Re: [OAUTH-WG] OAuth 2.1 - drop implicit flow?
Vittorio Bertocci <Vittorio@auth0.com> Thu, 12 March 2020 18:14 UTC
References: <CAD9ie-s9HT=9MKPK+GpVngZc+9QMxHS6KL-Sfq-UPQz2VQ3ioA@mail.gmail.com> <3F805BA8-8ABB-4939-96CC-FD2FEC811322@lodderstedt.net> <CAD9ie-sZOG0=pbFW72fZR3XtzsNFRFCyFmF5xeEPFUzHzdmHaQ@mail.gmail.com> <CA+k3eCRJMtAstvrNKPE4qAqU7TCFytrCZC8tHtupWno_J0xKbQ@mail.gmail.com> <CAD9ie-uiLS=f1QrHyQAAaq2YP=gPVFCtOawbKXwh4xG8adw=vQ@mail.gmail.com> <CA+k3eCQGqduvcOi_S6cp49NUkr4Rt1ws7Lb6t3SvVgceaHKbOQ@mail.gmail.com>
In-Reply-To: <CA+k3eCQGqduvcOi_S6cp49NUkr4Rt1ws7Lb6t3SvVgceaHKbOQ@mail.gmail.com>
From: Vittorio Bertocci <Vittorio@auth0.com>
Date: Thu, 12 Mar 2020 11:14:43 -0700
Message-ID: <CAO_FVe4B45fQjOtUtFw+nthLn3RtaivPik9jHkC8Fqu1C3ovZg@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: Dick Hardt <dick.hardt@gmail.com>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Ywoo1-rZoE_3xAfhEVJuhZ96Lpg>
Sorry for the delay here. From the formal perspective, Torsten's language works for me as well. Thanks for taking the feedback into account.
I still worry that without an explicit reference to OIDC implicit+form_post, I will have the conversation "but can we still do this in OIDC now that implicit has been deprecated in OAuth?" countless times with customers, but I'm resigned to that anyway :)

On Sat, Mar 7, 2020 at 3:36 PM Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
> Sorry, was replying on my phone on the weekend and trying to keep it quick. I meant that I thought Torsten's suggestion was good.
>
> On Sat, Mar 7, 2020, 4:25 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>> Would you clarify what text works Brian?
>>
>> On Sat, Mar 7, 2020 at 3:24 PM Brian Campbell <bcampbell@pingidentity.com> wrote:
>>> Yeah, that works for me.
>>>
>>> On Sat, Mar 7, 2020, 9:37 AM Dick Hardt <dick.hardt@gmail.com> wrote:
>>>> Brian: does that meet your requirements?
>>>>
>>>> If not, how about if we refer to OIDC as an example extension without saying it is implicit?
>>>>
>>>> On Sat, Mar 7, 2020 at 8:29 AM Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>>>> I think keeping the response type as extension point and not mentioning implicit at all is sufficient to support Brian's objective.
>>>>>
>>>>> On 07.03.2020 at 17:06, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>>
>>>>> How about if we add in a nonnormative reference to OIDC as an explicit example of an extension:
>>>>>
>>>>> "For example, OIDC defines an implicit grant with additional security features."
>>>>>
>>>>> or similar language
>>>>>
>>>>> On Sat, Mar 7, 2020 at 5:27 AM Brian Campbell <bcampbell@pingidentity.com> wrote:
>>>>>> The name implicit grant is unfortunately somewhat misleading/confusing but, for the case at hand, the extension mechanism isn't grant type so much as response type and even response mode.
>>>>>>
>>>>>> The perspective shared during the office hours call was, paraphrasing as best I can, that there are legitimate uses of implicit style flows in OpenID Connect (that likely won't be updated) and it would be really nice if this new 2.1 or whatever it's going to be document didn't imply that they were disallowed or problematic or otherwise create unnecessary FUD or confusion for the large population of existing deployments.
>>>>>>
>>>>>> On Fri, Feb 28, 2020 at 1:56 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>>>> I'm looking to close out this topic. I heard that Brian and Vittorio shared some points of view in the office hours, and wanted to confirm:
>>>>>>>
>>>>>>> + Remove implicit flow from OAuth 2.1 and continue to highlight that grant types are an extension mechanism.
>>>>>>>
>>>>>>> For example, if OpenID Connect were to be updated to refer to OAuth 2.1 rather than OAuth 2.0, OIDC could define the implicit grant type with all the appropriate considerations.
>>>>>>>
>>>>>>> On Tue, Feb 18, 2020 at 10:49 PM Dominick Baier <dbaier@leastprivilege.com> wrote:
>>>>>>>> No - please get rid of it.
>>>>>>>>
>>>>>>>> ———
>>>>>>>> Dominick Baier
>>>>>>>>
>>>>>>>> On 18. February 2020 at 21:32:31, Dick Hardt (dick.hardt@gmail.com) wrote:
>>>>>>>>
>>>>>>>> Hey List
>>>>>>>>
>>>>>>>> (I'm using the OAuth 2.1 name as a placeholder for the doc that Aaron, Torsten, and I are working on)
>>>>>>>>
>>>>>>>> Given the points Aaron brought up in
>>>>>>>>
>>>>>>>> https://mailarchive.ietf.org/arch/msg/oauth/hXEfLXgEqrUQVi7Qy8X_279DCNU
>>>>>>>>
>>>>>>>> Does anyone have concerns with dropping the implicit flow from the OAuth 2.1 document so that developers don't use it?
>>>>>>>>
>>>>>>>> /Dick
>>>>>>>> _______________________________________________
>>>>>>>> OAuth mailing list
>>>>>>>> OAuth@ietf.org
>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>
>>>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.*
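The thread keeps referring to what OpenID Connect adds on top of a bare OAuth implicit response ("an implicit grant with additional security features", "implicit+form_post"). The following is an added example, not code from the thread or from any of its participants, showing what those features amount to on the wire and what a relying party has to check before trusting a `response_type=id_token token` response: a `state` tied to the request, a `nonce` claim that binds the id_token to the request, an `at_hash` claim that binds the access token to that id_token, and the `form_post` response mode that keeps the tokens out of the URL. The issuer `https://op.example`, client `client-abc`, redirect URI and HS256 shared key are all constructed for the demonstration; a real provider signs with an asymmetric key published in its JWKS.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed values for the demo (not from the thread): a shared HS256 key
# standing in for the provider's signing key, plus a hypothetical OP and RP.
TOY_KEY = b"constructed-demo-key-not-for-production"
ISSUER = "https://op.example"
CLIENT_ID = "client-abc"
REDIRECT_URI = "https://rp.example/cb"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _eq(a, b) -> bool:
    """Constant-time string comparison that tolerates non-ASCII input."""
    return hmac.compare_digest(str(a).encode("utf-8"), str(b).encode("utf-8"))


def at_hash(access_token: str) -> str:
    """OIDC at_hash for a *S256 alg: base64url of the left-most half of SHA-256(access_token)."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def mint_id_token(claims: dict, key: bytes) -> str:
    """Toy HS256 JWT signer standing in for the provider."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_id_token(token: str, key: bytes) -> dict:
    """Pin the expected alg, verify the signature, and only then return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed id_token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def issue_implicit_response(state: str, nonce: str, now: int, response_mode: str = "fragment"):
    """Provider side of response_type=id_token token: the id_token echoes the
    request's nonce and carries an at_hash over the access token issued with it."""
    access_token = secrets.token_urlsafe(32)
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123", "nonce": nonce,
              "at_hash": at_hash(access_token), "iat": now, "exp": now + 300}
    params = {"access_token": access_token, "token_type": "Bearer",
              "id_token": mint_id_token(claims, TOY_KEY), "state": state}
    if response_mode == "form_post":
        # form_post: parameters are the body of an auto-submitted POST to the
        # redirect URI, so they never sit in a URL (history, proxy logs, Referer).
        return params
    # plain implicit: parameters travel in the URL fragment
    return REDIRECT_URI + "#" + urlencode(params)


def params_from_fragment(redirect_url: str) -> dict:
    """Relying party side: recover the fragment parameters the browser delivered."""
    fragment = redirect_url.split("#", 1)[1]
    return {k: v[0] for k, v in parse_qs(fragment, strict_parsing=True).items()}


def verify_implicit_response(params: dict, expected_state: str, expected_nonce: str, now: int):
    """The checks OIDC requires before an implicit response may be trusted."""
    if not _eq(params.get("state", ""), expected_state):
        raise ValueError("state mismatch (response not tied to a request we made)")
    claims = verify_id_token(params["id_token"], TOY_KEY)
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("issuer/audience mismatch")
    if not claims.get("iat", 0) <= now < claims.get("exp", 0):
        raise ValueError("id_token expired or not yet valid")
    if not _eq(claims.get("nonce", ""), expected_nonce):
        raise ValueError("nonce mismatch (replayed id_token)")
    if not _eq(claims.get("at_hash", ""), at_hash(params["access_token"])):
        raise ValueError("at_hash mismatch (access_token substituted)")
    return claims["sub"], params["access_token"]


def implicit_response_accepted(params: dict, expected_state: str, expected_nonce: str, now: int) -> bool:
    """Boolean verdict for callers that do not need the failure reason."""
    try:
        verify_implicit_response(params, expected_state, expected_nonce, now)
        return True
    except (ValueError, KeyError):
        return False


if __name__ == "__main__":
    now = 1_584_036_894
    url = issue_implicit_response("st-1", "nonce-1", now)
    print(verify_implicit_response(params_from_fragment(url), "st-1", "nonce-1", now + 5))
```

Every check in `verify_implicit_response` corresponds to one of the "additional security features" the thread has in mind: without `nonce`, an id_token captured from one response can be replayed into another; without `at_hash`, an access token issued to a different client can be paired with a legitimate id_token; and with `response_mode=form_post` the tokens are never written into a URL at all. The bare OAuth 2.0 implicit grant defines none of these, which is why the thread treats "implicit" in OAuth and "implicit" in OIDC as different things.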