Re: [OAUTH-WG] Example in OAuth 2.0 Multiple Response Type Encoding Practices

Takahiko Kawasaki <daru.tk@gmail.com> Mon, 26 June 2017 12:16 UTC

In-Reply-To: <MWHPR21MB05107E7AC708F55FE45B0EFAE1DF0@MWHPR21MB0510.namprd21.prod.outlook.com>
References: <CAGpwqP85MS0mQn0wmUVxea3ZnUJdWEgGb09vUOM+SKZ+B+2Zcg@mail.gmail.com> <MWHPR21MB05107E7AC708F55FE45B0EFAE1DF0@MWHPR21MB0510.namprd21.prod.outlook.com>
From: Takahiko Kawasaki <daru.tk@gmail.com>
Date: Mon, 26 Jun 2017 21:16:32 +0900
Message-ID: <CAGpwqP8ednQD1G55e-yxa4p2--VhBCC=2V=ANC1pE5biyxOE-A@mail.gmail.com>
To: Philippe Signoret <Philippe.Signoret@microsoft.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/gYvEyqYMT8qnIHNqTZjqA3yuDJU>
Subject: Re: [OAUTH-WG] Example in OAuth 2.0 Multiple Response Type Encoding Practices

The response_type of the example includes id_token, and that is the reason
I brought it up. id_token triggers an Authentication Request.

# The response_type in the example in Appendix A
<http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#FragmentExample>
does not include id_token, so I have not mentioned it.

Best,
Taka



2017-06-26 17:09 GMT+09:00 Philippe Signoret <
Philippe.Signoret@microsoft.com>:

> scope=openid is required for OpenID Connect Authentication Requests (e.g.
> "3.3.2.1. Authentication Request
> <http://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest>"
> in "OpenID Connect Core 1.0
> <http://openid.net/specs/openid-connect-core-1_0.html>"),
> but not for an OAuth 2.0 Authorization Request (e.g. "4.1.1.
> Authorization Request <https://tools.ietf.org/html/rfc6749#section-4.1.1>"
> in "RFC6749 The OAuth 2.0 Authorization Framework
> <https://tools.ietf.org/html/rfc6749>").
>
> OpenID Connect is “an identity layer on top of the OAuth 2.0 protocol”.
> OpenID Connect specs will often refer to aspects of the OAuth 2.0 protocol,
> but the OAuth 2.0 specs will generally not refer to the OpenID Connect
> constructs. (Because OpenID Connect is a specific case of OAuth 2.0.)
>
> Philippe
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Takahiko
> Kawasaki
> *Sent:* Monday, June 26, 2017 7:46 AM
> *To:* oauth@ietf.org
> *Subject:* [OAUTH-WG] Example in OAuth 2.0 Multiple Response Type
> Encoding Practices
>
> Hello,
>
> I'm not so sure that this is the right place to ask, but I'm wondering
> whether it is correct or not that the following non-normative example found
> in "5. Definitions of Multi-Valued Response Type Combinations
> <http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Combinations>"
> in "OAuth 2.0 Multiple Response Type Encoding Practices
> <http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html>"
> does not include "scope=openid".
>
>   GET /authorize?
>     response_type=id_token%20token
>     &client_id=s6BhdRkqt3
>     &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
>     &state=af0ifjsldkj HTTP/1.1
>   Host: server.example.com
>
> The reason I'm wondering is that "3.3.2.1. Authentication Request
> <http://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest>"
> in "OpenID Connect Core 1.0
> <http://openid.net/specs/openid-connect-core-1_0.html>"
> requires that Authentication Requests be made as defined in "3.1.2.1.
> Authentication Request
> <http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest>"
> and "3.1.2.1" requires that the scope request parameter contain openid.
>
> Best Regards,
>
> Takahiko Kawasaki
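As an added example (not part of this thread, and not code from either specification), the following Python lint applies the reading given in the reply above to a raw authorization request URL: it splits the space-delimited response_type and scope parameters, derives the default response_mode from the Multiple Response Type Encoding Practices rules (anything carrying token or id_token goes in the fragment), and reports an id_token request whose scope lacks openid, since OpenID Connect Core 3.1.2.1 makes scope REQUIRED with openid in it and 3.1.2.2 leaves behaviour "entirely unspecified" when openid is absent. The sample URL is rebuilt from the request quoted in the thread; the function names and result layout are this example's own, and whether an authorization server rejects such a request is a deployment decision rather than something the quoted text mandates.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the request quoted in the thread, rebuilt as one URL.
THREAD_EXAMPLE = (
    "https://server.example.com/authorize?response_type=id_token%20token"
    "&client_id=s6BhdRkqt3&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb"
    "&state=af0ifjsldkj"
)

# response_type values that, alone or in any combination, default to the
# fragment response mode (OAuth 2.0 Multiple Response Type Encoding
# Practices, section 5; RFC 6749 section 4.2 for "token" on its own).
FRAGMENT_RESPONSE_TYPES = {"token", "id_token"}


def _split_multi_valued(value):
    """Split a space-delimited parameter (response_type, scope) into a set."""
    return set(value.split())


def default_response_mode(response_type):
    """Default response_mode for a set of response_type values.

    "code" alone (and "none") use the query component; anything that
    carries a token or id_token goes into the fragment.
    """
    if response_type & FRAGMENT_RESPONSE_TYPES:
        return "fragment"
    return "query"


def lint_authorization_request(url):
    """Parse one authorization request URL and apply the scope check
    discussed in the thread. Function name and result layout are this
    example's own, not from either specification.

    Returns the parsed multi-valued parameters, the default response_mode,
    whether the request is an OpenID Connect Authentication Request
    (scope contains "openid"), and a list of human-readable findings.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    findings = []

    # RFC 6749 section 3.1: a parameter MUST NOT be included more than once.
    for name, values in query.items():
        if len(values) > 1:
            findings.append(f"parameter {name!r} appears {len(values)} times")

    params = {name: values[0] for name, values in query.items()}
    response_type = _split_multi_valued(params.get("response_type", ""))
    scope = _split_multi_valued(params.get("scope", ""))

    if not response_type:
        findings.append("response_type is missing (REQUIRED by RFC 6749 3.1.1)")

    is_authentication_request = "openid" in scope

    # The point at issue in the thread: OpenID Connect Core 3.1.2.1 makes
    # scope REQUIRED and says it MUST contain "openid"; 3.3.2.1 applies the
    # same rule to hybrid requests. Without "openid" this is a plain OAuth 2.0
    # authorization request, and asking for an id_token has no spec-defined
    # meaning (Core 3.1.2.2: behaviour "entirely unspecified").
    if "id_token" in response_type and not is_authentication_request:
        findings.append(
            "response_type requests id_token but scope lacks 'openid': "
            "not an OpenID Connect Authentication Request"
        )

    return {
        "response_type": sorted(response_type),
        "scope": sorted(scope),
        "response_mode": default_response_mode(response_type),
        "authentication_request": is_authentication_request,
        "findings": findings,
    }


if __name__ == "__main__":
    result = lint_authorization_request(THREAD_EXAMPLE)
    print("response_mode:", result["response_mode"])
    for finding in result["findings"]:
        print("finding:", finding)
```

Run against the thread's example the lint reports the fragment response mode and the single finding that id_token is requested without openid; adding `scope=openid` to the same URL clears it.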