Re: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-par-01.txt

Vladimir Dzhuvinov <vladimir@connect2id.com> Mon, 04 November 2019 07:34 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/WH_1tvTDgvCf1AM8OYvDc6w2g2E>

+1 for WG adoption

I'm super pleased with how usable the spec already is and how easy it
was to explain to developers - you just take the regular authZ request
and POST it form-encoded, using whatever client auth is registered for
the token endpoint. PAR is significantly more versatile than the
original "request object endpoint" from FAPI, while keeping normative
stuff minimal by relying on existing specs - RFC 6749 and JAR. This
means existing OAuth clients and servers can be made to support it with
relatively little work because code reuse is facilitated.

The OAuth SDK was updated from PAR -00 to PAR -01 this morning to allow
for the authZ error codes:

https://www.javadoc.io/doc/com.nimbusds/oauth2-oidc-sdk/6.18/com/nimbusds/oauth2/sdk/PushedAuthorizationRequest.html

https://www.javadoc.io/doc/com.nimbusds/oauth2-oidc-sdk/6.18/com/nimbusds/oauth2/sdk/PushedAuthorizationResponse.html


Vladimir


On 03/11/2019 18:11, Torsten Lodderstedt wrote:
> Hi all, 
>
> revision of draft-lodderstedt-oauth-par (Pushed Authorization
> Requests) was just published. 
>
> Here is the list of changes:
>
>   * List client_id as one of the basic parameters
>   * Explicitly forbid request_uri in the processing rules
>   * Clarification regarding client authentication and that public
>     clients are allowed
>   * Added option to let clients register per-authorization request
>     redirect URIs
>   * General clean up and wording improvements
>
> I will present this draft in Singapore and would be happy if the
> working group would consider adoption of this joint work (Co-authors:
> David Tonge, Nat Sakimura, Brian Campbell, Filip Skokan) as WG draft.
>
> best regards,
> Torsten. 
>
>> Begin forwarded message:
>>
>> From: internet-drafts@ietf.org
>> Subject: New Version Notification for draft-lodderstedt-oauth-par-01.txt
>> Date: 3. November 2019 at 17:04:23 CET
>> To: "Nat Sakimura" <nat@sakimura.org>,
>> "Brian Campbell" <bcampbell@pingidentity.com>,
>> "Torsten Lodderstedt" <torsten@lodderstedt.net>,
>> "Dave Tonge" <dave@tonge.org>,
>> "Filip Skokan" <panva.ip@gmail.com>
>>
>>
>> A new version of I-D, draft-lodderstedt-oauth-par-01.txt
>> has been successfully submitted by Torsten Lodderstedt and posted to the
>> IETF repository.
>>
>> Name: draft-lodderstedt-oauth-par
>> Revision: 01
>> Title: OAuth 2.0 Pushed Authorization Requests
>> Document date: 2019-11-02
>> Group: Individual Submission
>> Pages: 14
>> URL: https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-par-01.txt
>> Status: https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-par/
>> Htmlized: https://tools.ietf.org/html/draft-lodderstedt-oauth-par-01
>> Htmlized: https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-par
>> Diff: https://www.ietf.org/rfcdiff?url2=draft-lodderstedt-oauth-par-01
>>
>> Abstract:
>>   This document defines the pushed authorization request endpoint,
>>   which allows clients to push the payload of an OAuth 2.0
>>   authorization request to the authorization server via a direct
>>   request and provides them with a request URI that is used as
>>   reference to the data in a subsequent authorization request.
>>
>>
>>
>>
>> Please note that it may take a couple of minutes from the time of
>> submission until the htmlized version and diff are available at
>> tools.ietf.org.
>>
>> The IETF Secretariat
>>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
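
The flow discussed in this thread, as an added example (not part of either message, and not code from the Nimbus OAuth SDK or the draft): the client POSTs the ordinary authorization request form-encoded with its token-endpoint client authentication, and the server applies the -01 processing rules listed above (client_id present, request_uri forbidden) before handing back a request URI. The client registry, secret, urn:example: prefix, 90-second lifetime and the exact error codes are assumptions made for the illustration.

```python
import base64
import secrets
from urllib.parse import urlencode, parse_qs

# Constructed registry: client_id -> secret (client_secret_basic is assumed
# to be the method registered for the token endpoint).
CLIENTS = {"s6BhdRkqt3": "constructed-secret"}
STORE = {}  # request_uri -> pushed authorization request parameters


def build_par_request(client_id, secret, params):
    """Client: the regular authorization request, form-encoded for POST."""
    cred = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    headers = {"Authorization": f"Basic {cred}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode({"client_id": client_id, **params})


def handle_par(headers, body):
    """Server: authenticate the client, apply the processing rules, store."""
    scheme, _, cred = headers.get("Authorization", "").partition(" ")
    try:
        cid, _, secret = base64.b64decode(cred).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 credentials
        cid = secret = ""
    expected = CLIENTS.get(cid)
    if (scheme != "Basic" or expected is None or
            not secrets.compare_digest(secret.encode(), expected.encode())):
        return 401, {"error": "invalid_client"}
    form = parse_qs(body, keep_blank_values=True)
    # -01: request_uri must not appear in a pushed request.
    if "request_uri" in form:
        return 400, {"error": "invalid_request"}
    # Reject repeated parameters and a client_id that is not the caller's.
    if any(len(v) > 1 for v in form.values()) or form.get("client_id") != [cid]:
        return 400, {"error": "invalid_request"}
    uri = "urn:example:" + secrets.token_urlsafe(16)  # unguessable reference
    STORE[uri] = {k: v[0] for k, v in form.items()}
    return 201, {"request_uri": uri, "expires_in": 90}


def authorization_url(endpoint, client_id, request_uri):
    """Client: the front-channel request now carries only the reference.
    Sending client_id alongside it follows RFC 9126 (assumed for -01)."""
    return endpoint + "?" + urlencode(
        {"client_id": client_id, "request_uri": request_uri})
```
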