Re: [OAUTH-WG] Transaction Authorization with OAuth

Brian Campbell <bcampbell@pingidentity.com> Tue, 30 April 2019 16:56 UTC

References: <8E2628D6-282A-4284-97E3-94466D71A75A@lodderstedt.net> <CA+k3eCTqwbXrePrac7UyPQ9VfqdpXtFFKMj7Ji0b-m8duL9MiQ@mail.gmail.com> <4303D8E2-DC2A-4359-B07D-6078E8FD6FFD@lodderstedt.net>
In-Reply-To: <4303D8E2-DC2A-4359-B07D-6078E8FD6FFD@lodderstedt.net>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 30 Apr 2019 10:55:35 -0600
Message-ID: <CA+k3eCTjJTU6z04jFO2_CG4iEhS6_sjvBqCoAXiLVcmq5NKmyg@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/VHeGgSsLutV7sHnvJO7qRa0TEkw>

On Tue, Apr 30, 2019 at 5:03 AM Torsten Lodderstedt <torsten@lodderstedt.net>
wrote:

>
>
> > On 26. Apr 2019, at 19:57, Brian Campbell <bcampbell@pingidentity.com>
> wrote:
> >
> > One thing that I think is missing from the article in the discussion of
> pros and cons is that in many cases a large or even voluminous request can
> be sent via auto submitting form post (like
> https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html but
> the other way around from client to AS with the auth request), which
> doesn't then run into the same URI size problem.
>
> Thanks for pointing this out! Is the response mode often used in the wild
> for OAuth?
>

It's not really a "response mode" for sending the request, but the idea is
basically the same, just going the other direction. The possibility is
implied by the text near the end of
https://tools.ietf.org/html/rfc6749?#section-3.1 that says,

  'The authorization server MUST support the use of the HTTP "GET"
   method [RFC2616] for the authorization endpoint and MAY support the
   use of the "POST" method as well.'

I know our AS will happily accept POST at the authorization endpoint and I
suspect many others will too. But I don't have any data on how often it is
used in the wild for OAuth.

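Added example, not code from the thread or from any particular AS: a client-side rendering of the "form_post in reverse" idea above, where the client emits an auto-submitting HTML form that POSTs the authorization request to the AS instead of redirecting with a long GET URL, alongside the AS-side parsing that makes GET query and POSTed form body interchangeable per RFC 6749 section 3.1. The endpoint, client_id, redirect_uri and the 4000-character `request` value are constructed placeholders.

```javascript
// Added example (not from the thread): an authorization request sent as an
// auto-submitting form POST (client -> AS), the mirror image of the
// form_post response mode, plus the AS-side parameter parsing.

const AUTHZ_ENDPOINT = "https://as.example/authorize"; // assumed placeholder

// Escape values before embedding them in HTML so a parameter value can never
// break out of the attribute it is placed in.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Conventional GET redirect URL, kept here only to compare its length.
function buildGetUrl(endpoint, params) {
  const u = new URL(endpoint);
  for (const [k, v] of Object.entries(params)) u.searchParams.set(k, v);
  return u.toString();
}

// Self-submitting page that POSTs the same parameters as
// application/x-www-form-urlencoded. The <noscript> button keeps the flow
// usable when scripts are disabled.
function buildAutoSubmitForm(endpoint, params) {
  const inputs = Object.entries(params)
    .map(([k, v]) => `<input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}">`)
    .join("\n      ");
  return `<!DOCTYPE html>
<html>
  <head><title>Authorization request</title></head>
  <body onload="document.forms[0].submit()">
    <form method="post" action="${escapeHtml(endpoint)}">
      ${inputs}
      <noscript><button type="submit">Continue</button></noscript>
    </form>
  </body>
</html>`;
}

// Body encoding the browser produces when it submits the form above.
function formBodyFromParams(params) {
  return new URLSearchParams(params).toString();
}

// AS side: GET query string and POSTed form body decode to the same map, so
// one handler serves both methods (RFC 6749 section 3.1: GET MUST, POST MAY).
function parseAuthzParams(method, url, body) {
  const src = method === "POST" ? body : new URL(url).search;
  return Object.fromEntries(new URLSearchParams(src));
}

// Constructed sample: a long "request" value stands in for the voluminous
// requests the thread is about (e.g. a signed request object).
const sampleParams = {
  response_type: "code",
  client_id: "s6BhdRkqt3",
  redirect_uri: "https://client.example/cb",
  scope: "openid payment",
  state: "af0ifjsldkj",
  request: "x".repeat(4000), // placeholder for a long signed request object
};

console.log("GET URL length:", buildGetUrl(AUTHZ_ENDPOINT, sampleParams).length);
console.log(buildAutoSubmitForm(AUTHZ_ENDPOINT, sampleParams).slice(0, 200) + "...");
```

Whichever method the request arrives by, the AS should apply the same validation (client_id lookup, redirect_uri match, state handling) to the decoded parameter map; the transport only changes where the bytes sit, not their trust level.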