Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
Mike Jones <Michael.Jones@microsoft.com> Sat, 17 March 2012 23:28 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79B0F21F8609 for <oauth@ietfa.amsl.com>; Sat, 17 Mar 2012 16:28:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.844
X-Spam-Level:
X-Spam-Status: No, score=-3.844 tagged_above=-999 required=5 tests=[AWL=-0.245, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OmwY+zt+3PVc for <oauth@ietfa.amsl.com>; Sat, 17 Mar 2012 16:28:24 -0700 (PDT)
Received: from va3outboundpool.messaging.microsoft.com (va3ehsobe010.messaging.microsoft.com [216.32.180.30]) by ietfa.amsl.com (Postfix) with ESMTP id A1A5C21F85FF for <oauth@ietf.org>; Sat, 17 Mar 2012 16:28:23 -0700 (PDT)
Received: from mail28-va3-R.bigfish.com (10.7.14.243) by VA3EHSOBE010.bigfish.com (10.7.40.12) with Microsoft SMTP Server id 14.1.225.22; Sat, 17 Mar 2012 23:28:20 +0000
Received: from mail28-va3 (localhost [127.0.0.1]) by mail28-va3-R.bigfish.com (Postfix) with ESMTP id 89C414807BC; Sat, 17 Mar 2012 23:28:20 +0000 (UTC)
X-SpamScore: -46
X-BigFish: VS-46(zzbb2dI9371I542M1432N98dK1419M148cMzz1202hzz1033IL8275bh8275dhz2fh2a8h668h839hd25h)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC104.redmond.corp.microsoft.com; RD:none; EFVD:NLI
Received-SPF: pass (mail28-va3: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14MLTC104.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail28-va3 (localhost.localdomain [127.0.0.1]) by mail28-va3 (MessageSwitch) id 1332026897985595_25893; Sat, 17 Mar 2012 23:28:17 +0000 (UTC)
Received: from VA3EHSMHS013.bigfish.com (unknown [10.7.14.251]) by mail28-va3.bigfish.com (Postfix) with ESMTP id E63C42200F0; Sat, 17 Mar 2012 23:28:17 +0000 (UTC)
Received: from TK5EX14MLTC104.redmond.corp.microsoft.com (131.107.125.8) by VA3EHSMHS013.bigfish.com (10.7.99.23) with Microsoft SMTP Server (TLS) id 14.1.225.23; Sat, 17 Mar 2012 23:28:14 +0000
Received: from TK5EX14MBXC284.redmond.corp.microsoft.com ([169.254.1.237]) by TK5EX14MLTC104.redmond.corp.microsoft.com ([157.54.79.159]) with mapi id 14.02.0283.004; Sat, 17 Mar 2012 23:28:14 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Eran Hammer <eran@hueniverse.com>, "'Nat Sakimura (sakimura@gmail.com)'" <sakimura@gmail.com>
Thread-Topic: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
Thread-Index: AQHNAgMKtRI52qb7tE6+kmeeW24qnZZqBiQAgAACNICAAA7JAIAABA0AgAADMYCAAACtcIAABZMAgAAVJQCAAAHFAIAAAp4AgAAE2YCAAAAhgIAAzdQAgABfgQCAACSSgIAAGvAAgAAF/oCAAAVjgIAABKqAgAAMGYCAABBtAIAAGYqAgAADHgCAAq4fAIAAB7GAgAAwLgCAACq3gIAAHR5A
Date: Sat, 17 Mar 2012 23:28:13 +0000
Message-ID: <4E1F6AAD24975D4BA5B168042967394366422F55@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <CAAJ++qFYrWR5HeV41C-miJY60g_QZ7xp5qgZRTyVUHjcM5rUeQ@mail.gmail.com> <CB879ABB.1658B%eran@hueniverse.com> <CAAJ++qH7nW-W+saqSiONDi6j_GMz8q8_Q2yfoaOune2xpmXRbg@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08AC2@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAAJ++qEjgzz0ELe3xDdYPTnujc6bgv6ZLseGJst0TPd+5FU4-A@mail.gmail.com> <CAGHdeD6zkxwD-1vA-aOdapd73-Mkeio+cG958ew_f_mzdhEQAw@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08C1C@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAGHdeD5ruZAD_SKr2V3vfPsViXeTVi=7GG98Noqx8_aN1vA+7A@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08C24@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723453AFF08C24@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.34]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Mar 2012 23:28:25 -0000
