Re: [OAUTH-WG] Your opinion about draft-ideskog-assisted-token

Brian Campbell <bcampbell@pingidentity.com> Fri, 19 February 2021 21:09 UTC

References: <1e5f0e825a2580f68c92aa5a1d798090.squirrel@www.rfc-editor.org> <702cf2e8d762ba733becdb5c735f72a9.squirrel@www.rfc-editor.org>
In-Reply-To: <702cf2e8d762ba733becdb5c735f72a9.squirrel@www.rfc-editor.org>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 19 Feb 2021 14:09:03 -0700
Message-ID: <CA+k3eCRAUGoxM=pvHj2p+TUf1iVYfkVMi97oLzVo1rD8CgQzaA@mail.gmail.com>
To: rfc-ise@rfc-editor.org
Cc: draft-ideskog-assisted-token@ietf.org, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ZWr-L0T_6SBIJF57emyUqD0YV94>
Subject: Re: [OAUTH-WG] Your opinion about draft-ideskog-assisted-token

Hi Adrian,

I believe this work was presented briefly to the WG in London during IETF
101. As far as I can recall, the general reaction/thinking at that time was
that the WG really should be working on a document about OAuth and single
page applications (that may or may not include something like the
functionality in draft-ideskog-assisted-token). Since that time the WG
adopted and is actively working on 'OAuth 2.0 for Browser-Based Apps'
https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/ which
is intended as a BCP for single page applications acting as OAuth clients.
The prospective BCP details security considerations and best practices
around leveraging existing features of OAuth for single page apps, whereas
draft-ideskog-assisted-token introduces a new grant, new authorization
server endpoint, and really a whole new interaction model between client
and authorization server. Publishing an independent stream RFC that runs
contrary to the BCP coming out of the WG does seem potentially harmful.

On Mon, Feb 15, 2021 at 11:59 AM RFC ISE (Adrian Farrel) <
rfc-ise@rfc-editor.org> wrote:

> Hi OAuth,
>
> The authors of draft-ideskog-assisted-token [1] have approached me
> requesting that the draft be published as an Informational RFC in the
> Independent Submission Stream [2].
>
> The draft extends the OAuth 2.0 framework to include an additional
> authorization flow for single page applications called the assisted token
> flow. It is intended to enable OAuth clients that are written in
> scripting languages (such as JavaScript) to request user authorization
> using a simplified method. Communication leverages HTML's iframe element,
> child windows, and the postMessage interface. This communication is done
> using an additional endpoint, the assisted token endpoint.
>
> It is clear to me that this work could be in scope for OAuth and I want to
> be sure that both:
> - there is no interest within the WG in pursuing this approach
> - there is no perceived harm to existing OAuth work if this goes ahead
>
> I'd appreciate any opinions.
>
> Many thanks,
> Adrian
> --
> Adrian Farrel (Independent Submissions Editor),
> rfc-ise@rfc-editor.org
>
> [1] https://datatracker.ietf.org/doc/draft-ideskog-assisted-token/
> [2] https://www.rfc-editor.org/about/independent/
