Re: [OAUTH-WG] First Draft of OAuth 2.1

"Schanzenbach, Martin" <martin.schanzenbach@aisec.fraunhofer.de> Thu, 12 March 2020 06:11 UTC

Return-Path: <martin.schanzenbach@aisec.fraunhofer.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D56143A1086 for <oauth@ietfa.amsl.com>; Wed, 11 Mar 2020 23:11:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.623
X-Spam-Level:
X-Spam-Status: No, score=-1.623 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.274, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u-mSwZmz8Xqf for <oauth@ietfa.amsl.com>; Wed, 11 Mar 2020 23:11:47 -0700 (PDT)
Received: from mail-edgeS23.fraunhofer.de (mail-edges23.fraunhofer.de [153.97.7.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E33073A1084 for <oauth@ietf.org>; Wed, 11 Mar 2020 23:11:43 -0700 (PDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A2GHOAD30Wle/xoBYJllHQEBAQkBEQU?= =?us-ascii?q?FAYF7gVRVbFYBHhIqCodThTqIE5lXA4FaBAYJAQEBAQEBAQEBAwQBGAsMBAE?= =?us-ascii?q?BAoRBAoIOJDgTAhABAQYBAQEBAQUEAgJphVYMg1NwAQEBAQEBAQEBAQEBAQE?= =?us-ascii?q?BAQEBAQEWAjgLSgsSAQEdAQEBAQIBAQFsCwULAgEIGBgWJwslAgQOBQ6DGAG?= =?us-ascii?q?CWx8CDqoWgieDfTgBAwKBD4RvEIE4gVOGYoN3gVw+gREnDxGCTT6CZAEBAgG?= =?us-ascii?q?BSFgRgnSCLASXZphJAwQDgUZ2g3KCPIEoigCFFh2CSjFQi0Ysi36XfJJWAgQ?= =?us-ascii?q?CBAUCFYFpIyqBLnFFCgUlAVUdgSYpCUcYDZIQhRSFQUIBMYw+gQ2BEAEB?=
X-IPAS-Result: =?us-ascii?q?A2GHOAD30Wle/xoBYJllHQEBAQkBEQUFAYF7gVRVbFYBH?= =?us-ascii?q?hIqCodThTqIE5lXA4FaBAYJAQEBAQEBAQEBAwQBGAsMBAEBAoRBAoIOJDgTA?= =?us-ascii?q?hABAQYBAQEBAQUEAgJphVYMg1NwAQEBAQEBAQEBAQEBAQEBAQEBAQEWAjgLS?= =?us-ascii?q?gsSAQEdAQEBAQIBAQFsCwULAgEIGBgWJwslAgQOBQ6DGAGCWx8CDqoWgieDf?= =?us-ascii?q?TgBAwKBD4RvEIE4gVOGYoN3gVw+gREnDxGCTT6CZAEBAgGBSFgRgnSCLASXZ?= =?us-ascii?q?phJAwQDgUZ2g3KCPIEoigCFFh2CSjFQi0Ysi36XfJJWAgQCBAUCFYFpIyqBL?= =?us-ascii?q?nFFCgUlAVUdgSYpCUcYDZIQhRSFQUIBMYw+gQ2BEAEB?=
X-IronPort-AV: E=Sophos;i="5.70,543,1574118000"; d="asc'?scan'208";a="16536472"
Received: from mail-mtaka26.fraunhofer.de ([153.96.1.26]) by mail-edgeS23.fraunhofer.de with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 Mar 2020 07:11:40 +0100
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0D0BwAX0mle/2q0YZllHgELHINPVWx?= =?us-ascii?q?VAQEeEioKjQ2GBIIQmVeBZwkBAwEBAQEBAwQBGAsMBAEBhEMCggonOBMCEAE?= =?us-ascii?q?BBQEBAQIBBQRthQpMDIVjAQEBAQIBAQFUGAsFCwIBCBgYFicLBx4CBA4FDoM?= =?us-ascii?q?YAYJbHwIOqhaCJ4Q1AQMCgQ+EbxCBOIFThmKFUz6BEScPEYJNPoJkAQECAYF?= =?us-ascii?q?IWBGCdIIsBJdmmEkDBAOBRnaDcoI8gSiKAIUWHYJKMVCLRiyLfpd8klYCBAI?= =?us-ascii?q?EBQIVgWkiKoEucUUKBSUBVR2BJikJRxgNkhCFFIVBQQEBMYw+gQ2BEAEB?=
X-IronPort-AV: E=Sophos;i="5.70,543,1574118000"; d="asc'?scan'208";a="77323033"
Received: from 153-97-180-106.vm.c.fraunhofer.de (HELO xch-onprem-04.ads.fraunhofer.de) ([153.97.180.106]) by mail-mtaKA26.fraunhofer.de with ESMTP/TLS/AES256-GCM-SHA384; 12 Mar 2020 07:11:38 +0100
Received: from xch-onprem-07.ads.fraunhofer.de (10.225.16.45) by xch-onprem-04.ads.fraunhofer.de (10.225.16.52) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1779.2; Thu, 12 Mar 2020 07:11:08 +0100
Received: from xch-onprem-07.ads.fraunhofer.de ([fe80::b4ab:1a1b:1de3:9f87]) by xch-onprem-07.ads.fraunhofer.de ([fe80::b4ab:1a1b:1de3:9f87%5]) with mapi id 15.01.1779.005; Thu, 12 Mar 2020 07:11:08 +0100
From: "Schanzenbach, Martin" <martin.schanzenbach@aisec.fraunhofer.de>
To: Aaron Parecki <aaron@parecki.com>
CC: OAuth WG <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] First Draft of OAuth 2.1
Thread-Index: AQHV+AUusYsr1k1xf02FDH1HKzWXxKhEaV6A
Date: Thu, 12 Mar 2020 06:11:08 +0000
Message-ID: <250C6734-6ACF-4C5D-BC52-B8C8EE7A2F6D@aisec.fraunhofer.de>
References: <CAGBSGjp6xRL21fdY+dosAhwS3Db6z1hxHU5uPGGprC-c_Ec-Cg@mail.gmail.com>
In-Reply-To: <CAGBSGjp6xRL21fdY+dosAhwS3Db6z1hxHU5uPGGprC-c_Ec-Cg@mail.gmail.com>
Accept-Language: en-US, de-DE
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.225.16.62]
Content-Type: multipart/signed; boundary="Apple-Mail=_49F50754-6CE3-4C93-B031-3BF44F1674E1"; protocol="application/pgp-signature"; micalg=pgp-sha256
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/EqGaQKTYIJLyPZCI_wAQrL6cmho>
Subject: Re: [OAUTH-WG] First Draft of OAuth 2.1
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2020 06:12:53 -0000

