Re: [OAUTH-WG] OAUTB for Access Token in Implicit Grant

Brian Campbell <> Thu, 24 May 2018 21:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9FBD712E899 for <>; Thu, 24 May 2018 14:58:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id J3eidgOqn4Se for <>; Thu, 24 May 2018 14:58:15 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4001:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4DEDC124E15 for <>; Thu, 24 May 2018 14:58:15 -0700 (PDT)
Received: by with SMTP id p124-v6so4159478iod.1 for <>; Thu, 24 May 2018 14:58:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=zu8nfqHmf9vCCyYWROYdOG8hLQtKo3WY5VkEopg83bs=; b=T1A9JhPSYoHaBUWRHjug5RwD0ZAaq5O6JycnS5Kck0PsLFTpf1xjNLVOM/KTu/3htL 1+PlQNWV7RhLmSKy7FvxUrs6Yv79pdhbIAbl+Bo1BO+JqJGFzlZxy/hH6Ovs7/hz4MJl 3USIF7WPNbHIrp5tvLWv+XPi94uM00ENINbuY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=zu8nfqHmf9vCCyYWROYdOG8hLQtKo3WY5VkEopg83bs=; b=ZfLHTzFneK4P8Or/4FC+N5Cjvac3C5mcy4rTFmwqIaxVP7eCCkigshoNMhFOinn1ZE 4f6X1VnBUxYzHdM2oPx5bFUFzGpP5wZxLpqTXIHP2IRu1Q9wVA+PbOcbMBumyuZwHM04 GSRXFuBnLHwsFsnEndRKR0RsXZE56672Zez3N3ps+neg/5N3vD57oH3TsLSVE2JfzHKW P2Sx4cQBBWzn73EWXrKKjrfGYKVtK1j0SOHg8QARRy/4/+eAyZw8eFGNu5xVcOr3p0RC hSELsYTVS8cIgtV0m7l+tnsqOBghgDpwN9LVmFqzGPsDYVA63cIVZ1Xlp1rErIy8z3Al kJhw==
X-Gm-Message-State: ALKqPwc2Je4jTNSU6lTcu4oTAaS2ftA84HVQTP8EkNZxnyMMvold/x5n CDsxfpJr4vuho1fIwXAgXUyrB/rkNAkzLuM6wIRWRebGuNY1u2M61ckr47cCh4B4f2lECVtAQNL EcCacgdbMgc0onfwZ
X-Google-Smtp-Source: AB8JxZpy9DU7MO9rmDSMAo5VlxBlYvAg7Z+73eyp9qApDu5Xx5Hw1tmm2BetaFtW1o3YXNDFcVsmplgQ3KjpI5eV+B4=
X-Received: by 2002:a6b:1456:: with SMTP id 83-v6mr8301535iou.218.1527199094413; Thu, 24 May 2018 14:58:14 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a02:144a:0:0:0:0:0 with HTTP; Thu, 24 May 2018 14:57:43 -0700 (PDT)
In-Reply-To: <>
References: <> <> <>
From: Brian Campbell <>
Date: Thu, 24 May 2018 15:57:43 -0600
Message-ID: <>
To: Daniel Fett <>
Cc: oauth <>
Content-Type: multipart/alternative; boundary="00000000000086398a056cfabf92"
Archived-At: <>
Subject: Re: [OAUTH-WG] OAUTB for Access Token in Implicit Grant
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 24 May 2018 21:58:18 -0000

Yeah, that's what is implied. At least given the way that provides to signal to
the client to reveal the Referred Token Binding.

I've heard that there's some potential for the Fetch spec to provide some
APIs or controls around Token Binding, which might facilitate other ways of
getting the Referred Token Binding into a request. But I don't know the
details or likelihood or timeline. And whatever form that takes may or may
not facilitate other options for 'front-channel' requests to the
authorization endpoint.

On Wed, May 23, 2018 at 10:27 AM, Daniel Fett <daniel.fett@sec.uni-> wrote:

> Just to clarify: This implies that there must be an HTTP(S) request from
> the browser to the protected resource which then gets redirected to the
> authorization endpoint. Is that correct?

_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._