Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
Vladimir Dzhuvinov <vladimir@connect2id.com> Tue, 27 November 2018 15:00 UTC
Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BB12130EB5 for <oauth@ietfa.amsl.com>; Tue, 27 Nov 2018 07:00:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PALUuKa1N6Mg for <oauth@ietfa.amsl.com>; Tue, 27 Nov 2018 07:00:35 -0800 (PST)
Received: from p3plsmtpa06-06.prod.phx3.secureserver.net (p3plsmtpa06-06.prod.phx3.secureserver.net [173.201.192.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37E27130E90 for <oauth@ietf.org>; Tue, 27 Nov 2018 07:00:35 -0800 (PST)
Received: from [192.168.0.105] ([78.130.190.73]) by :SMTPAUTH: with ESMTPSA id Reqngc9GiVguCReqng7mzt; Tue, 27 Nov 2018 08:00:34 -0700
To: oauth@ietf.org
References: <VI1PR0801MB211266BA6F6E06FFB3081425FAD80@VI1PR0801MB2112.eurprd08.prod.outlook.com> <5494f764-2d14-089a-8fe8-132a65e32d5e@manicode.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Openpgp: preference=signencrypt
Autocrypt: addr=vladimir@connect2id.com; prefer-encrypt=mutual; keydata= xsBNBFQZaoEBCACnP2YMDex9fnf+niLglTHGKuoypUSVKPQeKDHHeFQVzhRke+HBEZBwmA9T kZ+kEhyrNqibDPkPYVPmo23tM8mbNcTVQqpmN7NwgMpqkqcAqNsIyBtt09DjWOQVm57A3K+y uXI7SdNErdt79p2xQseOhqSC9+LgWuyh+mZsl2oFD4glFFfKSCMp2jATXrAMeGzigTnW+Xe0 tRzrwFN9zqykKxhUq9oHg1cNvoDtfxgsc9ysVHbxM/PM8o9lgj3YTQwKMBcCFclTqohji7ML fQ08eQo+acKTwC1WRzeLt9PknGt3C4TmvdCl0c1BQTTTNiF96Hu4kbaiBIbsfxJOR8+VABEB AAHNLFZsYWRpbWlyIER6aHV2aW5vdiA8dmxhZGltaXJAY29ubmVjdDJpZC5jb20+wsB+BBMB AgAoBQJUGWqBAhsjBQkJZgGABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAZ0vUyOqri Ql62B/wOO0s2JC/QvO6w9iSsRhCOa/JZi+wO+l01V7eGCQ1cYf1W26Y7iKiUlY4/Kz+cr69D pMtkv3UpDTGejKEfspLUxz5Vo3T4oAKbTtNtVIZL/XxH3/JhJ719Jj4eLoe9/djKkGYTX2O5 bMk8TpO1DDjbIw4r9XKI9ZIk96zlKnZvrg7Ho7oOl0ZIf8AzcvdqZEUogDwyr8uwOU+jIyux mOTthepBzXCNjjBjnc8I1//9YppAIaGJ5nnXelVVD1/dyOszogervzFNANEIOvNvCd9G5u4e s7qkDKWKY7/Lj1tF+tMrDTrOh6JqUKbGNeTUB8DlPvIoNyqHUYfBELdpw1NdzsBNBFQZaoEB CADbPPN2c9iyif1rIiA3i+OAL2+jWlUwyM1hcfvA9zzYgQCFblNZk3lzkGukkCdSgyE3dibB 7TrP/7cPuSVp4sZ//PdSeYSP0NpURIi9Oqj4r3DlR1waR4g1pVPwXAhYvhsVD19RDdMasYBq enu+FXTvRKVB3erXBoXkBphhW4ekMh+E+21Cp2kaIf3VE4eK9565qFVem57CtTCqbpM8ElLb yQeHEl07bTrU8BCnmBJr9bg+h0Gp6s02PgebwXkiR5iGdANDrYHEmDj3XYdV8VFln4LRJeuj dGsZQpC9aQuFMhD5696iicelqHddNLZ0SOLnb8IxcTnU7HIjxMpgPBhPABEBAAHCwGUEGAEC AA8FAlQZaoECGwwFCQlmAYAACgkQGdL1Mjqq4kKPMwf+P+zfHt1/L+la1OszU8MXlarCHtRw qf0ROwUVB5PmLqGYqXSUN8qXFY38nIGNhxD/HAx8IZrlZ34FT9HH62hB3wmwvzO+JDl63yq0 0OJnywAaRUTSIwc6SnTQTgu0QSHidOG4yEXTNXDME14kO5Fvdlp6d2/vRDZ7oBcv6bX7g31H Ue5nai5/jXqQBikkgII6mst4GL803WLaNVvAUbLge25gvgdBdPgMpckNya0yzo9vHMQDDAhN oL1eAZ9MqG1qt2IVVE4dgHdNGUbREZ28Wur//gNTpama6eRrx7bOuVxf4euKbMxTMvHAP6bJ dIuenZiT6SZJLbpchHh+rgZ2rQ==
Organization: Connect2id Ltd.
Message-ID: <8935ff0f-aeab-c773-5e2d-6fedcc29119d@connect2id.com>
Date: Tue, 27 Nov 2018 17:00:32 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <5494f764-2d14-089a-8fe8-132a65e32d5e@manicode.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
X-CMAE-Envelope: MS4wfM1aXRWfGP36Lpufq/0tw4RqJk7FLkFddQGMk2wnr5Aj1NmisPXEaZLXhk5mY1tSeyUCeRsiic1VBdNya/4ZaA2hVqCv8cVXyrig+RGOEZNzdCqQHw5x axdNr1F9lMjU+fchh/2Lc7dQmKnVUQyyL62d+0NvUKG9eQkQ1YLhAuR9
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hnMKP1scM76OFA4i_6LVcnM54Rc>
Subject: Re: [OAUTH-WG] OAuth Security Topics -- Recommend authorization code instead of implicit
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Nov 2018 15:00:53 -0000
+1 to recommend the deprecation of implicit. I don't see a compelling reason to keep implicit when there is an established alternative that is more secure. Our duty as WG is to give developers the best and most sensible practice. CORS adoption is currently at 94% according to https://caniuse.com/#feat=cors Vladimir
