IETF Logo Mail Archive

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

Eran Hammer <eran@hueniverse.com> Wed, 14 March 2012 17:08 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E840D21E8010 for <oauth@ietfa.amsl.com>; Wed, 14 Mar 2012 10:08:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.243
X-Spam-Level:
X-Spam-Status: No, score=-2.243 tagged_above=-999 required=5 tests=[AWL=-0.244, BAYES_00=-2.599, J_CHICKENPOX_45=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q4mdLzjfscWY for <oauth@ietfa.amsl.com>; Wed, 14 Mar 2012 10:08:41 -0700 (PDT)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by ietfa.amsl.com (Postfix) with SMTP id 3C32921F87B0 for <oauth@ietf.org>; Wed, 14 Mar 2012 10:08:41 -0700 (PDT)
Received: (qmail 23898 invoked from network); 14 Mar 2012 17:08:40 -0000
Received: from unknown (HELO p3plex2out02.prod.phx3.secureserver.net) (184.168.131.14) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 14 Mar 2012 17:08:40 -0000
Received: from P3PW5EX1HT004.EX1.SECURESERVER.NET ([72.167.180.46]) by p3plex2out02.prod.phx3.secureserver.net with bizsmtp id lV8g1i00410TkE001V8gE3; Wed, 14 Mar 2012 10:08:40 -0700
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT004.EX1.SECURESERVER.NET ([72.167.180.134]) with mapi; Wed, 14 Mar 2012 10:08:40 -0700
From: Eran Hammer <eran@hueniverse.com>
To: Marius Scurtescu <mscurtescu@google.com>, OAuth WG <oauth@ietf.org>
Date: Wed, 14 Mar 2012 10:08:32 -0700
Thread-Topic: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
Thread-Index: Ac0CAwqOQWdEeLV9SIu6J20RRRxhhAAATcQw
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723453AFF08903@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <CAGdjJpLBCyvg21zuGi1jWK58hkDL4Ff7-xdJ0dy0WZpvNPPrKA@mail.gmail.com>
In-Reply-To: <CAGdjJpLBCyvg21zuGi1jWK58hkDL4Ff7-xdJ0dy0WZpvNPPrKA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Breno de Medeiros <breno@google.com>
Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Mar 2012 17:08:42 -0000

This was already raised and addressed on this list last week.

When someone defines and registers code+token, that specification must define how such a client is registered in light of the text below. This might mean defining a new client type, choosing the confidential client type with other normative text limiting the use of the secret in the public component, etc.

IOW, this section doesn't break anything because there is nothing else defined to break. There is no way to avoid explicitly defining these requirements for a code+token response type, or any other new response type for that matter. The text below is required to ensure that the authorization server can properly enforce the rest of the normative security language in the specification.

EH


> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Marius Scurtescu
> Sent: Wednesday, March 14, 2012 9:53 AM
> To: OAuth WG
> Cc: Breno de Medeiros
> Subject: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
> 
> Hi,
> 
> Nat Sakimura started a thread on the OpenID Connect list about a breaking
> change introduced by rev 2.3
> 
> The paragraph in question is in section 2.1:
> 
> "A client application consisting of multiple components, each with its own
> client type (e.g. a distributed client with both a confidential server-based
> component and a public browser-based component), MUST register each
> component separately as a different client to ensure proper handling by the
> authorization server.  The authorization server MAY provider tools to manage
> such complex clients through a single administration interface."
> 
> http://tools.ietf.org/rfcdiff?difftype=--hwdiff&url2=draft-ietf-oauth-v2-
> 23.txt
> 
> You can see the thread here:
> http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-
> 20120312/001672.html
> 
> This paragraph basically prevents response_type=code+token which is
> already implemented by many providers and also relied on by OpenID
> Connect.
> 
> The intent, I think, was to prevent clients from embedding the client secret
> meant for a confidential client into a public client.
> JavaScript based clients using the token flow do not need the client secret, so
> this concern does not apply.
> 
> Thoughts?
> 
> Thanks,
> Marius
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email