Re: [OAUTH-WG] PKCE & Hybrid Flow

Dominick Baier <dbaier@leastprivilege.com> Wed, 27 January 2016 07:10 UTC

Date: Wed, 27 Jan 2016 08:10:28 +0100
From: Dominick Baier <dbaier@leastprivilege.com>
To: Nat Sakimura <sakimura@gmail.com>, John Bradley <ve7jtb@ve7jtb.com>
Message-ID: <etPan.56a86d65.9ac2ddf.289@dombp.local>
In-Reply-To: <CABzCy2DcwvLvk2Z6oZrEK8mbhb3M0eaLYidq8djOC_EfEt+V-Q@mail.gmail.com>
References: <etPan.56a7d2ec.b71f1ef.289@dombp.local> <8A68406E-0C0F-4CDB-A510-3C139CEE3AF4@ve7jtb.com> <CABzCy2DcwvLvk2Z6oZrEK8mbhb3M0eaLYidq8djOC_EfEt+V-Q@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/eZg3vasGz1ZsYdVsImOkcZLMUMI>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] PKCE & Hybrid Flow

Thanks!

We are almost done implementing PKCE in IdentityServer.

And yes, a comment that PKCE applies whenever a code is involved would probably be helpful for other implementers. Even if that makes total sense, it is not obvious.

— 
cheers
Dominick Baier


On 27 January 2016 at 03:11:28, Nat Sakimura (sakimura@gmail.com) wrote:

To that end, perhaps amending RFC 6749 so that the response type is treated as a space-separated value would be a better way to go?

On Wed, 27 January 2016 at 5:20, John Bradley <ve7jtb@ve7jtb.com> wrote:
Yes, it also applies to the “code id_token” response_type. It would also apply to the “code token” and “code token id_token” response types as well, though I can’t think of why a native app would use those.

We can look at an erratum to clarify. It is an artifact of response_type being treated as a single string as opposed to space-separated values, as most people would expect.

John B.

On Jan 26, 2016, at 5:11 PM, Dominick Baier <dbaier@leastprivilege.com> wrote:

Hi, 

PKCE only mentions the OAuth 2.0 code flow, but wouldn’t that also apply to the OIDC hybrid flow, e.g. code id_token?

— 
cheers
Dominick Baier

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

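The point the thread settles on is that PKCE protects the authorization code, not a particular named flow: an authorization server should require and verify a code challenge whenever the response_type set contains "code", including the OIDC hybrid types "code id_token", "code token" and "code token id_token". The following is an added example written for this page; it is not code from the thread, from IdentityServer or from any RFC. It models response_type as a space-separated set (the change Nat suggests for RFC 6749), requires code_challenge at the authorization endpoint whenever a code will be issued, and verifies code_verifier at the token endpoint with single-use codes and a constant-time comparison. The AuthorizationServer class, its in-memory code store and the parameter dictionaries are hypothetical; the verifier/challenge pair used in the usage section is the S256 test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets


def response_type_values(response_type: str) -> frozenset:
    """Treat response_type as a space-separated set of values, so that
    "code id_token" and "id_token code" are the same request."""
    return frozenset(response_type.split())


def issues_code(response_type: str) -> bool:
    """True for every response type that delivers an authorization code:
    plain "code" and the OIDC hybrid variants."""
    return "code" in response_type_values(response_type)


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Hypothetical AS that enforces PKCE for any response type containing "code"."""

    def __init__(self, allow_plain: bool = False):
        self.allow_plain = allow_plain
        self._codes = {}  # issued code -> (code_challenge, method); in-memory store for the example

    def authorize(self, params: dict) -> dict:
        values = response_type_values(params.get("response_type", ""))
        if not values:
            raise ValueError("invalid_request: missing response_type")
        result = {}
        if "code" in values:
            # A code will be returned, so PKCE applies regardless of what else is in the set.
            challenge = params.get("code_challenge")
            method = params.get("code_challenge_method", "plain")
            if not challenge:
                raise ValueError("invalid_request: code_challenge is required when a code is issued")
            if method not in ("plain", "S256"):
                raise ValueError("invalid_request: unsupported code_challenge_method")
            if method == "plain" and not self.allow_plain:
                raise ValueError("invalid_request: transform algorithm not supported")
            code = secrets.token_urlsafe(32)
            self._codes[code] = (challenge, method)
            result["code"] = code
        # Front-channel artifacts of the hybrid flow (id_token, token) would be minted
        # here; only their names are reported because minting is out of scope.
        result["front_channel"] = sorted(values - {"code"})
        return result

    def token(self, code: str, code_verifier: str) -> bool:
        """Redeem a code at the token endpoint. Returns True on success, raises otherwise."""
        entry = self._codes.pop(code, None)  # single use: a replayed code is invalid
        if entry is None:
            raise ValueError("invalid_grant: unknown or already used code")
        challenge, method = entry
        if code_verifier is None or not 43 <= len(code_verifier) <= 128:
            raise ValueError("invalid_grant: code_verifier missing or wrong length")
        expected = s256_challenge(code_verifier) if method == "S256" else code_verifier
        if not hmac.compare_digest(expected, challenge):
            raise ValueError("invalid_grant: code_verifier does not match code_challenge")
        return True


if __name__ == "__main__":
    # Constructed usage with the RFC 7636 Appendix B vector.
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    az = AuthorizationServer()
    hybrid = az.authorize({"response_type": "code id_token",
                           "code_challenge": s256_challenge(verifier),
                           "code_challenge_method": "S256"})
    print("hybrid flow issued code, PKCE verified:", az.token(hybrid["code"], verifier))
```

Note that "id_token token" (the pure implicit OIDC flow) passes authorize() with no challenge because no code is issued, while "token code" is rejected without one: the decision is made on set membership, not on the literal string "code".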