IETF Logo Mail Archive

Re: [OAUTH-WG] Preliminary OAuth Core draft -29

Justin Richer <jricher@mitre.org> Mon, 09 July 2012 20:21 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABB2D11E80FC for <oauth@ietfa.amsl.com>; Mon, 9 Jul 2012 13:21:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.538
X-Spam-Level:
X-Spam-Status: No, score=-6.538 tagged_above=-999 required=5 tests=[AWL=0.060, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rm4NFTx0qssK for <oauth@ietfa.amsl.com>; Mon, 9 Jul 2012 13:21:34 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 913EC11E80E4 for <oauth@ietf.org>; Mon, 9 Jul 2012 13:21:34 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id DAD5421B1410 for <oauth@ietf.org>; Mon, 9 Jul 2012 16:21:59 -0400 (EDT)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id C43D121B13FD for <oauth@ietf.org>; Mon, 9 Jul 2012 16:21:59 -0400 (EDT)
Received: from [129.83.50.26] (129.83.31.51) by IMCCAS04.MITRE.ORG (129.83.29.81) with Microsoft SMTP Server (TLS) id 14.2.283.3; Mon, 9 Jul 2012 16:21:59 -0400
Message-ID: <4FFB3D35.3080306@mitre.org>
Date: Mon, 09 Jul 2012 16:21:09 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20120615 Thunderbird/13.0.1
MIME-Version: 1.0
To: oauth@ietf.org
References: <4E1F6AAD24975D4BA5B16804296739436657C93A@TK5EX14MBXC283.redmond.corp.microsoft.com> <6AD425FB-9453-489D-9282-6EC125D535D5@gmail.com>
In-Reply-To: <6AD425FB-9453-489D-9282-6EC125D535D5@gmail.com>
Content-Type: multipart/alternative; boundary="------------030907010009080005030107"
X-Originating-IP: [129.83.31.51]
Subject: Re: [OAUTH-WG] Preliminary OAuth Core draft -29
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2012 20:21:36 -0000

Implicit grant makes perfect sense when the user agent and client are 
collapsed into a single entity. In other words, if your client is inside 
the user agent then doing a code flow doesn't actually buy you any extra 
security. This is the driving design decision behind having it in there, 
and from my perspective that's clear from the current text.

In a similar manner, the client credentials flow came about from 
collapsing the client with the resource owner, effectively putting the 
resource owner inside the client. In this case the authorization step 
doesn't make any sense and doing a code flow doesn't buy you any greater 
security, either.

  -- Justin

On 07/09/2012 01:31 PM, Dick Hardt wrote:
> Hi Mike
>
> Reading over the spec, I think some more color in 4.2 on the risks of 
> the Implicit Grant and where it makes sense and where it does not is 
> in order.
> Also, this should be in Section 9.
>
> Thoughts?
>
> -- Dick
>
> On Jul 9, 2012, at 12:08 AM, Mike Jones wrote:
>
>> A preliminary version of OAuth core draft -29 is attached for the 
>> working group's consideration and discussion on today's call.  I 
>> believe that this addresses all issues that have been raised, 
>> including Julian's issues about the ABNF, character sets, and form 
>> encoding.  Changes are:
>>
>>   * Added "MUST" to "A public client that was not issued a client
>>     password MUST use theclient_idrequest parameter to identify
>>     itself when sending requests to the token endpoint" and added
>>     text explaining why this must be so.
>>   * Added that the authorization server MUST "ensure the
>>     authorization code was issued to the authenticated confidential
>>     client or to the public client identified by theclient_idin the
>>     request".
>>   * Added Security Considerations section "Misuse of Access Token to
>>     Impersonate Resource Owner at Public Client".
>>   * Deleted ";charset=UTF-8" from examples formerly using
>>     "Content-Type: application/x-www-form-urlencoded;charset=UTF-8".
>>   * Added the phrase "and a character encoding of UTF-8" when
>>     describing how to send requests using the HTTP request
>>     entity-body, per Julian Reschke's suggestion.
>>   * Added "The ABNF below is defined in terms of Unicode code points
>>     [UNICODE5]; these characters are typically encoded in UTF-8".
>>   * For symmetry when using HTTP Basic authentication, also apply
>>     theapplication/x-www-form-urlencodedencoding to the client
>>     password, just as was already done for the client identifier.
>>   * Reduced multiple blank lines around artwork elements to single
>>     blank lines.
>>   * Removed Eran Hammer's name from the author list, at his request.
>>     Dick Hardt is now listed as the editor.
>>
>> Best wishes,
>> -- Mike
>> <draft-ietf-oauth-v2-29 preliminary.txt><draft-ietf-oauth-v2-29 
>> preliminary.html><draft-ietf-oauth-v2-29 
>> preliminary.pdf><draft-ietf-oauth-v2-29 
>> preliminary.xml>_______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email