Re: [OAUTH-WG] Advertise PKCE support in OAuth 2.0 Discovery (draft-jones-oauth-discovery-00)

William Denniss <wdenniss@google.com> Mon, 01 February 2016 20:25 UTC

In-Reply-To: <CAAP42hDSWPq+wdjEk1D=rFeUuccpc3rQbxJmAR2TS0sjVahA-w@mail.gmail.com>
References: <568D24DD.3050501@connect2id.com> <EA392E73-1C01-42DC-B21D-09F570239D5E@ve7jtb.com> <CAAP42hAA6SOvfxjfuQdjoPfSh3HmK=a7PCQ_sPXTmDg+AQ6sug@mail.gmail.com> <568D5610.6000506@lodderstedt.net> <CAAP42hA8SyOOkJ-D299VgvQUdQv6NXqxSt9R0TK7Zk7JaU56eQ@mail.gmail.com> <F9C0DF10-C067-4EEB-85C8-E1208798EA54@gmail.com> <CABzCy2A+Z86UCJXeK1mLPfyq9p1QQS=_dekbEz6ibP8Z8Pz87Q@mail.gmail.com> <CAAP42hCKRpEnS7zVL7C_jpaFXwXUjzkNUzxtDa9MUKAQw7gsAA@mail.gmail.com> <10631235-AF1B-4122-AEAE-D56BBF38F87E@ve7jtb.com> <CAAP42hB=1rudPCzrCgaUp3W8+K0jcfoAwq3gJG5=vNeK9pqjaA@mail.gmail.com> <6F32C1CF-EA2A-4A74-A694-F52FD19DBA5C@ve7jtb.com> <CAAP42hC1KbDF1oOLyY11ZBW-WyBQjaEQTzAyZLfKUvOS8fOQOQ@mail.gmail.com> <BY2PR03MB44214DF2BDECA8050E819F6F5C70@BY2PR03MB442.namprd03.prod.outlook.com> <CAAP42hDSWPq+wdjEk1D=rFeUuccpc3rQbxJmAR2TS0sjVahA-w@mail.gmail.com>
From: William Denniss <wdenniss@google.com>
Date: Mon, 01 Feb 2016 12:25:16 -0800
Message-ID: <CAAP42hCC+nK2y-wjgAdpkzSzK03CoY09o8fKg-a4+_GwXtOO9g@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/QoUqZEaqDxLJMZIeGcTid470pIo>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Advertise PKCE support in OAuth 2.0 Discovery (draft-jones-oauth-discovery-00)

We are now live with this change:

https://accounts.google.com/.well-known/openid-configuration

I'm glad we all reached a consensus on how this param should work, and what
it should be called, and thank you Mike for revising the draft! My ask now
is that we don't revisit this decision, unless for extremely good reasons,
as we don't want to break clients who will start using this.

On Mon, Jan 25, 2016 at 4:08 PM, William Denniss <wdenniss@google.com>
wrote:

> Thanks Mike, looking forward to the update. I reviewed the other thread.
>
> On Mon, Jan 25, 2016 at 2:49 PM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>
>> I'll add it to the discovery draft in the next day or so.  Also, please
>> see my questions in the message "[OAUTH-WG] Discovery document updates
>> planned". I was waiting for that feedback before doing the update.
>>
>> Thanks,
>> -- Mike
>> ------------------------------
>> From: William Denniss <wdenniss@google.com>
>> Sent: 1/25/2016 2:29 PM
>> To: John Bradley <ve7jtb@ve7jtb.com>
>> Cc: Nat Sakimura <sakimura@gmail.com>; oauth@ietf.org; Mike Jones
>> <Michael.Jones@microsoft.com>
>> Subject: Re: [OAUTH-WG] Advertise PKCE support in OAuth 2.0 Discovery
>> (draft-jones-oauth-discovery-00)
>>
>> OK great! It seems that we have consensus on this. So this is what we
>> plan to add to our discovery doc, based on this discussion:
>>
>> "code_challenge_methods_supported": ["plain","S256"]
>>
>> What are the next steps? Can we add it to
>> https://tools.ietf.org/html/draft-jones-oauth-discovery directly? I see
>> that the IANA registry created by that draft is "Specification
>> Required", but PKCE is already an RFC without this param being registered.
>>
>>
>> On Mon, Jan 25, 2016 at 2:11 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>
>>> Yes, sorry. code_challenge_method is the query parameter, so
>>> code_challenge_methods_supported
>>>
>>>
>>> On Jan 25, 2016, at 6:12 PM, William Denniss <wdenniss@google.com>
>>> wrote:
>>>
>>>
>>>
>>> On Thu, Jan 21, 2016 at 6:17 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>>
>>>> The code_challenge and code_challenge_method parameter names predate
>>>> calling the spec PKCE.
>>>>
>>>> Given that some of us deployed early versions of PKCE in products and
>>>> opensource to mitigate the problem before the spec was completed we decided
>>>> not to rename the parameter names from code_verifier_method to
>>>> pkce_verifier_method.
>>>>
>>>> For consistency we should stick with code_verifier_methods_supported in
>>>> discovery.
>>>>
>>>
>>> To clarify, did you mean "code_challenge_methods_supported"?  That is,
>>> building on the param name "code_challenge_method" from Section 4.3
>>> <https://tools.ietf.org/html/rfc7636#section-4.3>?
>>>
>>>
>>>>
>>>> John B.
>>>>
>>>> On Jan 21, 2016, at 3:12 AM, William Denniss <wdenniss@google.com>
>>>> wrote:
>>>>
>>>> "code_challenge_methods_supported" definitely works for me.
>>>>
>>>> Any objections to moving forward with that? I would like to update our
>>>> discovery doc shortly.
>>>>
>>>> On Thu, Jan 21, 2016 at 1:37 PM, Nat Sakimura <sakimura@gmail.com>
>>>> wrote:
>>>>
>>>>> Ah, OK. That's actually reasonable.
>>>>>
>>>>> On Thu, Jan 21, 2016 at 9:31, nov matake <matake@gmail.com> wrote:
>>>>>
>>>>>> I prefer “code_challenge_methods_supported”, since the registered
>>>>>> parameter name is “code_challenge_method”, not “pkce_method".
>>>>>>
>>>>>> On Jan 19, 2016, at 11:58, William Denniss <wdenniss@google.com>
>>>>>> wrote:
>>>>>>
>>>>>> Seems like we agree this should be added. How should it look?
>>>>>>
>>>>>> Two ideas:
>>>>>>
>>>>>> "code_challenge_methods_supported": ["plain", "S256"]
>>>>>>
>>>>>> or
>>>>>>
>>>>>> "pkce_methods_supported": ["plain", "S256"]
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Jan 6, 2016 at 9:59 AM, Torsten Lodderstedt <
>>>>>> torsten@lodderstedt.net> wrote:
>>>>>>
>>>>>>> +1
>>>>>>>
>>>>>>>
>>>>>>> On 06.01.2016 at 18:25, William Denniss wrote:
>>>>>>>
>>>>>>> +1
>>>>>>>
>>>>>>> On Wed, Jan 6, 2016 at 6:40 AM, John Bradley <ve7jtb@ve7jtb.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Good point.  Now that PKCE is a RFC we should add it to discovery.
>>>>>>>>
>>>>>>>> John B.
>>>>>>>> > On Jan 6, 2016, at 9:29 AM, Vladimir Dzhuvinov <
>>>>>>>> vladimir@connect2id.com> wrote:
>>>>>>>> >
>>>>>>>> > I just noticed PKCE support is missing from the discovery
>>>>>>>> metadata.
>>>>>>>> >
>>>>>>>> > Is it a good idea to add it?
>>>>>>>> >
>>>>>>>> > Cheers,
>>>>>>>> >
>>>>>>>> > Vladimir
>>>>>>>> >
>>>>>>>> > --
>>>>>>>> > Vladimir Dzhuvinov
>>>>>>>> >
>>>>>>>> >
>>>>>>>> > _______________________________________________
>>>>>>>> > OAuth mailing list
>>>>>>>> > OAuth@ietf.org
>>>>>>>> > https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>
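The metadata entry the thread settles on, "code_challenge_methods_supported": ["plain","S256"], is only useful if a client actually consumes it. The following is an added example written for this archive page, not code from the thread, from Google's discovery document, or from the discovery draft. It reads a discovery document (constructed inline here; the issuer and endpoint URLs and all function names are the example's own assumptions), picks the strongest advertised method, derives the code_verifier / code_challenge pair as RFC 7636 describes, and runs the token-endpoint check an authorization server would perform. The S256 test vector in the test is the one from RFC 7636 Appendix B.

```python
"""PKCE method selection from discovery metadata, plus the RFC 7636
verifier/challenge derivation and the server-side check.

Added example for the archived thread; not part of any message in it.
The discovery document below is constructed for the example; the URLs
are placeholders (assumption), only the code_challenge_methods_supported
key and its ["plain", "S256"] values come from the thread.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed sample discovery document (assumption: not a live issuer).
DISCOVERY_JSON = json.dumps({
    "issuer": "https://as.example",
    "authorization_endpoint": "https://as.example/authorize",
    "token_endpoint": "https://as.example/token",
    "code_challenge_methods_supported": ["plain", "S256"],
})


def select_challenge_method(discovery_json: str) -> Optional[str]:
    """Return the strongest method the AS advertises, or None.

    None means the metadata does not advertise PKCE at all; the client
    then cannot tell whether a code_challenge it sends will be enforced
    or silently ignored, which is exactly the gap the thread is closing.
    """
    meta = json.loads(discovery_json)
    methods = meta.get("code_challenge_methods_supported")
    if not methods:
        return None
    if "S256" in methods:
        return "S256"
    if "plain" in methods:
        return "plain"
    return None  # only names this client does not implement


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 section 4.1: 43..128 unreserved characters.

    32 random bytes base64url-encode to exactly 43 characters.
    """
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str, method: str) -> str:
    """RFC 7636 section 4.2: S256 is BASE64URL(SHA256(ASCII(verifier)))."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method: %s" % method)


def server_verify(stored_challenge: str, stored_method: str,
                  presented_verifier: str) -> bool:
    """Token-endpoint check (RFC 7636 section 4.6).

    The AS stored code_challenge and code_challenge_method with the
    authorization code; it recomputes the challenge from the presented
    code_verifier and compares in constant time.
    """
    if not 43 <= len(presented_verifier) <= 128:
        return False
    try:
        expected = make_code_challenge(presented_verifier, stored_method)
    except ValueError:
        return False
    return hmac.compare_digest(expected, stored_challenge)


def pkce_round_trip(discovery_json: str = DISCOVERY_JSON) -> dict:
    """Client chooses a method from discovery, AS verifies the exchange."""
    method = select_challenge_method(discovery_json)
    if method is None:
        raise RuntimeError("AS does not advertise code_challenge_methods_supported")
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier, method)
    # Authorization request would carry code_challenge and
    # code_challenge_method; the token request carries code_verifier.
    ok = server_verify(challenge, method, verifier)
    wrong = server_verify(challenge, method, make_code_verifier())
    return {"method": method, "verifier": verifier, "challenge": challenge,
            "ok": ok, "wrong_rejected": not wrong}


if __name__ == "__main__":
    print(json.dumps(pkce_round_trip(), indent=2))
```

The example treats a missing code_challenge_methods_supported entry as "PKCE cannot be relied on" rather than silently falling back to sending a challenge anyway; that is this example's design choice, made so the absence of the entry is visible to the client instead of being indistinguishable from an AS that accepts and enforces S256.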