Re: [OAUTH-WG] Confusion on Implicit Grant flow

Brian Campbell <bcampbell@pingidentity.com> Tue, 10 February 2015 12:07 UTC


On Mon, Feb 9, 2015 at 3:59 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> Connect has a response_mode that allows the response to be form encoded
> rather than fragment.
> I read RFC 5849 as only allowing code to be query encoded. The
> response_mode was intended for the new response types we defined in
> http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html
>

Actually, response_mode is defined in that spec itself, in section 2.1
<http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#ResponseModes>.

>
> The spec for response mode is here
> http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html
>

And that spec is actually there to define a new response mode, form_post, which
encodes the authorization response parameters as HTML form values that are
auto-submitted (via JavaScript) by the user agent and transmitted via HTTP
POST to the Client's redirect URI.
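As an added illustration of the form_post encoding described above (example code written for this archive page, not part of the thread or of either OpenID spec), the following builds the auto-submitting page an authorization server would return and parses it back the way a test for the client's redirect URI endpoint would. The function names, the redirect URI and the parameter values are constructed assumptions.

```python
# Added example: render and parse a form_post response page.
import html
from html.parser import HTMLParser


def form_post_response(redirect_uri, params):
    """Render the authorization response parameters as hidden form fields
    that the user agent auto-submits via HTTP POST to the client's redirect
    URI. Every value is HTML-escaped so that a state, code or error string
    cannot break out of its attribute and inject markup into the page."""
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}"/>'
        for k, v in params.items())
    return (
        "<html>\n <head><title>Submit This Form</title></head>\n"
        ' <body onload="javascript:document.forms[0].submit()">\n'
        f'  <form method="post" action="{html.escape(redirect_uri, quote=True)}">\n'
        f"{inputs}\n  </form>\n </body>\n</html>\n")


class _FormParser(HTMLParser):
    """Collects the form's action/method and its hidden input fields."""
    def __init__(self):
        super().__init__()
        self.action = None
        self.method = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action, self.method = a.get("action"), a.get("method")
        elif tag == "input" and a.get("type") == "hidden":
            self.fields[a["name"]] = a.get("value", "")


def parse_form_post(page):
    """Return (action, method, fields) from a form_post page. HTMLParser
    unescapes attribute values, so the round trip restores the originals
    exactly as the client's POST handler would receive them."""
    p = _FormParser()
    p.feed(page)
    return p.action, p.method, p.fields
```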