Re: [OAUTH-WG] OAuth 2.1 - drop implicit flow?

Brian Campbell <bcampbell@pingidentity.com> Sat, 07 March 2020 23:35 UTC

References: <CAD9ie-s9HT=9MKPK+GpVngZc+9QMxHS6KL-Sfq-UPQz2VQ3ioA@mail.gmail.com> <3F805BA8-8ABB-4939-96CC-FD2FEC811322@lodderstedt.net> <CAD9ie-sZOG0=pbFW72fZR3XtzsNFRFCyFmF5xeEPFUzHzdmHaQ@mail.gmail.com> <CA+k3eCRJMtAstvrNKPE4qAqU7TCFytrCZC8tHtupWno_J0xKbQ@mail.gmail.com> <CAD9ie-uiLS=f1QrHyQAAaq2YP=gPVFCtOawbKXwh4xG8adw=vQ@mail.gmail.com>
In-Reply-To: <CAD9ie-uiLS=f1QrHyQAAaq2YP=gPVFCtOawbKXwh4xG8adw=vQ@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Sat, 7 Mar 2020 16:35:37 -0700
Message-ID: <CA+k3eCQGqduvcOi_S6cp49NUkr4Rt1ws7Lb6t3SvVgceaHKbOQ@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jdB7fBw59HN03hL0CJCGNlaoH7M>
Subject: Re: [OAUTH-WG] OAuth 2.1 - drop implicit flow?

Sorry, was replying on my phone on the weekend and trying to keep it quick.
I meant that I thought Torsten's suggestion was good.

On Sat, Mar 7, 2020, 4:25 PM Dick Hardt <dick.hardt@gmail.com> wrote:

> Would you clarify what text works Brian?
>
> On Sat, Mar 7, 2020 at 3:24 PM Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
>> Yeah, that works for me.
>>
>> On Sat, Mar 7, 2020, 9:37 AM Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>>> Brian: does that meet your requirements?
>>>
>>> If not, how about if we refer to OIDC as an example extension without
>>> saying it is implicit?
>>>
>>> On Sat, Mar 7, 2020 at 8:29 AM Torsten Lodderstedt <
>>> torsten@lodderstedt.net> wrote:
>>>
>>>> I think keeping the response type as extension point and not mentioning
>>>> implicit at all is sufficient to support Brian’s objective.
>>>>
>>>> On 07.03.2020 at 17:06, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>
>>>> 
>>>> How about if we add in a nonnormative reference to OIDC as an explicit
>>>> example of an extension:
>>>>
>>>> "For example, OIDC defines an implicit grant with additional security
>>>> features."
>>>>
>>>> or similar language
>>>>
>>>> On Sat, Mar 7, 2020 at 5:27 AM Brian Campbell <
>>>> bcampbell@pingidentity.com> wrote:
>>>>
>>>>> The name implicit grant is unfortunately somewhat misleading/confusing
>>>>> but, for the case at hand, the extension mechanism isn't grant type so much
>>>>> as response type and even response mode.
>>>>>
>>>>> The perspective shared during the office hours call was, paraphrasing
>>>>> as best I can, that there are legitimate uses of implicit style flows in
>>>>> OpenID Connect (that likely won't be updated) and it would be really nice
>>>>> if this new 2.1 or whatever it's going to be document didn't imply that
>>>>> they were disallowed or problematic or otherwise create unnecessary FUD or
>>>>> confusion for the large population of existing deployments.
>>>>>
>>>>> On Fri, Feb 28, 2020 at 1:56 PM Dick Hardt <dick.hardt@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> I'm looking to close out this topic. I heard that Brian and Vittorio
>>>>>> shared some points of view in the office hours, and wanted to confirm:
>>>>>>
>>>>>> + Remove implicit flow from OAuth 2.1 and continue to highlight that
>>>>>> grant types are an extension mechanism.
>>>>>>
>>>>>> For example, if OpenID Connect were to be updated to refer to OAuth
>>>>>> 2.1 rather than OAuth 2.0, OIDC could define the implicit grant type with
>>>>>> all the appropriate considerations.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Feb 18, 2020 at 10:49 PM Dominick Baier <
>>>>>> dbaier@leastprivilege.com> wrote:
>>>>>>
>>>>>>> No - please get rid of it.
>>>>>>>
>>>>>>> ———
>>>>>>> Dominick Baier
>>>>>>>
>>>>>>> On 18. February 2020 at 21:32:31, Dick Hardt (dick.hardt@gmail.com)
>>>>>>> wrote:
>>>>>>>
>>>>>>> Hey List
>>>>>>>
>>>>>>> (I'm using the OAuth 2.1 name as a placeholder for the doc that
>>>>>>> Aaron, Torsten, and I are working on)
>>>>>>>
>>>>>>> Given the points Aaron brought up in
>>>>>>>
>>>>>>>
>>>>>>> https://mailarchive.ietf.org/arch/msg/oauth/hXEfLXgEqrUQVi7Qy8X_279DCNU
>>>>>>>
>>>>>>>
>>>>>>> Does anyone have concerns with dropping the implicit flow from the
>>>>>>> OAuth 2.1 document so that developers don't use it?
>>>>>>>
>>>>>>> /Dick
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>
>>>>>>>
>>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>>> privileged material for the sole use of the intended recipient(s). Any
>>>>> review, use, distribution or disclosure by others is strictly prohibited.
>>>>> If you have received this communication in error, please notify the sender
>>>>> immediately by e-mail and delete the message and any file attachments from
>>>>> your computer. Thank you.*
>>>>
>>>>
>>>>
>
>

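Brian's point above is that the extension point in play is the response_type (and response_mode) rather than the grant type: "code" goes through the token endpoint, while "token" and "id_token" are delivered straight from the authorization endpoint, by default in the URL fragment. The following is an added example, not code from the thread or from any OAuth 2.1 draft. It sketches how an authorization server could keep code + PKCE as its core and treat token-bearing response types as something only an enabled OIDC extension (with its nonce requirement) turns on. The hosts as.example and app.example, the function names, and the specific policy choices (S256 required, only ID-Token-bearing combinations honoured, query mode refused for tokens) are this example's assumptions.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# response_type values: "code" and "token" come from RFC 6749, "id_token" from
# OpenID Connect; combinations are space-separated and order-insensitive.
CODE = "code"
AUTHZ_ENDPOINT_TOKENS = frozenset({"token", "id_token"})  # issued without the token endpoint


def parse_response_type(raw):
    """Turn the raw response_type parameter into a set of known values, or raise."""
    parts = frozenset(raw.split())
    if not parts or not parts <= (AUTHZ_ENDPOINT_TOKENS | {CODE}):
        raise ValueError("unsupported_response_type")
    return parts


def flow_kind(rt):
    """code = token endpoint only; implicit = tokens from the authorization endpoint; hybrid = both."""
    if rt == {CODE}:
        return "code"
    return "hybrid" if CODE in rt else "implicit"


def default_response_mode(rt):
    """Default encoding per OAuth 2.0 Multiple Response Type Encoding Practices:
    query for response_type=code, fragment for anything that carries a token."""
    return "query" if rt == {CODE} else "fragment"


def evaluate_authorization_request(url, oidc_extension_enabled=False):
    """Example 2.1-style policy (an assumption of this example, not spec text):
    the core honours only code + PKCE; token-bearing response types are honoured only
    when the OIDC extension is enabled, an ID Token is requested, and a nonce is present."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    try:
        rt = parse_response_type(params.get("response_type", ""))
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    kind = flow_kind(rt)
    mode = params.get("response_mode", default_response_mode(rt))
    if kind == "code":
        if "code_challenge" not in params or params.get("code_challenge_method") != "S256":
            return {"ok": False, "error": "invalid_request", "detail": "PKCE with S256 is required"}
    else:
        if not oidc_extension_enabled or "id_token" not in rt:
            return {"ok": False, "error": "unsupported_response_type"}
        if "nonce" not in params:
            return {"ok": False, "error": "invalid_request", "detail": "nonce is required"}
        if mode == "query":
            # tokens in a query string end up in server logs and Referer headers
            return {"ok": False, "error": "invalid_request", "detail": "tokens are not returned in the query string"}
    return {"ok": True, "flow": kind, "response_mode": mode, "response_type": sorted(rt)}


def build_redirect(redirect_uri, result, mode):
    """Encode the authorization result into the redirect URI in the given response mode."""
    scheme, netloc, path, query, fragment = urlsplit(redirect_uri)
    encoded = urlencode(result)
    if mode == "fragment":
        return urlunsplit((scheme, netloc, path, query, encoded))
    return urlunsplit((scheme, netloc, path, f"{query}&{encoded}" if query else encoded, fragment))


if __name__ == "__main__":
    # constructed sample requests against a hypothetical AS at as.example
    base = "https://as.example/authorize?client_id=app&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&state=xyz&"
    samples = [
        ("response_type=code&code_challenge=abc123&code_challenge_method=S256", False),
        ("response_type=code", False),
        ("response_type=token", True),
        ("response_type=id_token%20token&nonce=n1", False),
        ("response_type=id_token%20token&nonce=n1", True),
        ("response_type=code%20id_token&nonce=n1&response_mode=query", True),
    ]
    for query, ext in samples:
        print(query, "| oidc extension:", ext, "->", evaluate_authorization_request(base + query, ext))
    print(build_redirect("https://app.example/cb", {"code": "abc", "state": "xyz"}, "query"))
    print(build_redirect("https://app.example/cb", {"access_token": "t", "token_type": "Bearer"}, "fragment"))
```

The split between `flow_kind` and `default_response_mode` is the point of the example: whether the result travels in the query string or the fragment is decided by the response type, not by any grant type, which is why a document that keeps response_type as an extension point can leave the implicit-style OIDC flows to OIDC without mentioning them.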