Re: [OAUTH-WG] PKCE & Hybrid Flow

John Bradley <ve7jtb@ve7jtb.com> Tue, 26 January 2016 20:19 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <etPan.56a7d2ec.b71f1ef.289@dombp.local>
Date: Tue, 26 Jan 2016 17:19:46 -0300
Message-Id: <8A68406E-0C0F-4CDB-A510-3C139CEE3AF4@ve7jtb.com>
References: <etPan.56a7d2ec.b71f1ef.289@dombp.local>
To: Dominick Baier <dbaier@leastprivilege.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/iml4GX5fHb7jc7TYae_cwlt4iC0>
Cc: oauth@ietf.org

Yes, it also applies to the “code id_token” response_type. It would also apply to the “code token” and “code token id_token” response types as well, though I can’t think of why a native app would use those.

We can look at an errata to clarify. It is an artifact of response_type being treated as a single string as opposed to being space-separated values, as most people would expect.

John B.

> On Jan 26, 2016, at 5:11 PM, Dominick Baier <dbaier@leastprivilege.com> wrote:
> 
> Hi, 
> 
> PKCE only mentions OAuth 2.0 code flow - but wouldn’t that also apply to OIDC hybrid flow e.g. code id_token?
> 
> — 
> cheers
> Dominick Baier
> 
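As an added illustration (not code from the thread or from any OAuth implementation), this is the authorization-server decision the reply describes: PKCE enforcement keyed on whether `code` is among the space-separated response_type values, so the hybrid flows are covered, rather than on an exact string match against "code". The token-endpoint verifier check follows RFC 7636; function names are my own.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 6749 / OIDC Core: response_type is a space-delimited, order-independent set,
# so "code id_token" and "id_token code" describe the same request.
def response_type_values(response_type: str) -> frozenset:
    return frozenset(response_type.split())

def requires_pkce(response_type: str) -> bool:
    """An authorization code is issued whenever 'code' is one of the values,
    so PKCE applies to the hybrid flows just as it does to plain 'code'.
    Comparing response_type == "code" would silently skip the hybrid cases."""
    return "code" in response_type_values(response_type)

# RFC 7636 section 4.1: 43..128 unreserved characters.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")

def generate_code_verifier() -> str:
    # 32 random bytes, base64url without padding, gives a 43-character verifier.
    return secrets.token_urlsafe(32)

def s256_challenge(code_verifier: str) -> str:
    # RFC 7636: code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def verify_code_verifier(code_verifier: str, stored_challenge: str, method: str) -> bool:
    """Token-endpoint check of the presented code_verifier against the
    code_challenge stored with the authorization code at the authorization
    endpoint. Unknown methods and malformed verifiers are rejected outright."""
    if not _VERIFIER_RE.match(code_verifier):
        return False
    if method == "S256":
        expected = s256_challenge(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return False
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(expected, stored_challenge)
```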