Re: [OAUTH-WG] OAuth 2.1 - drop implicit flow?

Brian Campbell <bcampbell@pingidentity.com> Sat, 07 March 2020 13:27 UTC

References: <CAD9ie-u+egKriB1nvm9CtvFgp4cY1j6sNykGVuTTpsyvR5hA2Q@mail.gmail.com> <CAO7Ng+tUPVfVXQs5MpnO4z5F25WimX-1qeCmLQfrD0Yhbj-ysA@mail.gmail.com> <CAD9ie-v9bvU0s72N0RoHY6y0uwJPK9cCSNCDV2khhD+jveCdHQ@mail.gmail.com>
In-Reply-To: <CAD9ie-v9bvU0s72N0RoHY6y0uwJPK9cCSNCDV2khhD+jveCdHQ@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Sat, 7 Mar 2020 06:27:07 -0700
Message-ID: <CA+k3eCRQCa--76c-FYj9=xRJUbpS4UZ9wT6WaFwqNMebKU_iMg@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Dominick Baier <dbaier@leastprivilege.com>, oauth <oauth@ietf.org>, Vittorio Bertocci <Vittorio@auth0.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/G5ozCCeh_WJXIwy6-KuqRDIXhcs>
Subject: Re: [OAUTH-WG] OAuth 2.1 - drop implicit flow?

The name implicit grant is unfortunately somewhat misleading/confusing but,
for the case at hand, the extension mechanism isn't grant type so much as
response type and even response mode.

The perspective shared during the office hours call was, paraphrasing as
best I can, that there are legitimate uses of implicit style flows in
OpenID Connect (that likely won't be updated) and it would be really nice
if this new 2.1 (or whatever it's going to be) document didn't imply that
they were disallowed or problematic or otherwise create unnecessary FUD or
confusion for the large population of existing deployments.

On Fri, Feb 28, 2020 at 1:56 PM Dick Hardt <dick.hardt@gmail.com> wrote:

> I'm looking to close out this topic. I heard that Brian and Vittorio
> shared some points of view in the office hours, and wanted to confirm:
>
> + Remove implicit flow from OAuth 2.1 and continue to highlight that grant
> types are an extension mechanism.
>
> For example, if OpenID Connect were to be updated to refer to OAuth 2.1
> rather than OAuth 2.0, OIDC could define the implicit grant type with all
> the appropriate considerations.
>
>
> On Tue, Feb 18, 2020 at 10:49 PM Dominick Baier <dbaier@leastprivilege.com>
> wrote:
>
>> No - please get rid of it.
>>
>> ———
>> Dominick Baier
>>
>> On 18. February 2020 at 21:32:31, Dick Hardt (dick.hardt@gmail.com)
>> wrote:
>>
>> Hey List
>>
>> (I'm using the OAuth 2.1 name as a placeholder for the doc that Aaron,
>> Torsten, and I are working on)
>>
>> Given the points Aaron brought up in
>>
>> https://mailarchive.ietf.org/arch/msg/oauth/hXEfLXgEqrUQVi7Qy8X_279DCNU
>>
>>
>> Does anyone have concerns with dropping the implicit flow from the OAuth
>> 2.1 document so that developers don't use it?
>>
>> /Dick
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
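
An added example, not part of this thread or of any working-group text, that puts the response_type point into code: a small Python check that classifies an authorization request by its response_type (values from RFC 6749 and the OAuth 2.0 Multiple Response Type Encoding Practices spec) and applies a constructed policy that refuses only the response types delivering an access token in the front channel, so an OpenID Connect id_token-only response still passes. The authorization-server URL and the policy itself are assumptions for illustration.

```python
# Added example (not from the thread): classify an authorization request by
# response_type, the extension point the "implicit flow" actually lives in.
# response_type values follow RFC 6749 and the OAuth 2.0 Multiple Response
# Type Encoding Practices spec; the policy in evaluate_request() is a
# constructed illustration, not a working-group decision.
from urllib.parse import urlsplit, parse_qs

# Registered response_type values (space-separated, order-insensitive).
KNOWN_TOKENS = {"code", "token", "id_token", "none"}


def normalize_response_type(value: str) -> frozenset:
    """Turn 'code id_token' into a set; reject empty, unknown or bad combos."""
    parts = frozenset(value.split())
    if not parts or not parts <= KNOWN_TOKENS:
        raise ValueError(f"unsupported response_type: {value!r}")
    if "none" in parts and len(parts) > 1:
        raise ValueError("response_type 'none' cannot be combined")
    return parts


def classify(parts: frozenset) -> str:
    """Name the flow family: code, implicit, hybrid, or none."""
    if parts == {"none"}:
        return "none"
    if "code" in parts:
        return "code" if len(parts) == 1 else "hybrid"
    return "implicit"  # token, id_token, or id_token token


def default_response_mode(parts: frozenset) -> str:
    """Only a bare 'code' (or 'none') defaults to the query component;
    anything returning token or id_token defaults to the fragment."""
    return "query" if parts <= {"code", "none"} else "fragment"


def evaluate_request(url: str) -> dict:
    """Constructed policy: reject any request that would deliver an access
    token via the front channel (response_type containing 'token'). An OIDC
    id_token-only response carries no access token and is allowed here."""
    q = parse_qs(urlsplit(url).query)
    parts = normalize_response_type(q.get("response_type", [""])[0])
    mode = q.get("response_mode", [default_response_mode(parts)])[0]
    front_channel_access_token = "token" in parts
    return {
        "flow": classify(parts),
        "response_mode": mode,
        "front_channel_access_token": front_channel_access_token,
        "decision": "reject" if front_channel_access_token else "allow",
    }
```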