IETF Logo Mail Archive

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt

Nat Sakimura <sakimura@gmail.com> Wed, 23 July 2014 13:43 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B81C11B28FD for <oauth@ietfa.amsl.com>; Wed, 23 Jul 2014 06:43:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mcy8KFtTuJOa for <oauth@ietfa.amsl.com>; Wed, 23 Jul 2014 06:43:22 -0700 (PDT)
Received: from mail-la0-x234.google.com (mail-la0-x234.google.com [IPv6:2a00:1450:4010:c03::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D27BD1A0AC9 for <oauth@ietf.org>; Wed, 23 Jul 2014 06:43:21 -0700 (PDT)
Received: by mail-la0-f52.google.com with SMTP id e16so938967lan.11 for <oauth@ietf.org>; Wed, 23 Jul 2014 06:43:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=vigQlF5G7MpfWXurDQKoVhj5sYHksvrwR7zuTrZyoW4=; b=uI3HwzOMbDPiwvevImzOS3horVoOIYGCLFqDvvXrSAQOgUHzY7QvqPZvbR/SSJT43L BiGd1/+9PxCDN1/p6dIs7tki5ha8rJ2IsUsMVIxUClXYTdlRdR87GgYiLhIQZO3VfGrx dz1N8KdxnNiuelzk/WT/+tutBC/37h0fR+Mwvtyc7noGwOPGXDKD3owA8feya69D7xJu N0IgzqbNfDlqR4eKRHUoq5ZgBoViCfuwYXD5kirUFb0ENR05elMvNx09qVugvijaL8lI kBYVowTwWdIxSxJXTx3eU7WAXUsMfmyAKtoClSFrvWKI0cQ/Nk9KY7Qbdt2z1MjuceX5 uOhA==
MIME-Version: 1.0
X-Received: by 10.152.182.230 with SMTP id eh6mr1749076lac.44.1406123000082; Wed, 23 Jul 2014 06:43:20 -0700 (PDT)
Received: by 10.112.150.233 with HTTP; Wed, 23 Jul 2014 06:43:19 -0700 (PDT)
In-Reply-To: <DE16B8D3-3590-45B3-BE08-D1A7CF9EF0FB@oracle.com>
References: <201407221830.s6MIUYrf031075@outgoing.mit.edu> <CABzCy2CxNQ2d3=m9Bvc0+k6ikqZkwb940HwskvnAGvKoGnteSw@mail.gmail.com> <DE16B8D3-3590-45B3-BE08-D1A7CF9EF0FB@oracle.com>
Date: Wed, 23 Jul 2014 09:43:19 -0400
Message-ID: <CABzCy2B_iB1ZBskFJObKJjnftEH1STVyhx1-AE6Chrj76-se8g@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary="001a11344428ee3a7804fedc8520"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/XF4X9RhE3Og44v7gF49SdgHu9vo
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Jul 2014 13:43:27 -0000

Reading back the RFC6749, I am not sure if there is a good way of
suppressing access token from the response and still be OAuth. It will
break whole bunch of implicit definitions like:

authorization server
      The server issuing access tokens to the client after successfully
      authenticating the resource owner and obtaining authorization.

After all, OAuth is all about issuing access tokens.

Also, I take back my statement on the grant type in my previous mail.

The definition of grant and grant_type are respectively:

grant
    credential representing the resource owner's authorization
grant_type
  (string representing the) type of grant sent to the token endpoint to
obtain the access token

Thus, the grant sent to the token endpoint in this case is still 'code'.

Response type on the other hand is not so well defined in RFC6749, but it
seems it is representing what is to be returned from the authorization
endpoint. To express what is to be returned from token endpoint, perhaps
defining a new parameter to the token endpoint, which is a parallel to the
response_type to the Authorization Endpoint seems to be a more symmetric
way, though I am not sure at all if that is going to be OAuth any more. One
straw-man is to define a new parameter called response_type to the token
endpoint such as:

response_type
    OPTIONAL. A string representing what is to be returned from the token
endpoint.

Then define the behavior of the endpoint according to the values as the
parallel to the multi-response type spec.
http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html

Nat





2014-07-23 7:21 GMT-04:00 Phil Hunt <phil.hunt@oracle.com>:

