Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
Nat Sakimura <sakimura@gmail.com> Thu, 15 March 2012 09:03 UTC
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67BDC21F86D4 for <oauth@ietfa.amsl.com>; Thu, 15 Mar 2012 02:03:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.226
X-Spam-Level:
X-Spam-Status: No, score=-3.226 tagged_above=-999 required=5 tests=[AWL=0.372, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FA1lpa2qRvI0 for <oauth@ietfa.amsl.com>; Thu, 15 Mar 2012 02:03:31 -0700 (PDT)
Received: from mail-bk0-f44.google.com (mail-bk0-f44.google.com [209.85.214.44]) by ietfa.amsl.com (Postfix) with ESMTP id 4207421F86CB for <oauth@ietf.org>; Thu, 15 Mar 2012 02:03:31 -0700 (PDT)
Received: by bkuw5 with SMTP id w5so2262009bku.31 for <oauth@ietf.org>; Thu, 15 Mar 2012 02:03:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=qgIAfmoj0beuRNP92ZF8h9ZWNbwoVh/+tpCiWa9ANj0=; b=eSxXjbhyzed2VyaSnflYVasuH8tPQu2VPj6Bgae0oxjQWAhw/43uNU9xwhQjkC06NE ioF7ywucm1jKIckgAllmqL3y5cB216o8Y7pC9EwXMGmzIa2c4nsvVEQ4m4OVp3haDMFZ kR6noKtmLYWinZUKSr5RvCX0NRUxp604DV9J9nFcyuEGUzXnSwqiwj62Xt9oPGMigu4t fiqXlpPBeXR70ai0ZlKPJL+oCE8gwHo6wrwIqmDXA+Sq0MqwzmEJSnxxaJwwgyRJk7zr 5Wgha/VVzY4/7yJTLxIjB1LexaZVPMqK13ExEE0To0dQRS8xlF6nn5EqQB3B6LCyt5AN Ying==
MIME-Version: 1.0
Received: by 10.204.149.218 with SMTP id u26mr2210820bkv.82.1331802210353; Thu, 15 Mar 2012 02:03:30 -0700 (PDT)
Received: by 10.204.232.203 with HTTP; Thu, 15 Mar 2012 02:03:30 -0700 (PDT)
In-Reply-To: <CALaySJL9EphC=L2Dj++9bCcusnOPouQ4vRmuEdDM-6ggURo-fA@mail.gmail.com>
References: <CAGdjJpLBCyvg21zuGi1jWK58hkDL4Ff7-xdJ0dy0WZpvNPPrKA@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08903@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAAJ++qE3KcFgJey7xXzW8dkTPzvtcu_ke7abkOEMS4hwi93yEg@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08919@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAGdjJpK6dMzSyoxEb_2rQcB-anXzvWaW-PLdYTZW_jECieBSMg@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08932@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4E1F6AAD24975D4BA5B16804296739436641D4E3@TK5EX14MBXC284.redmond.corp.microsoft.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08949@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAAJ++qG+jdej64rjWM8V4MU_uxEc-2WoT4MKqhD_9ef0jBYwgg@mail.gmail.com> <CAC4RtVBzDdeJViT_zOJ4QQQoo4Soy0iJJL_EK5zGd+94J1h7RQ@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF0896E@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CALaySJ+tTmh1jHzn-6g+CSwLWNoq0KQ1HKXD-KdaORZKJwjv6w@mail.gmail.com> <CALaySJL9EphC=L2Dj++9bCcusnOPouQ4vRmuEdDM-6ggURo-fA@mail.gmail.com>
Date: Thu, 15 Mar 2012 18:03:30 +0900
Message-ID: <CABzCy2Bi+YvaJiXwsnNPFHXxGDkFSRiMEzKbVi9YD8zF7D8nxg@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Breno de Medeiros <breno@google.com>, OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0015175cd0a2a8c13904bb445d40"
Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Mar 2012 09:03:32 -0000
So, Eran's first proposal: A client application consisting of multiple components, each with its own client type (e.g. a distributed client with both a confidential server-based component and a public browser-based component), MUST register each component separately as a different client to ensure proper handling by the authorization server, unless the authorization server provides other registration options to specify such complex clients. kind of meets my concern. There seems to be another issue around the usefulness of return_type in such case raised by Breno, and if I understand it correctly, Eran's answer was that these separate components may have the same client_id so that return_type is a valid parameter to be sent at the request. So, to clarify these, perhaps changing the above text slightly to the following solves the problem? A client application consisting of multiple components, each with its own client type (e.g. a distributed client with both a confidential server-based component and a public browser-based component), MUST register each component separately as a different client to ensure proper handling by the authorization server, unless the authorization server provides other registration options to specify such complex clients. Each component MAY have the same client_id, in which case the server judges the client type and the associated security context based on the response_type parameter in the request. Would it solve your problem, Breno? Best, =nat
- [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. … Marius Scurtescu
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno de Medeiros
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Marius Scurtescu
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Mike Jones
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Richer, Justin P.
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno de Medeiros
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Barry Leiba
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Barry Leiba
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Barry Leiba
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Nat Sakimura
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… John Bradley
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno de Medeiros
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno de Medeiros
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Mike Jones
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno de Medeiros
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno de Medeiros
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno de Medeiros
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Mike Jones
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Nat Sakimura
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… John Bradley