>>>>>
>>>>> No, I mean response_type=none and response_type=id_token don't
>>>>> generate a code or access token so you don't use the Token Endpoint (which
>>>>> is not the same as the Authentication Endpoint BTW).
>>>>>
>>>>> With response_type=code_for_id_token, you get a code and exchange it
>>>>> for an id_token only, rather than an access_token, so you're changing the
>>>>> semantics of the Token Endpoint.
>>>>>
>>>>>
>>>>>
>>>>> I'm not saying it's a bad thing, just that you can't really compare
>>>>> none and id_token with code_for_id_token.
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Jul 23, 2014 at 6:45 PM, Richer, Justin P. <jricher@mitre.org>
>>>>> wrote:
>>>>>
>>>>> It's only "not using the token endpoint" because the token endpoint
>>>>> copy-pasted and renamed the authentication endpoint.
>>>>>
>>>>>
>>>>>
>>>>>  -- Justin
>>>>>
>>>>>
>>>>>
>>>>> On Jul 23, 2014, at 9:30 AM, Thomas Broyer <t.broyer@gmail.com> wrote:
>>>>>
>>>>>
>>>>>
>>>>>  Except that these are about not using the Token Endpoint at all,
>>>>> whereas the current proposal is about the Token Endpoint not returning an
>>>>> access_token field in the JSON.
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Jul 23, 2014 at 4:26 PM, Mike Jones <
>>>>> Michael.Jones@microsoft.com> wrote:
>>>>>
>>>>> The response_type "none" is already used in practice, which returns no
>>>>> access token.  It was accepted by the designated experts and registered in
>>>>> the IANA OAuth Authorization Endpoint Response Types registry at
>>>>> http://www.iana.org/assignments/oauth-parameters/oauth-parameters.xml#endpoint.
>>>>> The registered "id_token" response type also returns no access token.
>>>>>
>>>>>
>>>>>
>>>>> So I think the question of whether response types that result in no
>>>>> access token being returned are acceptable within OAuth 2.0 is already
>>>>> settled, as a practical matter.  Lots of OAuth implementations are already
>>>>> using such response types.
>>>>>
>>>>>
>>>>>
>>>>>                                                             -- Mike
>>>>>
>>>>>
>>>>>
>>>>> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Phil Hunt
>>>>> *Sent:* Wednesday, July 23, 2014 7:09 AM
>>>>> *To:* Nat Sakimura
>>>>> *Cc:* <oauth@ietf.org>
>>>>> *Subject:* Re: [OAUTH-WG] New Version Notification for
>>>>> draft-hunt-oauth-v2-user-a4c-05.txt
>>>>>
>>>>>
>>>>>
>>>>> Yes. This is why it has to be discussed in the IETF.
>>>>>
>>>>>
>>>>>
>>>>> Phil
>>>>>
>>>>>
>>>>>
>>>>> @independentid
>>>>>
>>>>> www.independentid.com
>>>>>
>>>>> phil.hunt@oracle.com
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Jul 23, 2014, at 9:43 AM, Nat Sakimura <sakimura@gmail.com> wrote:
>>>>>
>>>>>
>>>>>
>>>>> Reading back the RFC6749, I am not sure if there is a good way of
>>>>> suppressing access token from the response and still be OAuth. It will
>>>>> break whole bunch of implicit definitions like:
>>>>>
>>>>>
>>>>>
>>>>> authorization server
>>>>>       The server issuing access tokens to the client after successfully
>>>>>       authenticating the resource owner and obtaining authorization.
>>>>>
>>>>>
>>>>>
>>>>> After all, OAuth is all about issuing access tokens.
>>>>>
>>>>>
>>>>>
>>>>> Also, I take back my statement on the grant type in my previous mail.
>>>>>
>>>>>
>>>>>
>>>>> The definition of grant and grant_type are respectively:
>>>>>
>>>>>
>>>>>
>>>>> grant
>>>>>
>>>>>     credential representing the resource owner's authorization
>>>>>
>>>>>
>>>>>
>>>>> grant_type
>>>>>
>>>>>     (string representing the) type of grant sent to the token endpoint
>>>>> to obtain the access token
>>>>>
>>>>>
>>>>>
>>>>> Thus, the grant sent to the token endpoint in this case is still
>>>>> 'code'.
>>>>>
>>>>>
>>>>>
>>>>> Response type on the other hand is not so well defined in RFC6749, but
>>>>> it seems it is representing what is to be returned from the authorization
>>>>> endpoint. To express what is to be returned from token endpoint, perhaps
>>>>> defining a new parameter to the token endpoint, which is a parallel to the
>>>>> response_type to the Authorization Endpoint seems to be a more symmetric
>>>>> way, though I am not sure at all if that is going to be OAuth any more. One
>>>>> straw-man is to define a new parameter called response_type to the token
>>>>> endpoint such as:
>>>>>
>>>>>
>>>>>
>>>>> response_type
>>>>>
>>>>>     OPTIONAL. A string representing what is to be returned from the
>>>>> token endpoint.
>>>>>
>>>>>
>>>>>
>>>>> Then define the behavior of the endpoint according to the values as
>>>>> the parallel to the multi-response type spec.
>>>>>
>>>>> http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html
>>>>>
>>>>>
>>>>>
>>>>> Nat
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> 2014-07-23 7:21 GMT-04:00 Phil Hunt <phil.hunt@oracle.com>:
>>>>>
>>>>> The draft is very clear.
>>>>>
>>>>> Phil
>>>>>
>>>>>
>>>>> On Jul 23, 2014, at 0:46, Nat Sakimura <sakimura@gmail.com> wrote:
>>>>>
>>>>>  The new grant type that I was talking about was
>>>>>
>>>>> "authorization_code_but_do_not_return_access_nor_refresh_token", so to
>>>>> speak.
>>>>>
>>>>> It does not return anything per se, but an extension can define
>>>>> something on top of it.
>>>>>
>>>>>
>>>>>
>>>>> Then, OIDC can define a binding to it so that the binding only returns
>>>>> ID Token.
>>>>>
>>>>> This binding work should be done in OIDF. Should there be such a grant
>>>>> type,
>>>>>
>>>>> it will be an extremely short spec.
>>>>>
>>>>>
>>>>>
>>>>> At the same time, if any other specification wanted to define
>>>>>
>>>>> other type of tokens and have it returned from the token endpoint,
>>>>>
>>>>> it can also use this grant type.
>>>>>
>>>>>
>>>>>
>>>>> If what you want is to define a new grant type that returns ID Token
>>>>> only,
>>>>>
>>>>> then, I am with Justin. Since "other response than ID Token" is only
>>>>>
>>>>> theoretical, this is a more plausible way forward, I suppose.
>>>>>
>>>>>
>>>>>
>>>>> Nat
>>>>>
>>>>>
>>>>>
>>>>> 2014-07-22 14:30 GMT-04:00 Justin Richer <jricher@mit.edu>:
>>>>>
>>>>> So the draft would literally turn into:
>>>>>
>>>>> "The a4c response type and grant type return an id_token from the
>>>>> token endpoint with no access token. All parameters and values are defined
>>>>> in OIDC."
>>>>>
>>>>> Seems like the perfect mini extension draft for OIDF to do.
>>>>>
>>>>> --Justin
>>>>>
>>>>> /sent from my phone/
>>>>>
>>>>>
>>>>> On Jul 22, 2014 10:29 AM, Nat Sakimura <sakimura@gmail.com> wrote:
>>>>> >
>>>>> > What about just defining a new grant type in this WG?
>>>>> >
>>>>> >
>>>>> > 2014-07-22 12:56 GMT-04:00 Phil Hunt <phil.hunt@oracle.com>:
>>>>> >>
>>>>> >> That would be nice. However oidc still needs the new grant type in
>>>>> order to implement the same flow.
>>>>> >>
>>>>> >> Phil
>>>>> >>
>>>>> >> On Jul 22, 2014, at 11:35, Nat Sakimura <sakimura@gmail.com> wrote:
>>>>> >>
>>>>> >>> +1 to Justin.
>>>>> >>>
>>>>> >>>
>>>>> >>> 2014-07-22 9:54 GMT-04:00 Richer, Justin P. <jricher@mitre.org>:
>>>>> >>>>
>>>>> >>>> Errors like these make it clear to me that it would make much
>>>>> more sense to develop this document in the OpenID Foundation. It should be
>>>>> something that directly references OpenID Connect Core for all of these
>>>>> terms instead of redefining them. It's doing authentication, which is
>>>>> fundamentally what OpenID Connect does on top of OAuth, and I don't see a
>>>>> good argument for doing this work in this working group.
