Re: [OAUTH-WG] Advertise PKCE support in OAuth 2.0 Discovery (draft-jones-oauth-discovery-00)

Mike Jones <Michael.Jones@microsoft.com> Mon, 25 January 2016 22:49 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: William Denniss <wdenniss@google.com>, John Bradley <ve7jtb@ve7jtb.com>
Thread-Topic: [OAUTH-WG] Advertise PKCE support in OAuth 2.0 Discovery (draft-jones-oauth-discovery-00)
Date: Mon, 25 Jan 2016 22:49:18 +0000
Message-ID: <BY2PR03MB44214DF2BDECA8050E819F6F5C70@BY2PR03MB442.namprd03.prod.outlook.com>
References: <568D24DD.3050501@connect2id.com> <EA392E73-1C01-42DC-B21D-09F570239D5E@ve7jtb.com> <CAAP42hAA6SOvfxjfuQdjoPfSh3HmK=a7PCQ_sPXTmDg+AQ6sug@mail.gmail.com> <568D5610.6000506@lodderstedt.net> <CAAP42hA8SyOOkJ-D299VgvQUdQv6NXqxSt9R0TK7Zk7JaU56eQ@mail.gmail.com> <F9C0DF10-C067-4EEB-85C8-E1208798EA54@gmail.com> <CABzCy2A+Z86UCJXeK1mLPfyq9p1QQS=_dekbEz6ibP8Z8Pz87Q@mail.gmail.com> <CAAP42hCKRpEnS7zVL7C_jpaFXwXUjzkNUzxtDa9MUKAQw7gsAA@mail.gmail.com> <10631235-AF1B-4122-AEAE-D56BBF38F87E@ve7jtb.com> <CAAP42hB=1rudPCzrCgaUp3W8+K0jcfoAwq3gJG5=vNeK9pqjaA@mail.gmail.com> <6F32C1CF-EA2A-4A74-A694-F52FD19DBA5C@ve7jtb.com>, <CAAP42hC1KbDF1oOLyY11ZBW-WyBQjaEQTzAyZLfKUvOS8fOQOQ@mail.gmail.com>
In-Reply-To: <CAAP42hC1KbDF1oOLyY11ZBW-WyBQjaEQTzAyZLfKUvOS8fOQOQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/noOkH0sfWQNCTXjDEXlEugKzwDI>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Advertise PKCE support in OAuth 2.0 Discovery (draft-jones-oauth-discovery-00)

I'll add it to the discovery draft in the next day or so.  Also, please see my questions in the message "[OAUTH-WG] Discovery document updates planned". I was waiting for that feedback before doing the update.

Thanks,
-- Mike
________________________________
From: William Denniss<mailto:wdenniss@google.com>
Sent: 1/25/2016 2:29 PM
To: John Bradley<mailto:ve7jtb@ve7jtb.com>
Cc: Nat Sakimura<mailto:sakimura@gmail.com>; oauth@ietf.org<mailto:oauth@ietf.org>; Mike Jones<mailto:Michael.Jones@microsoft.com>
Subject: Re: [OAUTH-WG] Advertise PKCE support in OAuth 2.0 Discovery (draft-jones-oauth-discovery-00)

OK great! It seems that we have consensus on this. So this is what we plan to add to our discovery doc, based on this discussion:

"code_challenge_methods_supported": ["plain","S256"]

What are the next steps? Can we add it to https://tools.ietf.org/html/draft-jones-oauth-discovery directly? I see that the IANA registry created by that draft is "Specification Required", but PKCE is already an RFC without this param being registered.


On Mon, Jan 25, 2016 at 2:11 PM, John Bradley <ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>> wrote:
Yes, sorry. code_challenge_method is the query parameter, so code_challenge_methods_supported.


On Jan 25, 2016, at 6:12 PM, William Denniss <wdenniss@google.com<mailto:wdenniss@google.com>> wrote:



On Thu, Jan 21, 2016 at 6:17 AM, John Bradley <ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>> wrote:
The code_challenge and code_challenge_method parameter names predate calling the spec PKCE.

Given that some of us deployed early versions of PKCE in products and open source to mitigate the problem before the spec was completed, we decided not to rename the parameter names from code_verifier_method to pkce_verifier_method.

For consistency we should stick with code_verifier_methods_supported in discovery.

To clarify, did you mean "code_challenge_methods_supported"?  That is, building on the param name "code_challenge_method" from Section 4.3<https://tools.ietf.org/html/rfc7636#section-4.3>?


John B.

On Jan 21, 2016, at 3:12 AM, William Denniss <wdenniss@google.com<mailto:wdenniss@google.com>> wrote:

"code_challenge_methods_supported" definitely works for me.

Any objections to moving forward with that? I would like to update our discovery doc shortly.

On Thu, Jan 21, 2016 at 1:37 PM, Nat Sakimura <sakimura@gmail.com<mailto:sakimura@gmail.com>> wrote:
Ah, OK. That's actually reasonable.

On Thu, 21 Jan 2016 at 9:31, nov matake <matake@gmail.com<mailto:matake@gmail.com>> wrote:
I prefer “code_challenge_methods_supported”, since the registered parameter name is “code_challenge_method”, not “pkce_method”.

On Jan 19, 2016, at 11:58, William Denniss <wdenniss@google.com<mailto:wdenniss@google.com>> wrote:

Seems like we agree this should be added. How should it look?

Two ideas:

"code_challenge_methods_supported": ["plain", "S256"]

or

"pkce_methods_supported": ["plain", "S256"]



On Wed, Jan 6, 2016 at 9:59 AM, Torsten Lodderstedt <torsten@lodderstedt.net<mailto:torsten@lodderstedt.net>> wrote:
+1


On 06.01.2016 at 18:25, William Denniss wrote:
+1

On Wed, Jan 6, 2016 at 6:40 AM, John Bradley <ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>> wrote:
Good point.  Now that PKCE is an RFC we should add it to discovery.

John B.
> On Jan 6, 2016, at 9:29 AM, Vladimir Dzhuvinov <vladimir@connect2id.com<mailto:vladimir@connect2id.com>> wrote:
>
> I just noticed PKCE support is missing from the discovery metadata.
>
> Is it a good idea to add it?
>
> Cheers,
>
> Vladimir
>
> --
> Vladimir Dzhuvinov
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org<mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth

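As an added example (not code from this thread, from draft-jones-oauth-discovery, or from any of the posters' implementations), the block below shows what a client and an authorization server would do with the field the thread settles on, "code_challenge_methods_supported". The discovery document is a constructed sample with a placeholder issuer; the function names are assumptions. The client side follows RFC 7636 section 4.2 (use S256 whenever it is advertised, fall back to plain only when nothing else is offered, treat a missing field as "no signal" rather than "no PKCE"), and the server side is the token-endpoint check of section 4.6 with verifier-format validation and a constant-time comparison.

```python
import base64
import hashlib
import hmac
import json
import re
import secrets
from typing import Optional

# Constructed sample discovery document (placeholder issuer, not a real server)
# carrying the metadata field the thread agreed on.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://as.example",
    "authorization_endpoint": "https://as.example/authorize",
    "token_endpoint": "https://as.example/token",
    "code_challenge_methods_supported": ["plain", "S256"],
})

# RFC 7636 section 4.1: code_verifier is 43..128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def choose_code_challenge_method(metadata_json: str) -> Optional[str]:
    """Pick the PKCE transform from the advertised list (hypothetical helper).

    RFC 7636 section 4.2 requires a client that can do S256 to use it, so S256
    wins whenever it is advertised; "plain" is used only when it is the sole
    method this client recognises. A missing field is exactly the gap the
    thread is about: it says nothing either way, so None is returned and the
    caller decides how to proceed.
    """
    methods = json.loads(metadata_json).get("code_challenge_methods_supported")
    if not methods:
        return None
    if "S256" in methods:
        return "S256"
    if "plain" in methods:
        return "plain"
    return None  # only transforms this client does not implement


def make_code_verifier(n_bytes: int = 32) -> str:
    """32 random bytes encode to 43 base64url characters, the RFC 7636 minimum."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge(verifier: str, method: str) -> str:
    """Apply the transform named by code_challenge_method (RFC 7636 section 4.2)."""
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method!r}")


def server_verify(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Token-endpoint check (RFC 7636 section 4.6): recompute and compare.

    The verifier format is validated before hashing so malformed input is
    rejected early, and the comparison is constant-time.
    """
    if not VERIFIER_RE.match(presented_verifier):
        return False
    expected = code_challenge(presented_verifier, stored_method)
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


if __name__ == "__main__":
    method = choose_code_challenge_method(SAMPLE_METADATA)
    verifier = make_code_verifier()
    challenge = code_challenge(verifier, method)
    print("method:", method, "challenge:", challenge)
    print("token endpoint accepts verifier:", server_verify(challenge, method, verifier))
```

The S256 path can be checked against the worked example in RFC 7636 Appendix B, whose verifier "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk" yields the challenge "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM". Without the discovery field, a client has no way to tell a server that silently ignores code_challenge from one that enforces it, which is the reason the thread asks for the metadata to be advertised.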