Re: [OAUTH-WG] PKCE & Hybrid Flow

Nat Sakimura <sakimura@gmail.com> Wed, 27 January 2016 02:11 UTC

From: Nat Sakimura <sakimura@gmail.com>
Date: Wed, 27 Jan 2016 02:11:19 +0000
Message-ID: <CABzCy2DcwvLvk2Z6oZrEK8mbhb3M0eaLYidq8djOC_EfEt+V-Q@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Dominick Baier <dbaier@leastprivilege.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/lTf6EQqHF2UZ2RO1gf8pHAWlHNQ>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] PKCE & Hybrid Flow

To the end, perhaps amending RFC6749 so that the response type is treated
as a space separated value would be a better way to go?

On Wed, Jan 27, 2016 at 5:20, John Bradley <ve7jtb@ve7jtb.com> wrote:

> Yes it also applies to the “code id_token” response_type. It would also
> apply to “code token”, “code token id_token” response types as well though
> I can’t think of why a native app would use those.
>
> We can look at an errata to clarify.  It is an artifact of response_type
> being treated as a single string as opposed to being space separated values
> as most people would expect.
>
> John B.
>
> On Jan 26, 2016, at 5:11 PM, Dominick Baier <dbaier@leastprivilege.com>
> wrote:
>
> Hi,
>
> PKCE only mentions OAuth 2.0 code flow - but wouldn’t that also apply to
> OIDC hybrid flow e.g. code id_token?
>
> —
> cheers
> Dominick Baier
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
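
The point discussed in this thread, as an added example that is not part of any message above: an authorization server that compares response_type against the single string "code" skips PKCE for the hybrid response types, while one that splits it into space-separated values applies PKCE whenever a code is issued. The function names, the request/grant dictionaries and the policy of requiring a code_challenge are assumptions for illustration; the S256 transform is the one defined in RFC 7636.

```python
import base64
import hashlib
import hmac


def naive_issues_code(response_type: str) -> bool:
    """Single-string comparison: only the plain code flow matches."""
    return response_type == "code"


def issues_code(response_type: str) -> bool:
    """Treat response_type as space-separated values; order is irrelevant."""
    return "code" in frozenset(response_type.split())


def s256_challenge(code_verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(code_verifier))) without padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize(request: dict) -> dict:
    """Hypothetical authorization-endpoint step: bind the challenge to the code."""
    if not issues_code(request["response_type"]):
        return {"pkce": None}  # no code in the response, nothing to bind
    challenge = request.get("code_challenge")
    if challenge is None:
        # Assumed server policy: every code-bearing flow must use PKCE.
        raise ValueError("invalid_request: code_challenge required")
    return {"pkce": (challenge, request.get("code_challenge_method", "plain"))}


def redeem(grant: dict, code_verifier: str) -> bool:
    """Hypothetical token-endpoint step: check the verifier against the grant."""
    if grant["pkce"] is None:
        return False  # no code was issued for this grant
    challenge, method = grant["pkce"]
    computed = s256_challenge(code_verifier) if method == "S256" else code_verifier
    return hmac.compare_digest(computed, challenge)


# Verifier/challenge pair from RFC 7636, Appendix B.
VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"

if __name__ == "__main__":
    for rt in ("code", "code id_token", "code token", "code token id_token"):
        print(f"{rt!r}: naive={naive_issues_code(rt)} split={issues_code(rt)}")
```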