[OAUTH-WG] code flow for browsers?

Bill Mills <wmills_92105@yahoo.com> Tue, 10 February 2015 16:53 UTC

Date: Tue, 10 Feb 2015 16:47:05 +0000
From: Bill Mills <wmills_92105@yahoo.com>
To: OAuth WG <oauth@ietf.org>
Message-ID: <1076682052.2648765.1423586825705.JavaMail.yahoo@mail.yahoo.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Gh2S9X1j9wNWIpI0BL4qKE6iWVU>
Subject: [OAUTH-WG] code flow for browsers?

Does https://tools.ietf.org/html/draft-ietf-oauth-spop-10 provide a way for us to replace the implicit flow with the code+proof key model?  Yes, Implicit saves a round trip.  This does deal nicely with some of the security concerns raised recently around how fragments are handled in the browser.
-bill