>>>>> >>>>
>>>>> >>>>  -- Justin
>>>>> >>>>
>>>>> >>>> On Jul 22, 2014, at 4:30 AM, Thomas Broyer <t.broyer@gmail.com>
>>>>> wrote:
>>>>> >>>>
>>>>> >>>>>
>>>>> >>>>>
>>>>> >>>>>
>>>>> >>>>> On Mon, Jul 21, 2014 at 11:52 PM, Mike Jones <
>>>>> Michael.Jones@microsoft.com> wrote:
>>>>> >>>>>>
>>>>> >>>>>> Thanks for your review, Thomas.  The "prompt=consent"
>>>>> definition being missing is an editorial error.  It should be:
>>>>> >>>>>>
>>>>> >>>>>>
>>>>> >>>>>>
>>>>> >>>>>> consent
>>>>> >>>>>>
>>>>> >>>>>> The Authorization Server SHOULD prompt the End-User for consent
>>>>> before returning information to the Client. If it cannot obtain consent, it
>>>>> MUST return an error, typically consent_required.
>>>>> >>>>>>
>>>>> >>>>>>
>>>>> >>>>>>
>>>>> >>>>>> I'll plan to add it in the next draft.
>>>>> >>>>>
>>>>> >>>>>
>>>>> >>>>> It looks like the consent_required error needs to be defined
>>>>> too, and you might have forgotten to also import account_selection_required
>>>>> from OpenID Connect.
>>>>> >>>>>
>>>>> >>>>>>
>>>>> >>>>>>
>>>>> >>>>>>
>>>>> >>>>>> I agree that there's no difference between a response with
>>>>> multiple "amr" values that includes "mfa" and one that doesn't.  Unless a
>>>>> clear use case for why "mfa" is needed can be identified, we can delete it
>>>>> in the next draft.
>>>>> >>>>>
>>>>> >>>>>
>>>>> >>>>> Thanks.
>>>>> >>>>>
>>>>> >>>>> How about "pwd" then? I fully understand that I should return
>>>>> "pwd" if the user authenticated using a password, but what "the service if
>>>>> a client secret is used" means in the definition for the "pwd" value?
>>>>> >>>>>
>>>>> >>>>> (Nota: I know you're at IETF-90, I'm ready to wait 'til you come
>>>>> back ;-) )
>>>>> >>>>>
>>>>> >>>>> --
>>>>> >>>>> Thomas Broyer
>>>>> >>>>> /tɔ.ma.bʁwa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>
>>>>> >>>>> _______________________________________________
>>>>> >>>>> OAuth mailing list
>>>>> >>>>> OAuth@ietf.org
>>>>> >>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>> >>>>
>>>>> >>>>
>>>>> >>>>
>>>>> >>>> _______________________________________________
>>>>> >>>> OAuth mailing list
>>>>> >>>> OAuth@ietf.org
>>>>> >>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>> >>>>
>>>>> >>>
>>>>> >>>
>>>>> >>>
>>>>> >>> --
>>>>> >>> Nat Sakimura (=nat)
>>>>> >>> Chairman, OpenID Foundation
>>>>> >>> http://nat.sakimura.org/
>>>>> >>> @_nat_en
>>>>> >>>
>>>>> >>> _______________________________________________
>>>>> >>> OAuth mailing list
>>>>> >>> OAuth@ietf.org
>>>>> >>> https://www.ietf.org/mailman/listinfo/oauth
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> > --
>>>>> > Nat Sakimura (=nat)
>>>>> > Chairman, OpenID Foundation
>>>>> > http://nat.sakimura.org/
>>>>> > @_nat_en
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Nat Sakimura (=nat)
>>>>>
>>>>> Chairman, OpenID Foundation
>>>>> http://nat.sakimura.org/
>>>>> @_nat_en
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Nat Sakimura (=nat)
>>>>>
>>>>> Chairman, OpenID Foundation
>>>>> http://nat.sakimura.org/
>>>>> @_nat_en
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Thomas Broyer
>>>>> /tɔ.ma.bʁwa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Thomas Broyer
>>>>> /tɔ.ma.bʁwa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Nat Sakimura (=nat)
>>>>>
>>>>> Chairman, OpenID Foundation
>>>>> http://nat.sakimura.org/
>>>>> @_nat_en
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>>
>>>>> OAuth mailing list
>>>>>
>>>>> OAuth@ietf.org
>>>>>
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>  _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Nat Sakimura (=nat)
>>>> Chairman, OpenID Foundation
>>>> http://nat.sakimura.org/
>>>> @_nat_en
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>>
>>
>>
>> --
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>>
>   _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>   _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

v2.23.0 | Report a Bug | By Email