Re: [OAUTH-WG] PKCE & Hybrid Flow

Roland Hedberg <roland@catalogix.se> Wed, 27 January 2016 12:58 UTC

From: Roland Hedberg <roland@catalogix.se>
In-Reply-To: <70953000-628C-4C82-A759-859E547A2D74@ve7jtb.com>
Date: Wed, 27 Jan 2016 13:58:23 +0100
Message-Id: <3E59AF5A-6A39-4B31-A59D-CB7FFA4FDBA1@catalogix.se>
References: <etPan.56a7d2ec.b71f1ef.289@dombp.local> <8A68406E-0C0F-4CDB-A510-3C139CEE3AF4@ve7jtb.com> <CABzCy2DcwvLvk2Z6oZrEK8mbhb3M0eaLYidq8djOC_EfEt+V-Q@mail.gmail.com> <70953000-628C-4C82-A759-859E547A2D74@ve7jtb.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/cYQi2ZiD0bEWO66GBlInzSjlv94>
Cc: oauth@ietf.org

> On 27 Jan 2016, at 13:51, John Bradley <ve7jtb@ve7jtb.com> wrote:
> 
> It is confusing that the value is a string that is order independent based on space breaks, rather than a space separated list of responses requested.

Absolutely, I’ve always found that completely broken.

> Changing it now may be more trouble than it is worth, if it may break deployments. The editor at the time really didn’t want multiple response types, so that was a way to have them but not really.
> 
> John B.
> 
>> On Jan 26, 2016, at 11:11 PM, Nat Sakimura <sakimura@gmail.com> wrote:
>> 
>> To the end, perhaps amending RFC6749 so that the response type is treated as a space separated value would be a better way to go? 
>> 
>> On Wed, 27 Jan 2016 at 5:20, John Bradley <ve7jtb@ve7jtb.com> wrote:
>> Yes, it also applies to the “code id_token” response_type. It would also apply to the “code token” and “code token id_token” response types as well, though I can’t think of why a native app would use those.
>> 
>> We can look at an erratum to clarify. It is an artifact of response_type being treated as a single string as opposed to being space-separated values, as most people would expect.
>> 
>> John B.
>> 
>>> On Jan 26, 2016, at 5:11 PM, Dominick Baier <dbaier@leastprivilege.com> wrote:
>>> 
>>> Hi, 
>>> 
>>> PKCE only mentions OAuth 2.0 code flow - but wouldn’t that also apply to OIDC hybrid flow e.g. code id_token?
>>> 
>>> — 
>>> cheers
>>> Dominick Baier
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
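The two points the thread makes, that response_type is an order-independent set of space-separated tokens rather than a single string, and that PKCE protects the authorization code and so belongs to every response type that returns a code (plain "code" as well as the hybrid "code id_token", "code token" and "code token id_token"), can be shown in working code. The following is an added example for this archive page, not code from any of the thread's participants or from an IETF specification. The function names, the table of accepted response types (RFC 6749 plus the OIDC/Multiple Response Type combinations) and the round-trip helper are this example's own assumptions; the code_verifier and code_challenge handling follows RFC 7636 (S256), and the test vector in the test comes from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
from typing import FrozenSet, Optional

# Assumed table of accepted response types (RFC 6749 values plus the OIDC
# hybrid/implicit combinations). Each entry is a set, so token order is irrelevant.
KNOWN_RESPONSE_TYPES = {
    frozenset({"code"}),
    frozenset({"token"}),
    frozenset({"id_token"}),
    frozenset({"id_token", "token"}),
    frozenset({"code", "id_token"}),
    frozenset({"code", "token"}),
    frozenset({"code", "id_token", "token"}),
}


def parse_response_type(value: str) -> FrozenSet[str]:
    """Treat response_type as an order-independent, space-separated set of tokens,
    so "code id_token" and "id_token code" are the same request."""
    tokens = value.split()
    if not tokens:
        raise ValueError("response_type must not be empty")
    rt = frozenset(tokens)
    if len(rt) != len(tokens):
        raise ValueError("duplicate token in response_type")
    if rt not in KNOWN_RESPONSE_TYPES:
        raise ValueError(f"unsupported response_type: {value!r}")
    return rt


def pkce_applies(response_type: str) -> bool:
    """PKCE binds the authorization code to the client that requested it, so it
    applies to every response type that returns a code, hybrid flows included."""
    return "code" in parse_response_type(response_type)


def make_code_verifier(nbytes: int = 32) -> str:
    # RFC 7636 section 4.1: 43..128 characters from [A-Za-z0-9-._~]. 32 random
    # bytes, base64url-encoded without padding, give exactly 43 characters.
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(code_verifier: str) -> str:
    # RFC 7636 section 4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier))), no padding.
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def server_verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Authorization server side (RFC 7636 section 4.6) at the token endpoint.
    Only S256 is accepted here; the 'plain' method is refused on purpose."""
    if stored_method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    expected = make_code_challenge(presented_verifier)
    # constant-time comparison so the check does not leak how many characters matched
    return secrets.compare_digest(expected, stored_challenge)


def hybrid_flow_roundtrip(response_type: str, verifier: Optional[str] = None) -> dict:
    """Walk one authorization request through the client and server steps and
    report what each side saw (assumed helper for demonstration only)."""
    rt = parse_response_type(response_type)
    needs_pkce = "code" in rt
    verifier = verifier or make_code_verifier()
    auth_request = {"response_type": " ".join(sorted(rt))}
    if needs_pkce:
        auth_request["code_challenge"] = make_code_challenge(verifier)
        auth_request["code_challenge_method"] = "S256"
    # The server stores the challenge alongside the issued code and re-checks it
    # when the verifier arrives at the token endpoint.
    token_endpoint_ok = (
        server_verify_pkce(auth_request["code_challenge"], "S256", verifier)
        if needs_pkce else None
    )
    return {"pkce_required": needs_pkce, "request": auth_request, "token_endpoint_ok": token_endpoint_ok}


if __name__ == "__main__":
    for rt in ("code", "code id_token", "id_token code", "id_token token", "code token id_token"):
        print(rt.ljust(22), hybrid_flow_roundtrip(rt))
```

The check in `pkce_applies` is deliberately written against the parsed set rather than against the literal strings "code", "code id_token" and so on, which is exactly the difference the thread is about: a server that compares response_type as a whole string will apply PKCE to "code id_token" but silently skip it for "id_token code", even though the two requests return the same authorization code.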