Re: [OAUTH-WG] New OAuth DPoP and Security BCP drafts

Brian Campbell <bcampbell@pingidentity.com> Wed, 14 August 2019 19:24 UTC

References: <CAHB17EwniJw9R3Cr9d_AZjaepha+UO+eBBLHYdOZNUEyt+c2Xw@mail.gmail.com> <CAP=vD9v5FczqKihQZ=4aZXOyUn34RgVUcuJ=VfeE8Du2uHHffA@mail.gmail.com>
In-Reply-To: <CAP=vD9v5FczqKihQZ=4aZXOyUn34RgVUcuJ=VfeE8Du2uHHffA@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 14 Aug 2019 13:24:09 -0600
Message-ID: <CA+k3eCQf4vtJJR+NHCRbeavSfsAujpg4G0j6WK4AgV5CRaZjhg@mail.gmail.com>
To: Sascha Preibisch <saschapreibisch@gmail.com>
Cc: Daniel Fett <danielf+oauth@yes.com>, IETF oauth WG <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/HmxSq6AzfU63H4F0p6aXfvjFIFs>

It can be a bit of a balancing act to have examples that clearly and
concisely demonstrate the target functionality of the document but do so in
the context of an otherwise complete and valid protocol message that also
shows best practices being adhered to. But I think in this case I agree
that adding a code_verifier to that example is worthwhile to show one of
the generally agreed on best practices being followed and it doesn't add
too much bloat to the example.


On Thu, Aug 1, 2019 at 2:44 PM Sascha Preibisch <saschapreibisch@gmail.com>
wrote:

> Hi all!
>
> I am reading through the latest draft ( ... dpop-02). When I got to
> the first example request (bullet 5.) I saw that only 'grant_type,
> code, redirect_uri' are used.
>
> If I am not mistaken the recommendation is to generally use PKCE with
> an authorization_code flow. Therefore, I wondered if the example
> should also include a 'code_verifier'.
>
> Thanks,
> Sascha
>
> On Mon, 8 Jul 2019 at 06:30, Daniel Fett <danielf+oauth@yes.com> wrote:
> >
> > All,
> >
> > In preparation for the meeting in Montreal, I just uploaded a new
> version of the DPoP draft:
> > https://tools.ietf.org/html/draft-fett-oauth-dpop-02
> >
> > Please have a look and let me know what you think. We should make this a
> working group item soon.
> >
> > As you might have noticed, there is also a new version of the Security
> Best Current Practice draft:
> > https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13
> >
> > -Daniel
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>

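As an added example, not taken from the thread or from either draft: the authorization_code token request Sascha describes, with the PKCE code_verifier included, and the S256 check an authorization server runs at the token endpoint against the code_challenge it stored with the code. Function names are my own; the authorization code and redirect URI in the usage are constructed values.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: a random code_verifier of 43..128 unreserved characters.
    32 random bytes base64url-encoded give exactly 43 characters."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def token_request_body(code: str, redirect_uri: str, code_verifier: str) -> str:
    """Client side: form body of the token request, i.e. the grant_type, code and
    redirect_uri from the draft's example plus the PKCE code_verifier."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
    })


def verify_code_verifier(stored_challenge: str, stored_method: str,
                         presented_verifier: str) -> bool:
    """Authorization server side: recompute the challenge from the verifier the
    client presents and compare it in constant time with the challenge bound to
    the authorization code. Only S256 is accepted here (assumption: 'plain'
    is rejected outright rather than supported)."""
    if stored_method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(s256_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = s256_challenge(verifier)  # sent in the authorization request
    body = token_request_body("SplxlOBeZQQYbYS6WxSbIA", "https://client.example/cb", verifier)
    print(body)
    print("verifier accepted:", verify_code_verifier(challenge, "S256", verifier))
```

The first assertion in the test uses the S256 test vector from RFC 7636 Appendix B, so a wrong digest or padding would be caught before any live server sees the request.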