[OAUTH-WG] The response from the Google authorization endpoint

Alex Kalp <alexkalps@gmail.com> Thu, 05 November 2020 00:22 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/FM0IMX6tNK0tWcSwtPplyNB2Cqs>

Hi All,

While trying out the OAuth 2.0 authorization code grant type with Google, I
got the following response to my registered redirect_uri.

https://localhost:9000/app_uri?state=caf324471khs872&code=4/5wFzvDar86R-AJWCIE&scope=profile%20openid%20https://www.googleapis.com/auth/userinfo.profile&authuser=0&prompt=consent

As per RFC 6749 section 4.1.2, the authorization response from the
authorization endpoint only includes code and state.

I'd appreciate it if you could share any insights on why Google adds the
scope, authuser and prompt parameters to the response, which are not in the
OAuth 2.0 RFC, and whether we consider those additional parameters a
violation of RFC 6749.

Thanks!
-Alex
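The redirect quoted above is an authorization response in the sense of RFC 6749 section 4.1.2, and the same section requires that "the client MUST ignore unrecognized response parameters", so a client copes with extra parameters by not acting on them. The following is an added example, not Google's code and not the poster's, of a redirect-URI handler that does exactly that: it validates `state` in constant time against the value bound to the user's session, distinguishes a success response from an error response (section 4.1.2.1), rejects duplicated parameters, and surfaces the extension parameters only so they can be logged. The sample URL is the one from the message with the mail client's formatting removed; the session-bound state value is assumed to equal the `state` it carries.

```python
"""Parse an OAuth 2.0 authorization response (RFC 6749 section 4.1.2)
delivered to a client's redirect URI.

Added example for this thread; not Google's code and not the poster's.
"""
import hmac
from urllib.parse import parse_qs, urlsplit

# Parameters RFC 6749 defines for a successful (4.1.2) or failed (4.1.2.1)
# authorization response. Anything else is an extension parameter that the
# client MUST ignore (Google adds scope, authuser and prompt).
KNOWN_SUCCESS_PARAMS = {"code", "state"}
KNOWN_ERROR_PARAMS = {"error", "error_description", "error_uri", "state"}


class AuthorizationResponseError(Exception):
    """Raised when the response is malformed or fails a security check."""


def parse_authorization_response(redirect_url: str, expected_state: str) -> dict:
    """Validate the redirect and return {"code": ..., "ignored": {...}}.

    - state is compared in constant time against the value the client bound
      to this user's session before redirecting (CSRF protection, 10.12).
    - an error response raises instead of returning a code.
    - unrecognized parameters are returned under "ignored" only so the
      caller can log them; they play no part in the flow.
    """
    query = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)

    # parse_qs returns lists; a parameter MUST NOT appear more than once (3.1).
    dupes = [k for k, v in query.items() if len(v) > 1]
    if dupes:
        raise AuthorizationResponseError(f"duplicate parameters: {dupes}")
    params = {k: v[0] for k, v in query.items()}

    # Check state before anything else so a forged redirect is rejected even
    # when it carries a well-formed code or error.
    state = params.get("state", "")
    if not expected_state or not hmac.compare_digest(
        state.encode("utf-8"), expected_state.encode("utf-8")
    ):
        raise AuthorizationResponseError("state mismatch")

    if "error" in params:
        # 4.1.2.1: error is mandatory, error_description and error_uri optional
        message = params["error"]
        if params.get("error_description"):
            message += ": " + params["error_description"]
        raise AuthorizationResponseError(message)

    code = params.get("code")
    if not code:
        raise AuthorizationResponseError("missing code")

    ignored = {k: v for k, v in params.items() if k not in KNOWN_SUCCESS_PARAMS}
    return {"code": code, "ignored": ignored}


# Constructed input: the redirect from the message, cleaned of the mail
# client's markup. The session-bound state is assumed to be the same value.
GOOGLE_REDIRECT = (
    "https://localhost:9000/app_uri?state=caf324471khs872"
    "&code=4/5wFzvDar86R-AJWCIE"
    "&scope=profile%20openid%20https://www.googleapis.com/auth/userinfo.profile"
    "&authuser=0&prompt=consent"
)

if __name__ == "__main__":
    result = parse_authorization_response(GOOGLE_REDIRECT, "caf324471khs872")
    print("code:", result["code"])
    print("ignored extension parameters:", sorted(result["ignored"]))
```

Run as a script, the handler returns the code and lists `authuser`, `prompt` and `scope` as ignored extension parameters; a redirect whose `state` does not match the stored value, or that carries `error`, is rejected before any code is used.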