Re: [OAUTH-WG] OAuth Digest, Vol 136, Issue 7

Torsten Lodderstedt <torsten@lodderstedt.net> Wed, 19 February 2020 07:25 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5563120024 for <oauth@ietfa.amsl.com>; Tue, 18 Feb 2020 23:25:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tirhAhFGXag9 for <oauth@ietfa.amsl.com>; Tue, 18 Feb 2020 23:25:24 -0800 (PST)
Received: from mail-wm1-x32f.google.com (mail-wm1-x32f.google.com [IPv6:2a00:1450:4864:20::32f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B678812001A for <oauth@ietf.org>; Tue, 18 Feb 2020 23:25:23 -0800 (PST)
Received: by mail-wm1-x32f.google.com with SMTP id t14so5536862wmi.5 for <oauth@ietf.org>; Tue, 18 Feb 2020 23:25:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=content-transfer-encoding:from:mime-version:date:subject:message-id :cc:to; bh=qkpl7rv+Wp8rYAMDm1oITB07MZh9CGhkEntx8dLGJi8=; b=fAZ1R8GGR9WudUiDta1kKgIWQPUOutVs6xSmqub1JZT59pBp7SfoJ2LQQQ7TjvouvT jK2QxFLQurRHx0S23oDhHvtiCNAl1agyXWTG/3YxpuHxFYFxv5eDk0p+yIbQ5anGF2nx sTnQsxPO+jbu0ILVLa7xC0m4B1IAQD/KF7/xtz/DkDAA+k4iOgzPuDhNLgSYRNHvho0t BJ14FvJq40huUSlfjmbomutWiO2cKZOx0qFPfGcC3BuEfYcI1a2l+0c8ijM2psrh5ceQ zsrhl1oy0a6j/fMwgG1+CQ8PbNXL4H8uLre3CHbSjyrKFfvM+7idtobNqZiiDZNz8HkG nQNQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version:date :subject:message-id:cc:to; bh=qkpl7rv+Wp8rYAMDm1oITB07MZh9CGhkEntx8dLGJi8=; b=WZJdfv6yq782v90navKxaykCO1QdhiO2Zf0R3jeapiAZodLlVSjzXrnFurrn5cFSeY WGj7u0EdiLugq37S7JOp0wdALCgjEwnVzp3tlptRhm2f1BkKgHkW7AaGlRMUQDgcob8E ipSTjPqln6M+1mnWEwG+noOyzNn3qXPrZXz0bDCGpUmRpBktaOrVkmIS/YHsKsKqlw4w 0B1Xu+WhtuEV6Rm0Io8r5bvleEnUdnfl+LK5+Yfr2mi9vxhF/OQUsIi650lJxizqj8f0 NTtiM4ks+ASkfUhhHV40fZP/3gkvQowZrT6Zxn6x6I/BpMA+HGe3VooS6Etbww40GSh4 rc+w==
X-Gm-Message-State: APjAAAXJRvMypIAg5uyXWjz/4NEwcLXLFx+ZpoNnDlCbvXsojwSeioei RWmq4Xc+68o1N+dIkNuIklfPS3ctUZ9vnqek
X-Google-Smtp-Source: APXvYqwfVrfxgf7rQSgXo6ztRhfDriAlDWow3Tr/u+SX9T1T+vFsePsRu8Da4/lHo65sMOqqcBZ2Hw==
X-Received: by 2002:a7b:c847:: with SMTP id c7mr7818609wml.3.1582097122041; Tue, 18 Feb 2020 23:25:22 -0800 (PST)
Received: from [192.168.71.107] (p5B0D992E.dip0.t-ipconnect.de. [91.13.153.46]) by smtp.gmail.com with ESMTPSA id x21sm1687228wmi.30.2020.02.18.23.25.21 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 18 Feb 2020 23:25:21 -0800 (PST)
Content-Type: multipart/signed; boundary=Apple-Mail-CD6DEDE7-AAF6-4207-8610-02B511BD9941; protocol="application/pkcs7-signature"; micalg=sha-256
Content-Transfer-Encoding: 7bit
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Mime-Version: 1.0 (1.0)
Date: Wed, 19 Feb 2020 08:25:19 +0100
Message-Id: <3FB0EFA8-318A-4CB0-957B-CDCCE9C267B0@lodderstedt.net>
Cc: oauth@ietf.org
To: Bruno Brito <bhdebrito@gmail.com>
X-Mailer: iPhone Mail (17C54)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Jnie1HykL6uyoTAf4tjltbJk1eo>
Subject: Re: [OAUTH-WG] OAuth Digest, Vol 136, Issue 7
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Feb 2020 07:25:26 -0000

Hi Bruno,

thanks for your insights.

The recommendation is not only based on security considerations but just utility. As soon as one wants to integrate federated login or multi factor authentication,  ROPG reaches its limits.

Moreover, how do those teams implement user registration and user account recovery? In my experience, implementing this in a native experience will significantly increase cost of the implementation.

Two reasons to go with the code flow.

best regards,
Torsten.

> Am 19.02.2020 um 01:49 schrieb Bruno Brito <bhdebrito@gmail.com>om>:
>