Re: [OAUTH-WG] Clarifying the scope of the OAuth 2.1 spec

Dick Hardt <dick.hardt@gmail.com> Mon, 16 March 2020 01:50 UTC

From: Dick Hardt <dick.hardt@gmail.com>
Date: Sun, 15 Mar 2020 18:50:05 -0700
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: "aaron@parecki.com" <aaron@parecki.com>, "torsten@lodderstedt.net" <torsten@lodderstedt.net>, "oauth@ietf.org" <oauth@ietf.org>
Message-ID: <CAD9ie-s6BYhFUH0qg=gggRqbEK+RRKNEOm0VTgwS0hduTK5yDw@mail.gmail.com>
In-Reply-To: <DM6PR00MB0684B029182673EADC9E0288F5F80@DM6PR00MB0684.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Y-oDhJ3HobFVsQy0FZtDRq4b05U>
List-Id: OAUTH WG <oauth.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>

Hi Mike

I like where you are going with this, but what do we mean when we say OAuth
2.0? Is it RFC 6749? What is the OAuth 2.0 set of protocols?

OAuth 2.1 includes features that are not in RFC 6749, so it is not a subset
of that specification.

On Sun, Mar 15, 2020 at 2:34 PM Mike Jones <Michael.Jones@microsoft.com>
wrote:

> The abstract of draft-parecki-oauth-v2-1 concludes with this text:
>
>    This specification replaces and obsoletes the OAuth 2.0 Authorization
>    Framework described in RFC 6749 <https://tools.ietf.org/html/rfc6749>.
>
> While accurate, I don’t believe that this text captures the full intent of
> the OAuth 2.1 effort – specifically, to be a recommended subset of OAuth
> 2.0, rather than to introduce incompatible changes to it.  Therefore, I
> request that these sentences be added to the abstract, to eliminate
> confusion in the marketplace that might otherwise arise:
>
>     OAuth 2.1 is a compatible subset of OAuth 2.0, removing features that
>     are not currently considered to be best practices.  By design, it does not
>     introduce any new features to what already exists in the OAuth 2.0 set of
>     protocols.
>
> Thanks,
> -- Mike
>
> P.S.  I assert that any incompatible changes should be proposed as part of
> the TxAuth effort and not as part of OAuth 2.1.