Re: [OAUTH-WG] client_id in PAR and JAR

Filip Skokan <panva.ip@gmail.com> Tue, 30 June 2020 10:01 UTC

From: Filip Skokan <panva.ip@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Tue, 30 Jun 2020 12:01:53 +0200
Message-Id: <3ACD016D-981D-42BE-957C-9472E68EFBA1@gmail.com>
References: <CAGObXPmEU4t+Ku9dVn21VmjbVQWgMAfGKSaZR=1j-tZ9Q8YP4w@mail.gmail.com>
Cc: oauth@ietf.org
In-Reply-To: <CAGObXPmEU4t+Ku9dVn21VmjbVQWgMAfGKSaZR=1j-tZ9Q8YP4w@mail.gmail.com>
To: Thiloshon Nagarajah <thiloshon@wso2.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hWbt4m20sT3uWzNmn8sbAyyijXc>
Subject: Re: [OAUTH-WG] client_id in PAR and JAR

It already is in the new revision of JAR; PAR will follow it too.

Technically though, since authorization requests can also use POST, it's not strictly a query string parameter; it may be contained in the request body too. Let's call it "authorization endpoint parameters" and leave the "how it's transferred" mechanism out.

Sent from my iPhone

> 30. 6. 2020 at 10:15, Thiloshon Nagarajah <thiloshon@wso2.com>:
> 
> 
> Hi Filip,
> 
> So I'm assuming client_id will be mandated as a query param in PAR as well?
> 
> Regards 
> 
>> On Tue, Jun 30, 2020 at 1:09 PM Filip Skokan <panva.ip@gmail.com> wrote:
>> Hi Thiloshon,
>> 
>> Not quite the way it went down, but we have this addressed in a future PAR draft.
>> 
>> Thank you ;)
>> 
>> Filip
>> 
>> Sent from my iPhone
>> 
>>> 30. 6. 2020 at 9:25, Thiloshon Nagarajah <thiloshon=40wso2.com@dmarc.ietf.org>:
>>> 
>>> 
>>> Hi All,
>>> 
>>> In the OAuth JAR specification, client_id is a required query parameter of the authorisation call, in both the request and request_uri flows [https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-23#section-5].
>>> 
>>> But in the OAuth PAR specification, which is a complementary spec to JAR, it is specified: "Clients are encouraged to use the request URI as the only parameter (in the authorisation call) in order to use the integrity and authenticity provided by the pushed authorization request." [https://tools.ietf.org/html/draft-ietf-oauth-par-01#section-4]
>>> 
>>> Taking into account that both of these build upon the OAuth spec, which also mandates the client_id query param in the authorisation call, it seems that PAR is not compatible with the OAuth and JAR specs. 
>>> 
>>> Is this intentional? If it is may I know the rationale behind this decision? 
>>> 
>>> Regards,
>>> -- 
>>> Thiloshon Nagarajah
>>> Software Engineer,
>>> Financial Solutions
>>> WSO2
>>> +94774209947
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> -- 
> Thiloshon Nagarajah
> Software Engineer,
> Financial Solutions
> WSO2
> +94774209947
>
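Added example, not code from this thread or from any OAuth implementation: an authorization server resolving a PAR request_uri the way the reply above describes, treating client_id and request_uri as "authorization endpoint parameters" that may arrive in the query string (GET) or the form body (POST), and checking that the client_id presented at the authorization endpoint is the client that pushed the request (the published JAR and PAR RFCs, 9101 and 9126, do require client_id next to request_uri). The in-memory store, the client identifier, the TTL and the sample requests are constructed for this example; rejecting any extra top-level parameter is this example's policy choice, stricter than the draft's "encouraged".

```python
import secrets
import time
from urllib.parse import parse_qs, quote, urlsplit

REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"


class PushedRequestStore:
    """In-memory stand-in for the AS's PAR storage (assumed; a real AS persists this)."""

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self._entries = {}  # request_uri -> {"client_id", "params", "expires_at"}

    def push(self, client_id, params, now=None):
        """Pushed authorization request: bind the parameters to the authenticated client."""
        now = time.time() if now is None else now
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        self._entries[request_uri] = {
            "client_id": client_id,
            "params": dict(params),
            "expires_at": now + self.ttl,
        }
        return request_uri

    def consume(self, request_uri, now=None):
        """Single use: remove on first lookup so a replayed request_uri fails."""
        now = time.time() if now is None else now
        entry = self._entries.pop(request_uri, None)
        if entry is None or entry["expires_at"] <= now:
            return None
        return entry


def authorization_endpoint_params(method, target, body=""):
    """Collect the authorization endpoint parameters regardless of transport.

    RFC 6749 section 3.1: the endpoint MUST support GET (parameters in the
    query string) and MAY support POST (form-encoded body); a parameter
    MUST NOT be included more than once.
    """
    if method == "GET":
        raw = urlsplit(target).query
    elif method == "POST":
        raw = body
    else:
        raise ValueError(f"unsupported method {method}")
    params = {}
    for name, values in parse_qs(raw, keep_blank_values=True).items():
        if len(values) != 1:
            raise ValueError(f"parameter {name} included more than once")
        params[name] = values[0]
    return params


def resolve_authorization_request(store, method, target, body="", now=None):
    """Resolve a request_uri-based authorization request.

    Returns (True, effective_params) or (False, error_description).
    """
    try:
        params = authorization_endpoint_params(method, target, body)
    except ValueError as exc:
        return False, f"invalid_request: {exc}"
    client_id = params.get("client_id")
    request_uri = params.get("request_uri")
    if not client_id:
        return False, "invalid_request: client_id missing"
    if not request_uri or not request_uri.startswith(REQUEST_URI_PREFIX):
        return False, "invalid_request: request_uri missing or not a PAR reference"
    entry = store.consume(request_uri, now)
    if entry is None:
        return False, "invalid_request: unknown, expired or already used request_uri"
    # The binding this thread is about: the client_id presented at the
    # authorization endpoint must be the client that pushed the request.
    if entry["client_id"] != client_id:
        return False, "invalid_request: client_id does not match the pushed request"
    # Policy choice of this example (stricter than the draft's "encouraged"):
    # any other top-level parameter would sidestep the pushed request's
    # integrity, so reject rather than merge.
    extra = sorted(set(params) - {"client_id", "request_uri"})
    if extra:
        return False, f"invalid_request: unexpected parameters {extra}"
    return True, dict(entry["params"], client_id=client_id)


if __name__ == "__main__":
    # Constructed walk-through: one pushed request, used once, then replayed.
    store = PushedRequestStore()
    uri = store.push("s6BhdRkqt3", {"response_type": "code", "scope": "openid",
                                    "redirect_uri": "https://client.example/cb"})
    target = f"/authorize?client_id=s6BhdRkqt3&request_uri={quote(uri, safe='')}"
    print(resolve_authorization_request(store, "GET", target))
    print(resolve_authorization_request(store, "GET", target))  # replay: rejected
```

The same resolver serves a POST to the authorization endpoint by passing the form body instead of a query string; the client_id check, the single-use consumption and the expiry check are independent of which transport carried the parameters.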