Re: [OAUTH-WG] OAuth 2.1 - drop implicit flow?

Dick Hardt <dick.hardt@gmail.com> Fri, 28 February 2020 20:56 UTC

References: <CAD9ie-u+egKriB1nvm9CtvFgp4cY1j6sNykGVuTTpsyvR5hA2Q@mail.gmail.com> <CAO7Ng+tUPVfVXQs5MpnO4z5F25WimX-1qeCmLQfrD0Yhbj-ysA@mail.gmail.com>
In-Reply-To: <CAO7Ng+tUPVfVXQs5MpnO4z5F25WimX-1qeCmLQfrD0Yhbj-ysA@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Fri, 28 Feb 2020 12:56:03 -0800
Message-ID: <CAD9ie-v9bvU0s72N0RoHY6y0uwJPK9cCSNCDV2khhD+jveCdHQ@mail.gmail.com>
To: Dominick Baier <dbaier@leastprivilege.com>
Cc: oauth@ietf.org, Brian Campbell <bcampbell@pingidentity.com>, Vittorio Bertocci <Vittorio@auth0.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/CzEZ_2stmQXtDNDfuyo0lbhrUkQ>
Subject: Re: [OAUTH-WG] OAuth 2.1 - drop implicit flow?

I'm looking to close out this topic. I heard that Brian and Vittorio shared
some points of view in the office hours, and wanted to confirm:

+ Remove implicit flow from OAuth 2.1 and continue to highlight that grant
types are an extension mechanism.

For example, if OpenID Connect were to be updated to refer to OAuth 2.1
rather than OAuth 2.0, OIDC could define the implicit grant type with all
the appropriate considerations.


On Tue, Feb 18, 2020 at 10:49 PM Dominick Baier <dbaier@leastprivilege.com>
wrote:

> No - please get rid of it.
>
> ———
> Dominick Baier
>
> On 18. February 2020 at 21:32:31, Dick Hardt (dick.hardt@gmail.com) wrote:
>
> Hey List
>
> (I'm using the OAuth 2.1 name as a placeholder for the doc that Aaron,
> Torsten, and I are working on)
>
> Given the points Aaron brought up in
>
> https://mailarchive.ietf.org/arch/msg/oauth/hXEfLXgEqrUQVi7Qy8X_279DCNU
>
>
> Does anyone have concerns with dropping the implicit flow from the OAuth
> 2.1 document so that developers don't use it?
>
> /Dick