[OAUTH-WG] Clarifying the scope of the OAuth 2.1 spec

Mike Jones <Michael.Jones@microsoft.com> Sun, 15 March 2020 21:35 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4d6Z_C_xscwIt5qkJIID_6wLK1A>

The abstract of draft-parecki-oauth-v2-1 concludes with this text:
   This specification replaces and obsoletes the OAuth 2.0 Authorization Framework described in RFC 6749 <https://tools.ietf.org/html/rfc6749>.

While accurate, I don't believe that this text captures the full intent of the OAuth 2.1 effort - specifically, to be a recommended subset of OAuth 2.0, rather than to introduce incompatible changes to it.  Therefore, I request that these sentences be added to the abstract, to eliminate confusion in the marketplace that might otherwise arise:

    OAuth 2.1 is a compatible subset of OAuth 2.0, removing features that are not currently considered to be best practices.  By design, it does not introduce any new features to what already exists in the OAuth 2.0 set of protocols.

                                                       Thanks,
                                                       -- Mike

P.S.  I assert that any incompatible changes should be proposed as part of the TxAuth effort and not as part of OAuth 2.1.