Much better. Thanks for working with Breno on the new wording. -- Mike -----Original Message----- From: Eran Hammer [mailto:eran@hueniverse.com] Sent: Saturday, March 17, 2012 2:43 PM To: Mike Jones; 'Nat Sakimura (sakimura@gmail.com)' Cc: OAuth WG Subject: RE: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23 Mike, Nat, Does the new text work for you? EH > -----Original Message----- > From: breno.demedeiros@gmail.com > [mailto:breno.demedeiros@gmail.com] On Behalf Of Breno > Sent: Saturday, March 17, 2012 12:10 PM > To: Eran Hammer > Cc: OAuth WG > Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23 > > That is much clearer. Thank you. > > On Sat, Mar 17, 2012 at 9:17 AM, Eran Hammer <eran@hueniverse.com> > wrote: > > How about we phrase it the other way: > > > > A clients may be implemented as a distributed set of components, > > each with a different client type and security context (e.g. a > > distributed client with both a confidential server-based component > > and a public browser-based component). If the authorization server > > does not provide support for such clients, or does not provide > > guidance with regard to their registration, the client SHOULD > > register each > component as a separate client. > > > > This does two thing: put the server's policy first instead of as the > > exception, > and uses SHOULD instead of MUST which seems to be too strong for many > people. > > > > Better? > > > > EH > > > > > >> -----Original Message----- > >> From: breno.demedeiros@gmail.com > >> [mailto:breno.demedeiros@gmail.com] On Behalf Of Breno > >> Sent: Saturday, March 17, 2012 8:50 AM > >> To: Eran Hammer > >> Cc: OAuth WG > >> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23 > >> > >> To summarize, I am weary of registration normative language that > >> appears to disallow common practice implemented by servers to > >> securely support multi- component applications. If these common > >> practices will be non-compliant (or at least it appears to be so on > >> first reading by many different people with detailed knowledge of > >> the spec), isn't it incumbent on this spec to provide guidance on > >> _how_ different components of an application will interoperate > >> under different registration? At least for the very common case of > >> a webserver + browser component, the importance of which is already > enshrined in the spec by the definition of two response_types and flows? > >> > >> On Thu, Mar 15, 2012 at 3:54 PM, Breno de Medeiros > <breno@google.com> > >> wrote: > >> > On Thu, Mar 15, 2012 at 15:43, Eran Hammer <eran@hueniverse.com> > >> wrote: > >> >> I don't know how to better explain myself. Forget about the text > >> >> you > >> have issue with. Just answer this: > >> >> > >> >> Reading the specification (with that text removed), what happens > >> >> when a > >> hybrid client wants to register? What client type does it provide? > >> How should the server handle this case? > >> > > >> > In the example case of the webserver + browser-based client > >> > components, I think the server should just allow it. The browser > >> > does not need to expose the client_secret since it requires no > >> > authentication credentials. The webserver should use the client > >> > credentials acquired during registration to authenticate itself > >> > when using the code flow. > >> > > >> > It's more interesting when mobile applications and webserver want > >> > to share credentials. The mitigation strategy of limiting > >> > lifetime of tokens may not work in this case. In general the > >> > registration server should not allow the use of a single > >> > registration in this case. This case is different from the above > >> > in the sense that installed applications are typically _also_ > >> > using the 'code' flow, but from a different security context. A > >> > server could allow both clients to share the same registration > >> > information, but segregate the set of redirect URLs and tie the > >> > code to each security context and apply different client > >> > authentication requirements to