IETF Logo Mail Archive

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

Breno de Medeiros <breno@google.com> Wed, 14 March 2012 17:16 UTC

Return-Path: <breno@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AB7721F86AD for <oauth@ietfa.amsl.com>; Wed, 14 Mar 2012 10:16:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.377
X-Spam-Level:
X-Spam-Status: No, score=-102.377 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_45=0.6, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vTHnam27OWVj for <oauth@ietfa.amsl.com>; Wed, 14 Mar 2012 10:16:31 -0700 (PDT)
Received: from mail-ee0-f44.google.com (mail-ee0-f44.google.com [74.125.83.44]) by ietfa.amsl.com (Postfix) with ESMTP id 1349C21F8617 for <oauth@ietf.org>; Wed, 14 Mar 2012 10:16:30 -0700 (PDT)
Received: by eeke51 with SMTP id e51so1222813eek.31 for <oauth@ietf.org>; Wed, 14 Mar 2012 10:16:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding:x-system-of-record; bh=2Tm8D7/Oi/YP2QD9VklZRfaW1p1ZjXizwwnkO66Xb6w=; b=feqGl1BSRBxMDeQ0hEWt1r517z5UNx9nsrXjfl3wLGIPzqu0LTJnKLHkTePU1U8zAX 3CFAw6+5GAw9eNy5S6S0uAwULXHd0RKcBWe4oN06fp6VeMG2h+XMYYVd0/f9eY9fL18J VmwVGC0ztgC7Y2+/I2NuhhCkG9wYidgjY9cfCWE4mZkB1g/w1BpEbruqCJi0EbzKsZha cV/zDyc/BjtZHZHFQfVTbJDYjvFKRT/0mzurWWEaQCjU2oPVzNdtd5yuNTVQO8Ytw6Ft 2x2BIy8ywvuySdpU+8uJC0wU6ZjiRuSZFgmgRwty2kITx/8zfHHnAyv2RkKpkjo/PlJz RbhA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding:x-system-of-record :x-gm-message-state; bh=2Tm8D7/Oi/YP2QD9VklZRfaW1p1ZjXizwwnkO66Xb6w=; b=gH8Umc8tnuZiXjYh6w8lScGZfXCAgdJ/NBou/r5S19HTj+p+yH8P62qGon8heqUpj0 n4xHPNIeXsjQ+ZDZIg6iHqwRS7FxmmJCINF3glSC/fdG6WIycx4wtrRCg1+7pctGjMKy sBSG4d/4TY5IhQxtN2gcMIeJh1KO+z9LUsfxE3oQuzibUD3mRvcXo9kRFj9fhcvxVyya GxgV1Ch7VyW7JjfhEEH5d+Mvwqg4TqzYykLJhME4gR2C5nuV8Ay/91HDcWKbJ8lH5vve CRxmv25t4JvAqbz9J1ZUXusOAlGaWn9sHo1HNd8dBVyS/24MEy7jeDcs9dx9YFatfSa1 KaBw==
Received: by 10.50.6.138 with SMTP id b10mr5891699iga.21.1331745389230; Wed, 14 Mar 2012 10:16:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.50.6.138 with SMTP id b10mr5891360iga.21.1331745385372; Wed, 14 Mar 2012 10:16:25 -0700 (PDT)
Received: by 10.231.41.137 with HTTP; Wed, 14 Mar 2012 10:16:25 -0700 (PDT)
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723453AFF08903@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <CAGdjJpLBCyvg21zuGi1jWK58hkDL4Ff7-xdJ0dy0WZpvNPPrKA@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08903@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Date: Wed, 14 Mar 2012 10:16:25 -0700
Message-ID: <CAAJ++qE3KcFgJey7xXzW8dkTPzvtcu_ke7abkOEMS4hwi93yEg@mail.gmail.com>
From: Breno de Medeiros <breno@google.com>
To: Eran Hammer <eran@hueniverse.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-System-Of-Record: true
X-Gm-Message-State: ALoCoQlPqGd3pMFYlgmkBS5WQBghjcKcNynEpcR+gKZCIUFTzutyrxJSRsbWWisRfljYx3OD4V/2YqmYER4EzkRUzC2CLTb8FbsLZI/Q3Uwh7gykxUfPCPXvhB67FXbaafrYf/QkoUvH
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Mar 2012 17:16:32 -0000

Can you explain to me why response_type is necessary at all after this change.

If a javascript client (candidate for token usage) and the web server
component (candidate for code usage) cannot share registration (since
they are different components with different security contexts of the
same application) then there is no need to specify response_type. The
server can infer the response type from the client and its security
context.

My objection has nothing to do with code+token flow. I think the
change makes response_types irrelevant and is essentially a new
protocol.

As far as I understand it, the introduction of different code and
token flows was precisely to allow different security-context
components of the same client to securely operate under the same
registration. I think if we change this we need to specify a lot more
behavior, such as how a client can request authorization on behalf of
several components simultaneously.

On Wed, Mar 14, 2012 at 10:08, Eran Hammer <eran@hueniverse.com> wrote:
> This was already raised and addressed on this list last week.
>
> When someone defines and registers code+token, that specification must define how such a client is registered in light of the text below. This might mean defining a new client type, choosing the confidential client type with other normative text limiting the use of the secret in the public component, etc.
>
> IOW, this section doesn't break anything because there is nothing else defined to break. There is no way to avoid explicitly defining these requirements for a code+token response type, or any other new response type for that matter. The text below is required to ensure that the authorization server can properly enforce the rest of the normative security language in the specification.
>
> EH
>
>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Marius Scurtescu
>> Sent: Wednesday, March 14, 2012 9:53 AM
>> To: OAuth WG
>> Cc: Breno de Medeiros
>> Subject: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
>>
>> Hi,
>>
>> Nat Sakimura started a thread on the OpenID Connect list about a breaking
>> change introduced by rev 2.3
>>
>> The paragraph in question is in section 2.1:
>>
>> "A client application consisting of multiple components, each with its own
>> client type (e.g. a distributed client with both a confidential server-based
>> component and a public browser-based component), MUST register each
>> component separately as a different client to ensure proper handling by the
>> authorization server.  The authorization server MAY provider tools to manage
>> such complex clients through a single administration interface."
>>
>> http://tools.ietf.org/rfcdiff?difftype=--hwdiff&url2=draft-ietf-oauth-v2-
>> 23.txt
>>
>> You can see the thread here:
>> http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-
>> 20120312/001672.html
>>
>> This paragraph basically prevents response_type=code+token which is
>> already implemented by many providers and also relied on by OpenID
>> Connect.
>>
>> The intent, I think, was to prevent clients from embedding the client secret
>> meant for a confidential client into a public client.
>> JavaScript based clients using the token flow do not need the client secret, so
>> this concern does not apply.
>>
>> Thoughts?
>>
>> Thanks,
>> Marius
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth



-- 
--Breno

v2.23.0 | Report a Bug | By Email