[OAUTH-WG] OAuth 2.0 DPoP for the Implicit Flow
Mike Jones <Michael.Jones@microsoft.com> Tue, 10 March 2020 00:11 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83F463A0AA4 for <oauth@ietfa.amsl.com>; Mon, 9 Mar 2020 17:11:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 06wJd4RDH3sM for <oauth@ietfa.amsl.com>; Mon, 9 Mar 2020 17:11:45 -0700 (PDT)
Received: from NAM06-DM3-obe.outbound.protection.outlook.com (mail-eopbgr640126.outbound.protection.outlook.com [40.107.64.126]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7864B3A0ABF for <oauth@ietf.org>; Mon, 9 Mar 2020 17:11:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=cvXAxbInm5Ki8QwvCBC2J8mtoyFlQW3/+5e5Ht+FTF1P0sGl7c8Bowaf6BmoFR8AxgdJX5pSZedSYuEQMpyzvQ1uiIUkNIfNWx8lP1a6A/hWQThqziD2BAEdrk/J1Tsccvn2JejOIzzvKWH5JhsW7E4wvOEM5qPJb44XW2lIXMExABLS/ft0s9874mNr5SlU8TutrJCp9OWblj8U/R15/FdS061WBNeZzsKVytp/CAUScThr949JBjS6wVtxeFHIUc3mh69Db3bXNLQqRUuO/ff5a7qFd1UO6CdsAicZeREKKFWjQrt1aIPDWjblIgSNb604UOQZWmWgaCx7rNC7vw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=g5GGr0OqkmXSaylRujce06P/yx88IBNbzAw1QkYenP0=; b=VUgYMo4hJssf/m5AauPqKd4jRkkL6xbwSQhAUH9S5jDLzxQp+P44ppQaCOJFTF9dNsR8HVg4zmMwGoSeMgDaUelSAp5uQFS2TJvxcGc/H2CYS/sQNnFTOTxyp1aUvZ9Np2VxrB6Le6ujRe6ZHCY76pH3zr3eMxQZX0UAvCyYk82+DjFI7PgosomiT26sWHKWDv7yZLDwfGQ2oQTHXNMOhyfSZ68MV1onY6c93USjqx3Amr4lJAad0zMyzOzsPHqWEL/WXJRrj7NfC0bNVOIFh03PPjlxxznxCBha2ioJnkJAeL6EeAFGIcMpQGbqhh76JepWbHDMO+uh11nqGyFUrw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=g5GGr0OqkmXSaylRujce06P/yx88IBNbzAw1QkYenP0=; b=Mkcyd/ojUhTilmVAC9g57IDkHxZm48LuVyyNP075+GGhWuQuS0/G2VN8sS6wGZrx4UxKj8nWNDZkLbbtihjc09ToCex35cFgL3VAq3yzqQFS/Y4/ZDK/MoyssDqivLdJH4iBYRwyo4pxVVl8+iBovThnkTMeh9PkSJO2ZnIulUY=
Received: from CH2PR00MB0678.namprd00.prod.outlook.com (2603:10b6:610:a9::23) by CH2PR00MB0827.namprd00.prod.outlook.com (2603:10b6:610:6f::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2849.0; Tue, 10 Mar 2020 00:11:43 +0000
Received: from CH2PR00MB0678.namprd00.prod.outlook.com ([fe80::9544:f123:1e65:f212]) by CH2PR00MB0678.namprd00.prod.outlook.com ([fe80::9544:f123:1e65:f212%9]) with mapi id 15.20.2848.000; Tue, 10 Mar 2020 00:11:43 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: OAuth 2.0 DPoP for the Implicit Flow
Thread-Index: AdX2agUBQrAxPoALSxyQHW5s38krKg==
Date: Tue, 10 Mar 2020 00:11:43 +0000
Message-ID: <CH2PR00MB06784BE1BB83918ABC652C7AF5FF0@CH2PR00MB0678.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=8a45df92-df4d-4c1f-8648-0000f55fffa6; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-03-09T23:25:24Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-originating-ip: [50.47.83.137]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: a7a43797-ccbf-444b-d27f-08d7c4879d77
x-ms-traffictypediagnostic: CH2PR00MB0827:
x-microsoft-antispam-prvs: <CH2PR00MB082772FA9CC97DBD286E099DF5FF0@CH2PR00MB0827.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 033857D0BD
x-forefront-antispam-report: SFV:NSPM; SFS:(10001)(10019020)(4636009)(366004)(39860400002)(376002)(396003)(136003)(346002)(199004)(189003)(7696005)(186003)(81156014)(8676002)(55016002)(81166006)(6916009)(52536014)(21615005)(71200400001)(10290500003)(86362001)(76116006)(26005)(8990500004)(64756008)(66476007)(66556008)(66446008)(66946007)(8936002)(6506007)(316002)(966005)(478600001)(5660300002)(33656002)(2906002)(9686003)(6606295002); DIR:OUT; SFP:1102; SCL:1; SRVR:CH2PR00MB0827; H:CH2PR00MB0678.namprd00.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: iNkf2An8oIbhPzJNJtX4WSuFyuCdNkudl/GyXGmuuk7cM9bHhwo4KvlFC7bPJEminAKNQIdYthXU1HmIDtEYQ90Rlso09zaZlr1SHZ2RXZ6J0yhBYZoHEjU38KKlMiOb00kokbYqvzQL7unPzla4sfHyXcOab8JtrmE+8N2xKJFkv7vTdZG07p01Yj8xV95pfkCdBvPy2AOcm7+Jvle7iqcXUp1KdJ/IQn24F1jQngsKaCBkgJD6ldv/u9f4CSvPEaRixVNw80fUKnpQ7NayIwHBcXiCdS5nqsp2YyOZLXnnKaPB2cfII5Kv/3YrHWWO4RzRXYx17W6c6dVfrgOdIa/aRFf4qdL0QLpaH6kCLfIjVjlEH/2hk6F8JxoujZzvdtrqswInKMM1cblH5gbUwTPTLRMx8IiRe+KbbLzuyvX+fDxzHUHutbIs85ZrihQAFz3kJhKq2uyIzsYS6+gatS7JZIdCOWZVuWZ5vFMAo/xTwmuKiLHMFImmvRsvhgpBTmVIgSdysVwGpSCbRmbTSbupMMG0VtQpVUVNYlGiQQaH1BFayWjdSkqPqfTPEvUkU8CP/D+aIKyneSYbaM5JV+T39fh4PlhDQae2xuzvIta0Oh8ArWg0Bon6Z7l0mHHPWl70jHv2GpOQkx8l3MU14Q==