each. Or the server could require > >> > separate client registration for each > component. > >> > > >> >> > >> >> EH > >> >> > >> >>> -----Original Message----- > >> >>> From: Breno de Medeiros [mailto:breno@google.com] > >> >>> Sent: Thursday, March 15, 2012 2:12 PM > >> >>> To: Eran Hammer > >> >>> Cc: Nat Sakimura; OAuth WG > >> >>> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. > >> >>> 23 > >> >>> > >> >>> On Thu, Mar 15, 2012 at 13:13, Eran Hammer > <eran@hueniverse.com> > >> >>> wrote: > >> >>> > Ok. That's much better than my guess that you wanted to drop > >> >>> > all the registration text from the specification. > >> >>> > > >> >>> > What I'm looking for is a simple text that answers the question: > >> >>> > > >> >>> > "What to do if my client isn't simply public or confidential?" > >> >>> > > >> >>> > If we just drop the current text, the answer is implicitly > >> >>> > "you can't have such a client" because there is no way to > >> >>> > register a client of any other type. > >> >>> > > >> >>> > So let's try this again, and focus exclusively on answering > >> >>> > this > question. > >> >>> > My text takes a position which is, "you can't - unless". Your > >> >>> > suggestion is more of a vague discussion of the topic. I'd > >> >>> > like to see clear, normative answer to this question. > >> >>> > >> >>> The current version is normative but far from clear. In fact, > >> >>> the most natural interpretation is that it bans normal practice > >> >>> and throws away the work that was done in defining different > >> >>> flow types to > >> support normal practice. > >> >>> > >> >>> 1. I don't see the need or desirability to put normative > >> >>> language on registration practices. > >> >>> 2. The contents of said normative language are harmful. > >> >>> > >> >>> I suggest two alternatives: > >> >>> > >> >>> 1. Remove the language. > >> >>> 2. Substitute the language by non-normative informative discussion. > >> >>> > >> >>> You can also do other things, like introduce normative language > >> >>> that makes sense. But I have not yet seen proposed language > >> >>> that would be > >> acceptable. > >> >>> > >> >>> > > >> >>> > EH > >> >>> > > >> >>> > > >> >>> > On 3/15/12 12:30 PM, "Breno de Medeiros" <breno@google.com> > >> wrote: > >> >>> > > >> >>> >>I am proposing the entire removal of: > >> >>> >> > >> >>> >>"A client application consisting of multiple components, each > >> >>> >>with its own client type (e.g. a distributed client with both > >> >>> >>a confidential server-based component and a public > >> >>> >>browser-based component), MUST register each component > >> >>> >>separately as a different client to ensure proper handling by > >> >>> >>the authorization > server." > >> >>> >> > >> >>> >>In particular the example of a server-side component versus > >> >>> >>browser-based components is particularly unhelpful since it > >> >>> >>violates the entire principle of why two response_type 'code' > >> >>> >>and 'token' were defined, and how OAuth2 is typically > implemented. > >> >>> >>That's when I claim this normative language is redefining the > protocol. > >> >>> >> > >> >>> >> > >> >>> >>On Thu, Mar 15, 2012 at 12:13, Eran Hammer > >> >>> >><eran@hueniverse.com> > >> >>> wrote: > >> >>> >>> Which text in -25 are you proposing we remove exactly? I > >> >>> >>>can't judge the text below without the full context of > >> >>> >>>where and how it is proposed in the current document. > >> >>> >>> > >> >>> >>> Also, you are ignoring my detailed analysis of the current > >> >>> >>>facts. We have two client types and the issue here is what > >> >>> >>>to do with other, undefined types. > >> >>> >>> > >> >>> >>> EH > >> >>> >>> > >> >>> >>> > >> >>> >>> On 3/15/12 11:54 AM, "Breno de Medeiros" > <breno@google.com> > >> >>> wrote: > >> >>> >>> > >> >>> >>>>My proposal is to remove any reference to registration > >> >>> >>>>(which is a red herring and has raised all the problems we > >> >>> >>>>refer > >> >>> >>>>here) and refer to client authentication instead. > >> >>> >>>> > >> >>> >>>>Proposal: > >> >>> >>>> > >> >>> >>>>"Clients may be implemented as a distributed set of > >> >>> >>>>components that run in different security contexts. For > >> >>> >>>>instance, a single client may include a webserver component > >> >>> >>>>and a script component in a browser. It is not appropriate > >> >>> >>>>for the different components to utilize the same client > >> >>> >>>>authentication mechanisms, since client authentication > >> >>> >>>>credentials that are held securely in one context cannot be > deployed securely in another. > >> >>> >>>> > >> >>> >>>>Servers MUST mitigate security threats from client > >> >>> >>>>components that cannot hold client credentials as securely > >> >>> >>>>by distinguishing them from client components that can. > >> >>> >>>>Example of > >> suitable measures are: > >> >>> >>>> > >> >>> >>>>- Requiring separate registration of components such as web > >> >>> >>>>server and a mobile application. > >> >>> >>>>- Restricting the time validity of tokens issued to clients > >> >>> >>>>that hold no authentication credentials, such as browser > >> >>> >>>>script-based components." > >> >>> >>>> > >> >>> >>>>Please don't truncate explanations in the interest of space > >> >>> >>>>if the resulting text is confusing and possibly misleading. > >> >>> >>>>Better to say nothing instead. > >> >>> >>>> > >> >>> >>>>On Thu, Mar 15, 2012 at 11:32, Eran Hammer > >> <eran@hueniverse.com> > >> >>> wrote: > >> >>> >>>>> Here are the facts: > >> >>> >>>>> > >> >>> >>>>> The authorization server must know the client type in > >> >>> >>>>>order to enforce many of the requirements in the specification. > >> >>> >>>>> The requirement to provide a client type is not decorated > >> >>> >>>>>with a MUST or SHALL but that is implied. > >> >>> >>>>> The specification only defines two client types: public > >> >>> >>>>>and confidential. > >> >>> >>>>> There is no client type defined for a hybrid client. > >> >>> >>>>> The specification needs to address the very common use > >> >>> >>>>>case of clients with both public and private components. > >> >>> >>>>> > >> >>> >>>>> I don't want to discuss in the specification how client > >> >>> >>>>>identifiers are provisioned, nor do I want to discuss the > >> >>> >>>>>potential binding of response types to client types. But > >> >>> >>>>>we do need to provide some guidance to clients and > >> >>> >>>>>authorization servers what to do with clients that do not > >> >>> >>>>>fit the current type definitions. > >> >>> >>>>> > >> >>> >>>>> It is far too late for us to define a new client type, > >> >>> >>>>>along with all the security considerations that such type > >> >>> >>>>>imply. Our entire security consideration section and > >> >>> >>>>>protocol design are based on have a well defined client type. > >> >>> >>>>> > >> >>> >>>>> Requiring separate registration for each component is the > >> >>> >>>>> most straight-forward solution. Allowing the > >> >>> >>>>> authorization server to offer alternatives is the > >> >>> >>>>> backdoor to enable > extensibility. > >> >>> >>>>> > >> >>> >>>>> Within these constraints, I am open to other prose or > >> >>> >>>>>creative solutions. > >> >>> >>>>> But the add-ons proposed are all ugly hacks. They clarify > >> >>> >>>>>specific questions raised which I do not believe > >> >>> >>>>>represent the core confusion here which is what is the > >> >>> >>>>>right way to handle hybrid clients. > >> >>> >>>>> > >> >>> >>>>> The best way to move forward is to take a minute and ask > >> >>> >>>>>the