Re: [OAUTH-WG] Authorization Code Grant diagram Improvement OAuth 2.1 draft-ietf-oauth-v2-1

Dick Hardt <dick.hardt@gmail.com> Thu, 30 July 2020 17:24 UTC

From: Dick Hardt <dick.hardt@gmail.com>
Date: Thu, 30 Jul 2020 10:23:26 -0700
Message-ID: <CAD9ie-sf+yxQaL-a1jVm=XyVCTkm2v9rc_8fWZOJsd62rCRQYQ@mail.gmail.com>
To: Warren Parad <wparad@rhosys.ch>
Cc: Aaron Parecki <aaron@parecki.com>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Vf9fzo7jLtDlxEOHeaJT5hKfhsQ>

The (A), (B), and (C) label the same flow that bounces through the
User-Agent. See note below the diagram.

Note the tails and arrows at each end of (A) and (C), and the arrows at
both ends of (B) to indicate an interaction between the RO and the AS. (In
my original version, I had the User instead of the RO.)

The (A) and (C) flows are shown to go through the User-Agent to make it
clear it is a redirect flow in contrast to (D) and (E) in which the Client
directly talks to the AS.


On Thu, Jul 30, 2020 at 9:57 AM Warren Parad <wparad@rhosys.ch> wrote:

> From the OAuth RFC, these were actually letters. I don't see a necessary
> association between the left side of the diagram and the right side, it
> just seems unnecessarily confusing.
> [image: image.png]
>
> Warren Parad
>
> Founder, CTO
> Secure your user data and complete your authorization architecture.
> Implement Authress <https://bit.ly/37SSO1p>.
>
>
> On Thu, Jul 30, 2020 at 5:49 PM Aaron Parecki <aaron@parecki.com> wrote:
>
>> These numbers in the diagram correspond to the numbered steps in the
>> paragraphs below the diagram. Perhaps using non-duplicated numbers would
>> help, such as "1a" and "1b" instead of two instances of "1"? Although I'm
>> not sure how that would work exactly because the "1/2/3" are really just a
>> single action as described by the "Note" below the diagram in your
>> screenshot.
>>
>> ---
>> Aaron Parecki
>> https://aaronparecki.com
>> https://oauth2simplified.com
>>
>> On Thu, Jul 30, 2020 at 8:43 AM Warren Parad <wparad@rhosys.ch> wrote:
>>
>>>
>>> https://www.ietf.org/id/draft-ietf-oauth-v2-1-00.html#name-authorization-code-grant
>>>
>>> Can we avoid using (1, 2, 3) on the left side of the diagram to
>>> describe, I'm not even sure what they are supposed to represent, not to
>>> mention the RO in the diagram doesn't really provide value (for me)
>>> relevant to the code grant flow. It's confusing to see these numerical
>>> identifiers twice in the same picture. But maybe there is something hidden
>>> in this that I'm missing, still 3a and 3b could be used to identify
>>> different legs of the same code path.
>>> [image: image.png]
>>>
>>>
>>> *Warren Parad*
>>> Secure your user data and complete your authorization architecture.
>>> Implement Authress <https://bit.ly/37SSO1p>.
>>> <https://rhosys.ch>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
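The five legs Dick describes, as an added simulation that is my own code and not from the draft or anyone in this thread: (A) and (C) are routed through a user-agent log because they are redirects, (D) and (E) are direct client-to-AS calls, and the AS binds the code to client_id, redirect_uri and a PKCE challenge (which OAuth 2.1 requires) and accepts it once. The client id and redirect URI are constructed values.

```python
import base64
import hashlib
import secrets

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

class AuthorizationServer:
    """(A)/(C) reach the AS only via user-agent redirects; (D)/(E) are direct client calls."""
    def __init__(self, registered):
        self.registered = registered   # client_id -> exact registered redirect_uri
        self.codes = {}                # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, query):        # (A) arrives; (B) is the RO approving at the AS
        if query["redirect_uri"] != self.registered.get(query["client_id"]):
            raise ValueError("redirect_uri not registered for this client")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (query["client_id"], query["redirect_uri"], query["code_challenge"])
        return {"code": code, "state": query["state"]}   # (C) travels back via the user-agent

    def token(self, form):             # (D): the client talks to the AS directly
        entry = self.codes.pop(form["code"], None)       # a code is single-use
        if entry != (form["client_id"], form["redirect_uri"],
                     b64url(hashlib.sha256(form["code_verifier"].encode()).digest())):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}  # (E)

def run_flow(user_agent_log, replay_code=False):
    """Drive one authorization code grant; user_agent_log collects the redirect legs."""
    client_id, redirect_uri = "demo-client", "https://client.example/cb"   # constructed
    aserver = AuthorizationServer({client_id: redirect_uri})
    verifier, state = secrets.token_urlsafe(32), secrets.token_urlsafe(16)
    request = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
               "state": state, "code_challenge_method": "S256",
               "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest())}
    user_agent_log.append(("A", request))                # redirect to the AS
    callback = aserver.authorize(request)
    user_agent_log.append(("C", callback))               # redirect back to the client
    if callback["state"] != state:                       # client ties (C) to its own (A)
        return {"error": "state_mismatch"}
    form = {"grant_type": "authorization_code", "code": callback["code"], "client_id": client_id,
            "redirect_uri": redirect_uri, "code_verifier": verifier}
    result = aserver.token(form)                         # (D)/(E) never touch the user-agent
    if replay_code:
        return aserver.token(form)                       # second use of the same code fails
    return result
```

The user-agent log ends up holding only legs (A) and (C): the code is visible on the front channel, the access token never is.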