Re: [OAUTH-WG] Transaction Authorization with OAuth
Brian Campbell <bcampbell@pingidentity.com> Tue, 30 April 2019 16:56 UTC
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 30 Apr 2019 10:55:35 -0600
Message-ID: <CA+k3eCTjJTU6z04jFO2_CG4iEhS6_sjvBqCoAXiLVcmq5NKmyg@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/VHeGgSsLutV7sHnvJO7qRa0TEkw>
On Tue, Apr 30, 2019 at 5:03 AM Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

> > On 26. Apr 2019, at 19:57, Brian Campbell <bcampbell@pingidentity.com> wrote:
> >
> > One thing that I think is missing from the article in the discussion of pros and cons is that in many cases a large or even voluminous request can be sent via auto-submitting form post (like https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html but the other way around, from client to AS with the auth request), which doesn't then run into the same URI size problem.
>
> Thanks for pointing this out! Is the response mode often used in the wild for OAuth?

It's not really a "response mode" for sending the request, but the idea is basically the same, just going the other direction. The possibility is implied by the text near the end of https://tools.ietf.org/html/rfc6749?#section-3.1 that says, 'The authorization server MUST support the use of the HTTP "GET" method [RFC2616] for the authorization endpoint and MAY support the use of the "POST" method as well.' I know our AS will happily accept POST at the authorization endpoint and I suspect many others will too. But I don't have any data on how often it is used in the wild for OAuth.
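The client-to-AS form POST Brian describes, as an added example that is not part of the thread or any implementation named in it: the same authorization request parameters rendered either as a GET URL (which grows with the transaction payload) or as an auto-submitting HTML form that POSTs them to the authorization endpoint, plus the form-body decoding an AS that accepts POST would do. The endpoint, client values, transaction items and the `structured_scope` parameter name are constructed placeholders.

```python
import html
import json
import urllib.parse

# Constructed placeholders, not values from the thread.
AUTHZ_ENDPOINT = "https://as.example.com/authorize"
TYPICAL_URL_LIMIT = 2048  # a common practical ceiling for request URIs


def sample_transaction(n_items: int) -> list:
    """Constructed structured transaction: n payment instructions."""
    return [
        {"type": "payment_initiation",
         "instructedAmount": {"currency": "EUR", "amount": "123.50"},
         "creditorName": f"Merchant {i}",
         "creditorAccount": {"iban": "DE02100100109307118603"}}
        for i in range(n_items)
    ]


def build_auth_params(transaction: list) -> dict:
    """Authorization request parameters; the structured payload is JSON in one field."""
    return {
        "response_type": "code",
        "client_id": "s6BhdRkqt3",
        "redirect_uri": "https://client.example.org/cb",
        "state": "af0ifjsldkj",
        "structured_scope": json.dumps(transaction, separators=(",", ":")),
    }


def build_get_url(params: dict) -> str:
    """Conventional GET: every parameter lands in the query string."""
    return AUTHZ_ENDPOINT + "?" + urllib.parse.urlencode(params)


def build_post_form(params: dict) -> str:
    """Auto-submitting form that POSTs the same parameters (form_post, reversed).
    Each name and value is HTML-escaped so no value can break out of its attribute."""
    esc = lambda s: html.escape(s, quote=True)
    fields = "\n".join(
        f'  <input type="hidden" name="{esc(k)}" value="{esc(v)}">' for k, v in params.items())
    return ("<!DOCTYPE html>\n<html><body onload=\"document.forms[0].submit()\">\n"
            f'<form method="post" action="{esc(AUTHZ_ENDPOINT)}">\n{fields}\n'
            '  <noscript><button type="submit">Continue</button></noscript>\n'
            "</form></body></html>")


def parse_post_body(body: str) -> dict:
    """AS side: decode an application/x-www-form-urlencoded body exactly like a query string."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(body, strict_parsing=True).items()}
```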