Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps and response_type/fragment

"Brock Allen" <brockallen@gmail.com> Sat, 08 December 2018 22:53 UTC

From: Brock Allen <brockallen@gmail.com>
To: Aaron Parecki <aaron@parecki.com>
Cc: oauth@ietf.org
Date: Sat, 08 Dec 2018 17:53:15 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/GeKD1Xliahl6xpW0fKQMlyi4M3A>

Not pure OAuth. This only came up as a question while I was implementing code flow/pkce for oidc-client-js.

I can appreciate not expanding the current OAuth2 behavior in the BCP, so that's fair. I only wanted to mention it in case it had not been considered.

Having said that, I think I will implement an optional response_type in my code flow/pkce to allow fragment, but default to query (as that's the default for pure code flow).


-Brock

On 12/8/2018 1:58:05 PM, Aaron Parecki <aaron@parecki.com> wrote:
Do you know of anyone currently doing this today in an OAuth-only application?


If the group wanted to take some existing OIDC mechanisms and apply them to OAuth, I feel like that needs to happen in a separate RFC, and that's a much bigger discussion. This BCP shouldn't really be defining new behavior. It's similar to how "OAuth 2.0 for Mobile and Native Apps" is not where PKCE is defined, PKCE has its own RFC.

- Aaron



On Sat, Dec 8, 2018 at 10:33 AM Brock Allen <brockallen@gmail.com> wrote:

For the same reason the implicit flow uses it -- to reduce exposure of the response params. I know the code is protected with the code_verifier, but it wouldn't hurt to reduce its exposure, no?

-Brock

On 12/8/2018 1:23:41 PM, Aaron Parecki <aaron@parecki.com> wrote:
What would be the benefit of using this response type? Are you aware of any OAuth (not OIDC) clients that do this today?

- Aaron


On Sat, Dec 8, 2018 at 7:29 AM Brock Allen <brockallen@gmail.com> wrote:

Should the BCP suggest using OIDC's response_type=fragment as the mechanism for returning the code from the AS? Or simply suggest using the fragment component of the redirect_uri for the code, without a response_type parameter (IOW don't allow it to be dynamic)?


-Brock

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth