IETF Logo Mail Archive

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

Nat Sakimura <sakimura@gmail.com> Thu, 15 March 2012 09:03 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67BDC21F86D4 for <oauth@ietfa.amsl.com>; Thu, 15 Mar 2012 02:03:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.226
X-Spam-Level:
X-Spam-Status: No, score=-3.226 tagged_above=-999 required=5 tests=[AWL=0.372, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FA1lpa2qRvI0 for <oauth@ietfa.amsl.com>; Thu, 15 Mar 2012 02:03:31 -0700 (PDT)
Received: from mail-bk0-f44.google.com (mail-bk0-f44.google.com [209.85.214.44]) by ietfa.amsl.com (Postfix) with ESMTP id 4207421F86CB for <oauth@ietf.org>; Thu, 15 Mar 2012 02:03:31 -0700 (PDT)
Received: by bkuw5 with SMTP id w5so2262009bku.31 for <oauth@ietf.org>; Thu, 15 Mar 2012 02:03:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=qgIAfmoj0beuRNP92ZF8h9ZWNbwoVh/+tpCiWa9ANj0=; b=eSxXjbhyzed2VyaSnflYVasuH8tPQu2VPj6Bgae0oxjQWAhw/43uNU9xwhQjkC06NE ioF7ywucm1jKIckgAllmqL3y5cB216o8Y7pC9EwXMGmzIa2c4nsvVEQ4m4OVp3haDMFZ kR6noKtmLYWinZUKSr5RvCX0NRUxp604DV9J9nFcyuEGUzXnSwqiwj62Xt9oPGMigu4t fiqXlpPBeXR70ai0ZlKPJL+oCE8gwHo6wrwIqmDXA+Sq0MqwzmEJSnxxaJwwgyRJk7zr 5Wgha/VVzY4/7yJTLxIjB1LexaZVPMqK13ExEE0To0dQRS8xlF6nn5EqQB3B6LCyt5AN Ying==
MIME-Version: 1.0
Received: by 10.204.149.218 with SMTP id u26mr2210820bkv.82.1331802210353; Thu, 15 Mar 2012 02:03:30 -0700 (PDT)
Received: by 10.204.232.203 with HTTP; Thu, 15 Mar 2012 02:03:30 -0700 (PDT)
In-Reply-To: <CALaySJL9EphC=L2Dj++9bCcusnOPouQ4vRmuEdDM-6ggURo-fA@mail.gmail.com>
References: <CAGdjJpLBCyvg21zuGi1jWK58hkDL4Ff7-xdJ0dy0WZpvNPPrKA@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08903@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAAJ++qE3KcFgJey7xXzW8dkTPzvtcu_ke7abkOEMS4hwi93yEg@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08919@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAGdjJpK6dMzSyoxEb_2rQcB-anXzvWaW-PLdYTZW_jECieBSMg@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08932@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4E1F6AAD24975D4BA5B16804296739436641D4E3@TK5EX14MBXC284.redmond.corp.microsoft.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08949@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAAJ++qG+jdej64rjWM8V4MU_uxEc-2WoT4MKqhD_9ef0jBYwgg@mail.gmail.com> <CAC4RtVBzDdeJViT_zOJ4QQQoo4Soy0iJJL_EK5zGd+94J1h7RQ@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF0896E@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CALaySJ+tTmh1jHzn-6g+CSwLWNoq0KQ1HKXD-KdaORZKJwjv6w@mail.gmail.com> <CALaySJL9EphC=L2Dj++9bCcusnOPouQ4vRmuEdDM-6ggURo-fA@mail.gmail.com>
Date: Thu, 15 Mar 2012 18:03:30 +0900
Message-ID: <CABzCy2Bi+YvaJiXwsnNPFHXxGDkFSRiMEzKbVi9YD8zF7D8nxg@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Breno de Medeiros <breno@google.com>, OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0015175cd0a2a8c13904bb445d40"
Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Mar 2012 09:03:32 -0000

So, Eran's first proposal:

  A client application consisting of multiple components, each with its
  own client type (e.g. a distributed client with both a confidential
  server-based component and a public browser-based component), MUST
  register each component separately as a different client to ensure
  proper handling by the authorization server, unless the authorization
  server provides other registration options to specify such complex
clients.

kind of meets my concern. There seems to be another issue around the
usefulness of return_type in such case raised by Breno, and if I understand
it correctly, Eran's answer was that these separate components may have the
same client_id so that return_type is a valid parameter to be sent at the
request.

So, to clarify these, perhaps changing the above text slightly to the
following solves the problem?

  A client application consisting of multiple components, each with its
  own client type (e.g. a distributed client with both a confidential
  server-based component and a public browser-based component), MUST
  register each component separately as a different client to ensure
  proper handling by the authorization server, unless the authorization
  server provides other registration options to specify such complex
clients.
  Each component MAY have the same client_id, in which case the server
  judges the client type and the associated security context  based on
  the response_type parameter in the request.

Would it solve your problem, Breno?

Best,

=nat

v2.23.0 | Report a Bug | By Email