Re: [OAUTH-WG] draft-ietf-oauth-v2
John Bradley <ve7jtb@ve7jtb.com> Wed, 18 July 2012 00:18 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56CEE11E80EB for <oauth@ietfa.amsl.com>; Tue, 17 Jul 2012 17:18:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.498
X-Spam-Level:
X-Spam-Status: No, score=-3.498 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l-ZBKWE6kqSC for <oauth@ietfa.amsl.com>; Tue, 17 Jul 2012 17:18:14 -0700 (PDT)
Received: from mail-ob0-f172.google.com (mail-ob0-f172.google.com [209.85.214.172]) by ietfa.amsl.com (Postfix) with ESMTP id 7940911E80F1 for <oauth@ietf.org>; Tue, 17 Jul 2012 17:18:14 -0700 (PDT)
Received: by obbwc20 with SMTP id wc20so1493516obb.31 for <oauth@ietf.org>; Tue, 17 Jul 2012 17:19:03 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer:x-gm-message-state; bh=oL+O49R5QCQQEqqiBm/aqxU27cZCtao1qBBVTn/AuIU=; b=HScWQYgLmwIyIJcm3EBIDwlRZ6zHaF/YVe29LNwDtK49FLILeKO78ROvK+Om0r5/Jq mPiKFvHNnCfe64O1a0sX0okB5m9YRSRfxqcMuwF3U8T/fq/ePhKON/4zs3Izww0ohrZA L1aYfuu7sTnXKjUuJkLXxXOsdE1sdKGxPhL7HBcLGqz/CqCC1p6uDqCcjYE9UPfZz4Dk n0+g/0/nH/h8SaO9L4Chg7Et9kS/YaHHO5HqNZ377GE3gjPZd/MAs3mZiK7Gli1tARox VuEarBaw85IS8wPEmLf+f/U7ELRn8p4kuwrJiEj/UGcB4RrWk0TxLCBVOwQMjwmwrda9 PFIg==
Received: by 10.182.8.6 with SMTP id n6mr6259554oba.39.1342570742848; Tue, 17 Jul 2012 17:19:02 -0700 (PDT)
Received: from [172.17.10.233] ([66.110.180.66]) by mx.google.com with ESMTPS id o4sm12523755oef.11.2012.07.17.17.19.00 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 17 Jul 2012 17:19:02 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: multipart/alternative; boundary="Apple-Mail=_D7071F89-2F13-49BB-8D62-925C00FF84EB"
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <FE714B15-40C0-45C4-883A-C19179872C7B@gmail.com>
Date: Tue, 17 Jul 2012 18:18:58 -0600
Message-Id: <67223838-8A20-45FB-B9A9-427732A4D05F@ve7jtb.com>
References: <CA+NzUBvPO4jVLqdzNXF8MQXZew262G3Ashs-vvqF2pAbh8bukg@mail.gmail.com> <6C34F5DD-9CA7-40B0-B2DE-FB5E0A0D94D4@gmail.com> <CA+NzUBuBo5shGWV+Ca=uEztV69c3EhyY2QpFVny=_tvJjdDNog@mail.gmail.com> <FE714B15-40C0-45C4-883A-C19179872C7B@gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
X-Mailer: Apple Mail (2.1278)
X-Gm-Message-State: ALoCoQmwBCbcxqoAcBonXsR3tPKH9ef18KH7H0K6GvymNSsOIDqPk2Q5PKb3Lbgzk0Qku3umLqRr
Cc: Michael Scalia <michael.scalia@gmail.com>, "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-v2
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2012 00:18:15 -0000
I think mentioning it when code is first described is sufficient. The token endpoint is normally part of a Authorization server and must both produce and consume the code. I understand the request, but duplicating text for every step in a flow that parameter is used would cause the spec to be much larger. I don't see a need for a change at this point in the process. Regards John Bradley On 2012-07-17, at 4:56 PM, Dick Hardt wrote: > Thanks for the implementation feedback Michael. > > -- Dick > > On Jul 17, 2012, at 3:46 PM, Michael Scalia wrote: > >> Thanks for your response, Dick, and for pointing out that this is RECOMMENDED. I'll just say one more thing about this. While implementing the token endpoint of an authorization server, I naturally looked for the things I needed to account for in the request under 4.1.3 Access Token Request. I missed this because it wasn't with the other information about access token requests. Others may miss it as well, for the same reason. Just happened to notice this today under 4.1.2 while re-reading the spec. >> >> Regards, >> Michael >> >> On Tue, Jul 17, 2012 at 6:09 PM, Dick Hardt <dick.hardt@gmail.com> wrote: >> Thanks for the feedback Michael. >> >> 4.1.2 is where the authorization code is first talked about, and it makes sense to discuss how it is generated and used at that point. I can see how it might also be useful to put it in 4.1.3. Note that this is this is RECOMMENDED as opposed to MUST so it does not flow into "The authorization server MUST" list of points. >> >> Personally, I don't see a need to change. Anyone else have an opinion on this? >> >> -- Dick >> >> On Jul 17, 2012, at 2:22 PM, Michael Scalia wrote: >> >> > Dear OAuth Authors, >> > >> > I'm not sure if this is the right way to suggest an edit to the current OAuth draft. Please let me know if I should use a different route. >> > >> > Section 4.1.2 Authorization Response includes the text, "If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code. The authorization code is bound to the client identifier and redirection URI." >> > >> > I believe this text is in the wrong place. A client does not supply the authorization code to the authorization endpoint. It supplies it to the token endpoint. This should move to 4.1.3. Access Token Request, in the list of bulleted items under "The authorization server MUST". >> > >> > Thanks for all your work on this protocol. >> > >> > Regards, >> > Michael Scalia >> >> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] draft-ietf-oauth-v2 Dick Hardt
- Re: [OAUTH-WG] draft-ietf-oauth-v2 Dick Hardt
- Re: [OAUTH-WG] draft-ietf-oauth-v2 John Bradley