- [OAUTH-WG] OAuth Security Topics -- Recommend aut… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Mike Jones
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Aaron Parecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Mike Jones
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… George Fletcher
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… George Fletcher
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Hans Zandbelt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Antonio Sanso
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Antonio Sanso
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… George Fletcher
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Manico
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vladimir Dzhuvinov
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Manico
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… John Bradley
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… Torsten Lodderstedt
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… John Bradley
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… William Denniss
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… Torsten Lodderstedt
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… Torsten Lodderstedt
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… Nat Sakimura
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… n-sakimura
- Re: [OAUTH-WG] [Openid-specs-ab] OAuth Security T… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dick Hardt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Richard Backman, Annabelle
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… William Denniss
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Petteri Stenius
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… William Denniss
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dave Tonge
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Neil Madden
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brian Campbell
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brian Campbell
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dick Hardt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Willeke
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Aaron Parecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… n-sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Daniel Fett
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Hannes Tschofenig
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dominick Baier
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… John Bradley
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brian Campbell
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brian Campbell
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Dick Hardt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Marius Scurtescu
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nat Sakimura
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Tomek Stojecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Tomek Stojecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Tomek Stojecki
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Justin Richer
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Phil Hunt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Phil Hunt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Manico
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nov Matake
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Nov Matake
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Jim Manico
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Brock Allen
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… David Waite
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Vittorio Bertocci
- Re: [OAUTH-WG] OAuth Security Topics -- Recommend… Phil Hunt