Hi,

I just read the document and have minor feedback:

Under "2.3 Client Authentication" you mention mTLS (RFC8705) and reference OpenID.
I am kind of missing RFC7523 here (JWT client authentication). Also, the OpenID link is broken.

Best
Martin

> On 12. Mar 2020, at 01:28, Aaron Parecki <aaron@parecki.com> wrote:
> 
> I'm happy to share that Dick and Torsten and I have published a first
> draft of OAuth 2.1. We've taken the feedback from the discussions on
> the list and incorporated that into the draft.
> 
> https://tools.ietf.org/html/draft-parecki-oauth-v2-1-01
> 
> A summary of the differences between this draft and OAuth 2.0 can be
> found in section 12, and I've copied them here below.
> 
>> This draft consolidates the functionality in OAuth 2.0 (RFC6749),
>> OAuth 2.0 for Native Apps (RFC8252), Proof Key for Code Exchange
>> (RFC7636), OAuth 2.0 for Browser-Based Apps
>> (I-D.ietf-oauth-browser-based-apps), OAuth Security Best Current
>> Practice (I-D.ietf-oauth-security-topics), and Bearer Token Usage
>> (RFC6750).
>> 
>>  Where a later draft updates or obsoletes functionality found in the
>>  original [RFC6749], that functionality in this draft is updated with
>>  the normative changes described in a later draft, or removed
>>  entirely.
>> 
>>  A non-normative list of changes from OAuth 2.0 is listed below:
>> 
>>  *  The authorization code grant is extended with the functionality
>>     from PKCE ([RFC7636]) such that the only method of using the
>>     authorization code grant according to this specification requires
>>     the addition of the PKCE mechanism
>> 
>>  *  Redirect URIs must be compared using exact string matching as per
>>     Section 4.1.3 of [I-D.ietf-oauth-security-topics]
>> 
>>  *  The Implicit grant ("response_type=token") is omitted from this
>>     specification as per Section 2.1.2 of
>>     [I-D.ietf-oauth-security-topics]
>> 
>>  *  The Resource Owner Password Credentials grant is omitted from this
>>     specification as per Section 2.4 of
>>     [I-D.ietf-oauth-security-topics]
>> 
>>  *  Bearer token usage omits the use of bearer tokens in the query
>>     string of URIs as per Section 4.3.2 of
>>     [I-D.ietf-oauth-security-topics]
>> 
>>  *  Refresh tokens must either be sender-constrained or one-time use
>>     as per Section 4.12.2 of [I-D.ietf-oauth-security-topics]
> 
> https://tools.ietf.org/html/draft-parecki-oauth-v2-1-01#section-12
> 
> I'm excited for the direction this is taking, and it has been a
> pleasure working with Dick and Torsten on this so far. My hope is that
> this first draft can serve as a good starting point for our future
> discussions!
> 
> ----
> Aaron Parecki
> aaronparecki.com
> @aaronpk
> 
> P.S. This notice was also posted at
> https://aaronparecki.com/2020/03/11/14/oauth-2-1
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth