Re: [OAUTH-WG] client_id in PAR and JAR

Filip Skokan <panva.ip@gmail.com> Tue, 30 June 2020 07:39 UTC

From: Filip Skokan <panva.ip@gmail.com>
Date: Tue, 30 Jun 2020 09:39:29 +0200
Message-Id: <A2FA66BD-C352-4279-90C4-91663FB61BAE@gmail.com>
References: <CAGObXPnr5tG6NXmhgOv_iKpjk+piXDiR+ZBse0ZYEuk1=3tRVQ@mail.gmail.com>
Cc: oauth@ietf.org
In-Reply-To: <CAGObXPnr5tG6NXmhgOv_iKpjk+piXDiR+ZBse0ZYEuk1=3tRVQ@mail.gmail.com>
To: Thiloshon Nagarajah <thiloshon=40wso2.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/UCLR-yUcTNZCuxN5TIInH2V93GM>

Hi Thiloshon,

Not quite the way it went down but we have this addressed in a future PAR draft. 

Thank you ;)

Filip

Sent from my iPhone

> On 30. 6. 2020 at 9:25, Thiloshon Nagarajah <thiloshon=40wso2.com@dmarc.ietf.org> wrote:
> 
> Hi All,
> 
> In the OAuth JAR specification, client_id is a required query parameter of the authorisation call, in both the request and request_uri flows [https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-23#section-5]
> 
> But in the OAuth PAR specification, which is a complementary spec to JAR, it is specified: "Clients are encouraged to use the request URI as the only parameter (in the authorisation call) in order to use the integrity and authenticity provided by the pushed authorization request." [https://tools.ietf.org/html/draft-ietf-oauth-par-01#section-4]
> 
> Taking into account that both of these build upon the OAuth spec, which also mandates the client_id query param in the authorisation call, it seems like PAR is not compatible with the OAuth and JAR specs. 
> 
> Is this intentional? If it is, may I know the rationale behind this decision? 
> 
> Regards,
> -- 
> Thiloshon Nagarajah
> Software Engineer,
> Financial Solutions
> WSO2
> +94774209947
> 
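An added example, not from this thread or from either specification's reference code, of how an authorization server can accept a request_uri-only authorization request (as the PAR draft encourages) while still honouring the client_id binding that OAuth and JAR require: the pushed request is stored against the client that authenticated at the PAR endpoint, and a client_id sent alongside request_uri, if present, must match it. The urn:ietf:params:oauth:request_uri: prefix, the in-memory store, the TTL and the client identifiers are assumptions for illustration.

```python
"""Authorization-server-side handling of a PAR request_uri (constructed example).

The pushed request is bound to the authenticated client at the PAR endpoint, so the
authorization endpoint can recover client_id even when request_uri is the only
parameter; an outer client_id that disagrees with that binding is rejected.
"""
import secrets
import time
from dataclasses import dataclass

# Prefix assumed for the reference returned by the PAR endpoint (illustrative).
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"


@dataclass
class PushedRequest:
    client_id: str      # client that authenticated when pushing the request
    params: dict        # authorization request parameters as pushed
    expires_at: float   # unix time after which the request_uri is invalid
    used: bool = False  # request_uri is single use


class AuthorizationServer:
    def __init__(self, ttl_seconds: int = 60):
        self.ttl = ttl_seconds
        self._store = {}  # request_uri -> PushedRequest (in-memory, for illustration)

    def push(self, authenticated_client_id: str, params: dict, now=None) -> str:
        """PAR endpoint: bind the pushed parameters to the authenticated client."""
        if params.get("client_id", authenticated_client_id) != authenticated_client_id:
            raise ValueError("invalid_request: client_id does not match authenticated client")
        now = time.time() if now is None else now
        ref = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        self._store[ref] = PushedRequest(authenticated_client_id, dict(params), now + self.ttl)
        return ref

    def resolve_authorization_request(self, query: dict, now=None) -> dict:
        """Authorization endpoint: resolve request_uri and enforce the client_id binding."""
        now = time.time() if now is None else now
        ref = query.get("request_uri")
        if not ref or not ref.startswith(REQUEST_URI_PREFIX):
            raise ValueError("invalid_request_uri: not a pushed request reference")
        pushed = self._store.get(ref)
        if pushed is None or pushed.used or now > pushed.expires_at:
            raise ValueError("invalid_request_uri: unknown, already used or expired")
        outer_client_id = query.get("client_id")
        if outer_client_id is not None and outer_client_id != pushed.client_id:
            raise ValueError("invalid_request: client_id does not match the pushed request")
        pushed.used = True
        # client_id is always present in the resolved request, even for request_uri-only calls.
        return {"client_id": pushed.client_id, **pushed.params}
```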