x-ms-exchange-antispam-messagedata: 7rA4Ke0YOwOF5eTtXxM1kXepWXpje7Y07qRgt/a390GnD81GSY9Zj2X0O7kU+1pPxBNE50RTmlKizSpqgD30Q36uR+AjIS376dC+HUUlMdUICPX3veo1hlh1wIjHduWBVH3dC1aIdsWyE4dMgsTMEw==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_CH2PR00MB06784BE1BB83918ABC652C7AF5FF0CH2PR00MB0678namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a7a43797-ccbf-444b-d27f-08d7c4879d77
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Mar 2020 00:11:43.6136 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: HvLBaS+VgA/+k0F2qByghNIJ9jS6yZHE8fjVnyRdGD7glFuvnfHj2uKSwg5pDx2MCehb/EIAdR8Cs4BdwFQF1g==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR00MB0827
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5xuPrSdHTLFpps6hkPRimnsNNy8>
Subject: [OAUTH-WG] OAuth 2.0 DPoP for the Implicit Flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2020 00:11:52 -0000
As I previously described<https://self-issued.info/?p=1967>, members of the OAuth working group have developed a simplified approach to providing application-level proof-of-possession protections for OAuth 2.0 access tokens and refresh tokens. This approach is called OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP). Among other benefits, it does not require a complicated and error-prone procedure for signing HTTP requests, as some past approaches have. However, the DPoP specification to date has assumed that the client is using the OAuth authorization code flow. As promised at the last IETF meeting, we've now published a simple companion specification that describes how DPoP can be used with the OAuth implicit flow - in which access tokens are returned directly from the authorization endpoint. The specification is mercifully brief because very little had to be added to supplement the existing DPoP spec to enable use of DPoP with the implicit flow. Thanks to Brian Campbell and John Bradley for whiteboarding this solution with me. Finally, in a related development, it was decided during the OAuth virtual interim meeting today to call for working group adoption of the core DPoP draft. That's an important step on the journey towards making it a standard. The specification is available at: * https://tools.ietf.org/html/draft-jones-oauth-dpop-implicit-00 An HTML-formatted version is also available at: * https://self-issued.info/docs/draft-jones-oauth-dpop-implicit-00.html -- Mike P.S. This notice was also posted at https://self-issued.info/?p=2063 and as @selfissued<https://twitter.com/selfissued>.
- [OAUTH-WG] OAuth 2.0 DPoP for the Implicit Flow Mike Jones
- Re: [OAUTH-WG] OAuth 2.0 DPoP for the Implicit Fl… Filip Skokan
- Re: [OAUTH-WG] OAuth 2.0 DPoP for the Implicit Fl… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] OAuth 2.0 DPoP for the Implicit Fl… Justin Richer
- Re: [OAUTH-WG] OAuth 2.0 DPoP for the Implicit Fl… Aaron Parecki
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.0 DPoP for … Mike Jones
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.0 DPoP for … Mike Jones
- Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.0 DPoP for … Brian Campbell