Re: [OAUTH-WG] Advertise PKCE support in OAuth 2.0 Discovery (draft-jones-oauth-discovery-00)

John Bradley <ve7jtb@ve7jtb.com> Thu, 21 January 2016 14:17 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
Date: Thu, 21 Jan 2016 11:17:41 -0300
To: William Denniss <wdenniss@google.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/J-93eTLscl4PKYCG_pL1LPiyhes>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Advertise PKCE support in OAuth 2.0 Discovery (draft-jones-oauth-discovery-00)

The code_challenge and code_challenge_method parameter names predate calling the spec PKCE.  

Given that some of us deployed early versions of PKCE in products and open source to mitigate the problem before the spec was completed, we decided not to rename the parameter names from code_verifier_method to pkce_verifier_method.

For consistency we should stick with code_verifier_methods_supported in discovery.

John B.

> On Jan 21, 2016, at 3:12 AM, William Denniss <wdenniss@google.com> wrote:
> 
> "code_challenge_methods_supported" definitely works for me.
> 
> Any objections to moving forward with that? I would like to update our discovery doc shortly.
> 
> On Thu, Jan 21, 2016 at 1:37 PM, Nat Sakimura <sakimura@gmail.com> wrote:
> Ah, OK. That's actually reasonable. 
> 
> On Thu, Jan 21, 2016 at 9:31, nov matake <matake@gmail.com> wrote:
> I prefer "code_challenge_methods_supported", since the registered parameter name is "code_challenge_method", not "pkce_method".
> 
>> On Jan 19, 2016, at 11:58, William Denniss <wdenniss@google.com> wrote:
>> 
>> Seems like we agree this should be added. How should it look?
>> 
>> Two ideas:
>> 
>> "code_challenge_methods_supported": ["plain", "S256"]
>> 
>> or
>> 
>> "pkce_methods_supported": ["plain", "S256"]
>> 
>> 
>> 
>> On Wed, Jan 6, 2016 at 9:59 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>> +1
>> 
>> 
>> On 06.01.2016 at 18:25, William Denniss wrote:
>>> +1
>>> 
>>> On Wed, Jan 6, 2016 at 6:40 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>> Good point.  Now that PKCE is a RFC we should add it to discovery.
>>> 
>>> John B.
>>> > On Jan 6, 2016, at 9:29 AM, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
>>> >
>>> > I just noticed PKCE support is missing from the discovery metadata.
>>> >
>>> > Is it a good idea to add it?
>>> >
>>> > Cheers,
>>> >
>>> > Vladimir
>>> >
>>> > --
>>> > Vladimir Dzhuvinov
>>> >
>>> >
>>> > _______________________________________________
>>> > OAuth mailing list
>>> > OAuth@ietf.org
>>> > https://www.ietf.org/mailman/listinfo/oauth
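As an added example (not code from the thread or from any of its authors), here is what a client and an authorization server do with the proposed "code_challenge_methods_supported" entry: the client prefers S256 over plain when the metadata advertises both, derives the challenge as RFC 7636 specifies (BASE64URL of SHA-256 of the verifier, no padding), and the token endpoint re-derives and compares it. The metadata document and the issuer URL are constructed for this example.

```python
import base64
import hashlib
import json
import secrets
import string

# Constructed sample of AS discovery metadata carrying the entry proposed in the thread.
AS_METADATA_JSON = '{"issuer": "https://as.example.com", "code_challenge_methods_supported": ["plain", "S256"]}'

# S256 first: with "plain" the challenge equals the verifier, so anyone who observes the
# authorization request (e.g. via the front channel) can redeem an intercepted code.
METHOD_PREFERENCE = ("S256", "plain")
VERIFIER_ALPHABET = string.ascii_letters + string.digits + "-._~"  # RFC 7636 unreserved set

def choose_method(metadata_json):
    """Return the strongest advertised method, or None if the AS does not advertise PKCE."""
    supported = json.loads(metadata_json).get("code_challenge_methods_supported", [])
    for method in METHOD_PREFERENCE:
        if method in supported:
            return method
    return None

def new_code_verifier(length=64):
    """High-entropy verifier of 43..128 unreserved characters, per RFC 7636 section 4.1."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier length must be 43..128")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))

def code_challenge(verifier, method):
    """Derive the code_challenge the client sends on the authorization request."""
    if method == "plain":
        return verifier
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    raise ValueError("unsupported code_challenge_method: %r" % method)

def server_verifies(stored_challenge, stored_method, presented_verifier):
    """Token-endpoint check: recompute from the presented verifier and compare in constant time."""
    if not 43 <= len(presented_verifier) <= 128 or any(c not in VERIFIER_ALPHABET for c in presented_verifier):
        return False
    expected = code_challenge(presented_verifier, stored_method)
    return secrets.compare_digest(expected, stored_challenge)

if __name__ == "__main__":
    method = choose_method(AS_METADATA_JSON)
    verifier = new_code_verifier()
    challenge = code_challenge(verifier, method)
    print(method, challenge, server_verifies(challenge, method, verifier))
```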