Re: [OAUTH-WG] OAUTB for Access Token in Implicit Grant

Brian Campbell <bcampbell@pingidentity.com> Thu, 24 May 2018 21:58 UTC

In-Reply-To: <b18d8187-d011-2b40-3055-e0c5ef8f564d@sec.uni-stuttgart.de>
References: <df0f8268-13a8-90d7-fc40-32e5b7371cc9@gmx.de> <CA+k3eCRT-Paqq5_jLFNpH9n6Se6K+dOcvD+o2-99zBAcPHedmg@mail.gmail.com> <b18d8187-d011-2b40-3055-e0c5ef8f564d@sec.uni-stuttgart.de>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 24 May 2018 15:57:43 -0600
Message-ID: <CA+k3eCRk5FsRwu+B6LcUONR1giZKg3mcPbfkge_CJVnTcb=C-w@mail.gmail.com>
To: Daniel Fett <daniel.fett@sec.uni-stuttgart.de>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/FpjtqDhPNqMABMdS1Gxkv2M0XuI>

Yeah, that's what is implied. At least given the way that
https://tools.ietf.org/html/draft-ietf-tokbind-https provides to signal to
the client to reveal the Referred Token Binding.

I've heard that there's some potential for the Fetch spec to provide some
APIs or controls around Token Binding, which might facilitate other ways of
getting the Referred Token Binding into a request. But I don't know the
details or likelihood or timeline. And whatever form that takes may or may
not facilitate other options for 'front-channel' requests to the
authorization endpoint.


On Wed, May 23, 2018 at 10:27 AM, Daniel Fett <daniel.fett@sec.uni-stuttgart.de> wrote:

>
> Just to clarify: This implies that there must be an HTTP(S) request from
> the browser to the protected resource which then gets redirected to the
> authorization endpoint. Is that correct?
>

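To make the exchange Daniel asks about concrete, here is an added simulation (not code from the draft, the working group, or either poster) of the implicit-grant flow: the protected resource's redirect carries the Include-Referred-Token-Binding-ID signal from draft-ietf-tokbind-https, so the redirected request to the authorization endpoint carries a referred Token Binding the AS can bind the token to, while a direct request to the authorization endpoint carries none. The hosts, the in-memory key handling, and the 'tbh' confirmation (modelled on the OAuth Token Binding draft, hex-encoded here for brevity) are assumptions of the example.

```python
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit
# Constructed hosts; no real deployment is referenced.
RS_HOST, AS_HOST = "rs.example", "as.example"

class Browser:
    """Only the Token Binding behaviour the thread is about: one key per host, a
    provided TB on every request, a referred TB only when the redirecting host
    asked for it. Random bytes stand in for the TokenBindingID; the signature
    over the TLS exporter value is omitted."""
    def __init__(self):
        self._keys = {}

    def tb_id(self, host):
        return self._keys.setdefault(host, secrets.token_bytes(32))

    def request(self, url, referred_from=None):
        tb = {"provided": self.tb_id(urlsplit(url).netloc)}
        if referred_from:          # key for the host that issued the redirect
            tb["referred"] = self.tb_id(referred_from)
        return {"url": url, "Sec-Token-Binding": tb}

def rs_redirect_to_as(request):
    """Protected resource bounces an unauthenticated request to the authorization
    endpoint and, per draft-ietf-tokbind-https, asks for the referred TB ID."""
    q = urlencode({"response_type": "token", "client_id": "spa",
                   "redirect_uri": f"https://{RS_HOST}/cb"})
    return {"status": 302, "Location": f"https://{AS_HOST}/authorize?{q}",
            "Include-Referred-Token-Binding-ID": "true"}

def browser_follow(browser, redirect, from_url):
    wants = redirect.get("Include-Referred-Token-Binding-ID") == "true"
    return browser.request(redirect["Location"],
                           urlsplit(from_url).netloc if wants else None)

def as_authorize(request):
    """Implicit grant: bind the access token to the referred TB ID, i.e. the
    browser's key for the resource. No referred TB means nothing to bind to."""
    tb = request["Sec-Token-Binding"]
    if "referred" not in tb:
        return None
    tbh = hashlib.sha256(tb["referred"]).hexdigest()  # cf. 'tbh' in the OAuth TB draft
    return {"access_token": "at-" + secrets.token_hex(8), "cnf": {"tbh": tbh}}

def rs_accept(request, token):
    """Resource checks the provided TB on this connection against the token's binding."""
    provided = request["Sec-Token-Binding"]["provided"]
    return hashlib.sha256(provided).hexdigest() == token["cnf"]["tbh"]
```

A token bound this way is only accepted over a connection proving possession of the same per-host key, so a copy presented from another browser instance is refused.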