Re: [OAUTH-WG] Advertise PKCE support in OAuth 2.0 Discovery (draft-jones-oauth-discovery-00)

Phil Hunt <phil.hunt@oracle.com> Mon, 25 January 2016 18:34 UTC

From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <CABzCy2B5AAMLPj+R2-qUC0X06Ny+j9ctORnt0w36YYzuZTNzrA@mail.gmail.com>
Date: Mon, 25 Jan 2016 10:33:58 -0800
Message-Id: <C3691C3C-DB00-4F23-9094-D3308C85083A@oracle.com>
References: <568D24DD.3050501@connect2id.com> <EA392E73-1C01-42DC-B21D-09F570239D5E@ve7jtb.com> <CAAP42hAA6SOvfxjfuQdjoPfSh3HmK=a7PCQ_sPXTmDg+AQ6sug@mail.gmail.com> <568D5610.6000506@lodderstedt.net> <CAAP42hA8SyOOkJ-D299VgvQUdQv6NXqxSt9R0TK7Zk7JaU56eQ@mail.gmail.com> <F9C0DF10-C067-4EEB-85C8-E1208798EA54@gmail.com> <CABzCy2A+Z86UCJXeK1mLPfyq9p1QQS=_dekbEz6ibP8Z8Pz87Q@mail.gmail.com> <CAAP42hCKRpEnS7zVL7C_jpaFXwXUjzkNUzxtDa9MUKAQw7gsAA@mail.gmail.com> <10631235-AF1B-4122-AEAE-D56BBF38F87E@ve7jtb.com> <CABzCy2B5AAMLPj+R2-qUC0X06Ny+j9ctORnt0w36YYzuZTNzrA@mail.gmail.com>
To: Nat Sakimura <sakimura@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/axHieNznv8S3FF8E7WpA29leTms>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Advertise PKCE support in OAuth 2.0 Discovery (draft-jones-oauth-discovery-00)

+1

Phil

@independentid
www.independentid.com <http://www.independentid.com/>
phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>

> On Jan 21, 2016, at 6:26 AM, Nat Sakimura <sakimura@gmail.com> wrote:
> 
> +1. Even as the main editor of the spec., I tend to forget the history ;-)
> 
> On Thu, Jan 21, 2016 at 23:17, John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>> wrote:
> The code_challenge and code_challenge_method parameter names predate calling the spec PKCE.  
> 
> Given that some of us deployed early versions of PKCE in products and open source to mitigate the problem before the spec was completed, we decided not to rename the parameter names from code_verifier_method to pkce_verifier_method.
> 
> For consistency we should stick with code_verifier_methods_supported in discovery.
> 
> John B.
> 
>> On Jan 21, 2016, at 3:12 AM, William Denniss <wdenniss@google.com <mailto:wdenniss@google.com>> wrote:
>> 
>> "code_challenge_methods_supported" definitely works for me.
>> 
>> Any objections to moving forward with that? I would like to update our discovery doc shortly.
>> 
>> On Thu, Jan 21, 2016 at 1:37 PM, Nat Sakimura <sakimura@gmail.com <mailto:sakimura@gmail.com>> wrote:
>> Ah, OK. That's actually reasonable. 
>> 
>> On Thu, Jan 21, 2016 at 9:31, nov matake <matake@gmail.com <mailto:matake@gmail.com>> wrote:
>> I prefer "code_challenge_methods_supported", since the registered parameter name is "code_challenge_method", not "pkce_method".
>> 
>>> On Jan 19, 2016, at 11:58, William Denniss <wdenniss@google.com <mailto:wdenniss@google.com>> wrote:
>>> 
>>> Seems like we agree this should be added. How should it look?
>>> 
>>> Two ideas:
>>> 
>>> "code_challenge_methods_supported": ["plain", "S256"]
>>> 
>>> or
>>> 
>>> "pkce_methods_supported": ["plain", "S256"]
>>> 
>>> 
>>> 
>>> On Wed, Jan 6, 2016 at 9:59 AM, Torsten Lodderstedt <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote:
>>> +1
>>> 
>>> 
>>> On 06.01.2016 at 18:25, William Denniss wrote:
>>>> +1
>>>> 
>>>> On Wed, Jan 6, 2016 at 6:40 AM, John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>> wrote:
>>>> Good point.  Now that PKCE is a RFC we should add it to discovery.
>>>> 
>>>> John B.
>>>> > On Jan 6, 2016, at 9:29 AM, Vladimir Dzhuvinov <vladimir@connect2id.com <mailto:vladimir@connect2id.com>> wrote:
>>>> >
>>>> > I just noticed PKCE support is missing from the discovery metadata.
>>>> >
>>>> > Is it a good idea to add it?
>>>> >
>>>> > Cheers,
>>>> >
>>>> > Vladimir
>>>> >
>>>> > --
>>>> > Vladimir Dzhuvinov
>>>> >
>>>> >
>>>> > _______________________________________________
>>>> > OAuth mailing list
>>>> > OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>> > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>>> 
>>> 
>>> 
>> 
> 
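How a client would consume the `code_challenge_methods_supported` field the thread settles on, as an added example that is not part of this thread or of any project's code. The discovery document is constructed, the method names `plain` and `S256` are the ones named in the thread, and the transforms behind them are assumed to be those of RFC 7636 (S256 = BASE64URL(SHA256(code_verifier))); the server-side check refuses any method the server did not advertise.

```python
import base64
import hashlib
import json
import secrets

# Constructed discovery document (not from any real authorization server).
DISCOVERY_JSON = json.dumps({
    "issuer": "https://as.example",
    "authorization_endpoint": "https://as.example/authorize",
    "token_endpoint": "https://as.example/token",
    "code_challenge_methods_supported": ["plain", "S256"],
})


def load_discovery(text):
    """Parse the discovery document into a dict."""
    return json.loads(text)


def choose_method(metadata):
    """Pick the strongest advertised PKCE method; None when the field is absent
    or lists nothing usable (servers predating this field simply omit it)."""
    methods = metadata.get("code_challenge_methods_supported") or []
    if "S256" in methods:
        return "S256"
    if "plain" in methods:
        return "plain"
    return None


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier(n_bytes=32):
    """32 random bytes -> 43 unreserved chars, the minimum RFC 7636 length."""
    return b64url(secrets.token_bytes(n_bytes))


def make_challenge(verifier, method):
    """Derive code_challenge from code_verifier for the given method."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unsupported code_challenge_method: %s" % method)


def verify_challenge(verifier, challenge, method, supported):
    """Server side: reject a method that was not advertised, then compare
    the recomputed challenge in constant time."""
    if method not in supported:
        return False
    return secrets.compare_digest(make_challenge(verifier, method), challenge)
```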