group to share how they handle such cases or how they > >> >>> >>>>>think they should be handled. > >> >>> >>>>>Based > >> >>> >>>>> on that we can come up with a clear solution. > >> >>> >>>>> > >> >>> >>>>> EH > >> >>> >>>>> > >> >>> >>>>> From: Breno de Medeiros <breno@google.com> > >> >>> >>>>> Date: Thu, 15 Mar 2012 09:56:13 -0700 > >> >>> >>>>> To: Eran Hammer-Lahav <eran@hueniverse.com> > >> >>> >>>>> Cc: Nat Sakimura <sakimura@gmail.com>, OAuth WG > >> >>> <oauth@ietf.org> > >> >>> >>>>> > >> >>> >>>>> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 > rev. > >> >>> >>>>> 23 > >> >>> >>>>> > >> >>> >>>>> > >> >>> >>>>> > >> >>> >>>>> On Thu, Mar 15, 2012 at 07:45, Eran Hammer > >> >>> >>>>><eran@hueniverse.com> > >> >>> >>>>>wrote: > >> >>> >>>>>> > >> >>> >>>>>> This add-on is unnecessary. It already says the > >> >>> >>>>>>authorization server can handle it any way it wants. The > >> >>> >>>>>>fact that other registration options are possible > >> >>> >>>>>>clearly covers the client identifier reuse case. As for > >> >>> >>>>>>the response type, that¹s not an issue but more of an > optimization for an edge case raised. > >> >>> >>>>> > >> >>> >>>>> > >> >>> >>>>> It still feels like a horse by committee to me. "unless > >> >>> >>>>>the authorization server provides other registration > >> >>> >>>>>options to specify such complex clients." seems a very > >> >>> >>>>>round about way to say that the core spec already > >> >>> >>>>>provides for such arrangements in the most common > >> >>> >>>>>scenario. It is a bit of a stretch to say that the server > >> >>> >>>>>provides "other registration options" by simply following > >> >>> >>>>>strategy already laid out in the > spec. > >> >>> >>>>> > >> >>> >>>>> In particular, I feel that this wording will be harmful > >> >>> >>>>>to register extended behavior, e.g., alternative > >> >>> >>>>>response_types by leading to fruitless conversations > >> >>> >>>>>about spec compliance in the absence of real security risks. > >> >>> >>>>> > >> >>> >>>>> I do not believe the current text is the best > >> >>> >>>>>representation of the spirit in which the spec was > >> >>> >>>>>written (in particular the effort to specify two flows in > >> >>> >>>>>detail to deal with precisely this issue) and possibly > >> >>> >>>>>lead to > harmful future interpretation. > >> >>> >>>>> > >> >>> >>>>>> > >> >>> >>>>>> > >> >>> >>>>>> > >> >>> >>>>>> EH > >> >>> >>>>>> > >> >>> >>>>>> > >> >>> >>>>>> > >> >>> >>>>>> From: oauth-bounces@ietf.org [mailto:oauth- > >> bounces@ietf.org] > >> >>> >>>>>>On Behalf Of Nat Sakimura > >> >>> >>>>>> Sent: Thursday, March 15, 2012 2:04 AM > >> >>> >>>>>> To: Breno de Medeiros; OAuth WG > >> >>> >>>>>> > >> >>> >>>>>> > >> >>> >>>>>> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 > rev. > >> >>> >>>>>> 23 > >> >>> >>>>>> > >> >>> >>>>>> > >> >>> >>>>>> > >> >>> >>>>>> > >> >>> >>>>>> > >> >>> >>>>>> So, Eran's first proposal: > >> >>> >>>>>> > >> >>> >>>>>> > >> >>> >>>>>> > >> >>> >>>>>> A client application consisting of multiple > >> >>> >>>>>>components, each with its > >> >>> >>>>>> own client type (e.g. a distributed client with both a > >> >>> >>>>>>confidential > >> >>> >>>>>> server-based component and a public browser-based > >> >>> >>>>>>component), MUST > >> >>> >>>>>> register each component separately as a different > >> >>> >>>>>>client to ensure > >> >>> >>>>>> > >> >>> >>>>>> proper handling by the authorization server, unless > >> >>> >>>>>>the authorization > >> >>> >>>>>> server provides other registration options to specify > >> >>> >>>>>>such complex clients. > >> >>> >>>>>> > >> >>> >>>>>> > >> >>> >>>>>> > >> >>> >>>>>> kind of meets my concern. There seems to be another > >> >>> >>>>>>issue around the usefulness of return_type in such case > >> >>> >>>>>>raised by Breno, and if I understand it correctly, > >> >>> >>>>>>Eran's answer was that these separate components may have > >> >>> >>>>>>the same client_id > >> so > >> >>> >>>>>>that return_type is a valid parameter to be sent at > the request. > >> >>> >>>>>> > >> >>> >>>>>> > >> >>> >>>>>> > >> >>> >>>>>> So, to clarify these, perhaps changing the above text > >> >>> >>>>>> slightly to the following solves the problem? > >> >>> >>>>>> > >> >>> >>>>>> > >> >>> >>>>>> > >> >>> >>>>>> A client application consisting of multiple > >> >>> >>>>>>components, each with its > >> >>> >>>>>> own client type (e.g. a distributed client with both a > >> >>> >>>>>>confidential > >> >>> >>>>>> server-based component and a public browser-based > >> >>> >>>>>>component), MUST > >> >>> >>>>>> register each component separately as a different > >> >>> >>>>>>client to ensure > >> >>> >>>>>> > >> >>> >>>>>> proper handling by the authorization server, unless > >> >>> >>>>>>the authorization > >> >>> >>>>>> server provides other registration options to specify > >> >>> >>>>>>such complex clients. > >> >>> >>>>>> > >> >>> >>>>>> Each component MAY have the same client_id, in which > >> >>> >>>>>>case the server > >> >>> >>>>>> > >> >>> >>>>>> judges the client type and the associated security > >> >>> >>>>>>context based on > >> >>> >>>>>> the response_type parameter in the request. > >> >>> >>>>>> > >> >>> >>>>>> > >> >>> >>>>>> > >> >>> >>>>>> Would it solve your problem, Breno? > >> >>> >>>>>> > >> >>> >>>>>> > >> >>> >>>>>> > >> >>> >>>>>> Best, > >> >>> >>>>>> > >> >>> >>>>>> > >> >>> >>>>>> > >> >>> >>>>>> =nat > >> >>> >>>>>> > >> >>> >>>>>> > >> >>> >>>>> > >> >>> >>>>> > >> >>> >>>>> > >> >>> >>>>> > >> >>> >>>>> -- > >> >>> >>>>> --Breno > >> >>> >>>> > >> >>> >>>> > >> >>> >>>> > >> >>> >>>>-- > >> >>> >>>>--Breno > >> >>> >>> > >> >>> >> > >> >>> >> > >> >>> >> > >> >>> >>-- > >> >>> >>--Breno > >> >>> > > >> >>> > >> >>> > >> >>> > >> >>> -- > >> >>> --Breno > >> > > >> > > >> > > >> > -- > >> > --Breno > >> > _______________________________________________ > >> > OAuth mailing list > >> > OAuth@ietf.org > >> > https://www.ietf.org/mailman/listinfo/oauth > >> > >> > >> > >> -- > >> Breno de Medeiros > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > > -- > Breno de Medeiros
- [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. … Marius Scurtescu
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno de Medeiros
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Marius Scurtescu
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Mike Jones
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Richer, Justin P.
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno de Medeiros
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Barry Leiba
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Barry Leiba
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Barry Leiba
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Nat Sakimura
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… John Bradley
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno de Medeiros
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno de Medeiros
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Mike Jones
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno de Medeiros
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno de Medeiros
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno de Medeiros
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Breno
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Eran Hammer
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Mike Jones
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… Nat Sakimura
- Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 r… John Bradley