> The draft is very clear.
>
> Phil
>
> On Jul 23, 2014, at 0:46, Nat Sakimura <sakimura@gmail.com> wrote:
>
> The new grant type that I was talking about was
> "authorization_code_but_do_not_return_access_nor_refresh_token", so to
> speak.
> It does not return anything per se, but an extension can define something
> on top of it.
>
> Then, OIDC can define a binding to it so that the binding only returns ID
> Token.
> This binding work should be done in OIDF. Should there be such a grant
> type,
> it will be an extremely short spec.
>
> At the same time, if any other specification wanted to define
> other type of tokens and have it returned from the token endpoint,
> it can also use this grant type.
>
> If what you want is to define a new grant type that returns ID Token only,
> then, I am with Justin. Since "other response than ID Token" is only
> theoretical, this is a more plausible way forward, I suppose.
>
> Nat
>
>
> 2014-07-22 14:30 GMT-04:00 Justin Richer <jricher@mit.edu>:
>
>> So the draft would literally turn into:
>>
>> "The a4c response type and grant type return an id_token from the token
>> endpoint with no access token. All parameters and values are defined in
>> OIDC."
>>
>> Seems like the perfect mini extension draft for OIDF to do.
>>
>> --Justin
>>
>> /sent from my phone/
>>
>> On Jul 22, 2014 10:29 AM, Nat Sakimura <sakimura@gmail.com> wrote:
>> >
>> > What about just defining a new grant type in this WG?
>> >
>> >
>> > 2014-07-22 12:56 GMT-04:00 Phil Hunt <phil.hunt@oracle.com>:
>> >>
>> >> That would be nice. However oidc still needs the new grant type in
>> order to implement the same flow.
>> >>
>> >> Phil
>> >>
>> >> On Jul 22, 2014, at 11:35, Nat Sakimura <sakimura@gmail.com> wrote:
>> >>
>> >>> +1 to Justin.
>> >>>
>> >>>
>> >>> 2014-07-22 9:54 GMT-04:00 Richer, Justin P. <jricher@mitre.org>:
>> >>>>
>> >>>> Errors like these make it clear to me that it would make much more
>> sense to develop this document in the OpenID Foundation. It should be
>> something that directly references OpenID Connect Core for all of these
>> terms instead of redefining them. It's doing authentication, which is
>> fundamentally what OpenID Connect does on top of OAuth, and I don't see a
>> good argument for doing this work in this working group.
>> >>>>
>> >>>>  -- Justin
>> >>>>
>> >>>> On Jul 22, 2014, at 4:30 AM, Thomas Broyer <t.broyer@gmail.com>
>> wrote:
>> >>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> On Mon, Jul 21, 2014 at 11:52 PM, Mike Jones <
>> Michael.Jones@microsoft.com> wrote:
>> >>>>>>
>> >>>>>> Thanks for your review, Thomas.  The “prompt=consent” definition
>> being missing is an editorial error.  It should be:
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> consent
>> >>>>>>
>> >>>>>> The Authorization Server SHOULD prompt the End-User for consent
>> before returning information to the Client. If it cannot obtain consent, it
>> MUST return an error, typically consent_required.
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> I’ll plan to add it in the next draft.
>> >>>>>
>> >>>>>
>> >>>>> It looks like the consent_required error needs to be defined too,
>> and you might have forgotten to also import account_selection_required from
>> OpenID Connect.
>> >>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>> I agree that there’s no difference between a response with
>> multiple “amr” values that includes “mfa” and one that doesn’t.  Unless a
>> clear use case for why “mfa” is needed can be identified, we can delete it
>> in the next draft.
>> >>>>>
>> >>>>>
>> >>>>> Thanks.
>> >>>>>
>> >>>>> How about "pwd" then? I fully understand that I should return "pwd"
>> if the user authenticated using a password, but what "the service if a
>> client secret is used" means in the definition for the "pwd" value?
>> >>>>>
>> >>>>> (Nota: I know you're at IETF-90, I'm ready to wait 'til you come
>> back ;-) )
>> >>>>>
>> >>>>> --
>> >>>>> Thomas Broyer
>> >>>>> /tɔ.ma.bʁwa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>
>> >>>>> _______________________________________________
>> >>>>> OAuth mailing list
>> >>>>> OAuth@ietf.org
>> >>>>> https://www.ietf.org/mailman/listinfo/oauth
>> >>>>
>> >>>>
>> >>>>
>> >>>> _______________________________________________
>> >>>> OAuth mailing list
>> >>>> OAuth@ietf.org
>> >>>> https://www.ietf.org/mailman/listinfo/oauth
>> >>>>
>> >>>
>> >>>
>> >>>
>> >>> --
>> >>> Nat Sakimura (=nat)
>> >>> Chairman, OpenID Foundation
>> >>> http://nat.sakimura.org/
>> >>> @_nat_en
>> >>>
>> >>> _______________________________________________
>> >>> OAuth mailing list
>> >>> OAuth@ietf.org
>> >>> https://www.ietf.org/mailman/listinfo/oauth
>> >
>> >
>> >
>> >
>> > --
>> > Nat Sakimura (=nat)
>> > Chairman, OpenID Foundation
>> > http://nat.sakimura.org/
>> > @_nat_en
>>
>
>
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

v2.23.0 | Report a Bug | By Email