Re: [OAUTH-WG] OAuth 2.1 - drop implicit flow?

Dick Hardt <dick.hardt@gmail.com> Fri, 20 March 2020 18:43 UTC

References: <CAD9ie-s9HT=9MKPK+GpVngZc+9QMxHS6KL-Sfq-UPQz2VQ3ioA@mail.gmail.com> <3F805BA8-8ABB-4939-96CC-FD2FEC811322@lodderstedt.net> <CAD9ie-sZOG0=pbFW72fZR3XtzsNFRFCyFmF5xeEPFUzHzdmHaQ@mail.gmail.com> <CA+k3eCRJMtAstvrNKPE4qAqU7TCFytrCZC8tHtupWno_J0xKbQ@mail.gmail.com> <CAD9ie-uiLS=f1QrHyQAAaq2YP=gPVFCtOawbKXwh4xG8adw=vQ@mail.gmail.com> <CA+k3eCQGqduvcOi_S6cp49NUkr4Rt1ws7Lb6t3SvVgceaHKbOQ@mail.gmail.com> <CAO_FVe4B45fQjOtUtFw+nthLn3RtaivPik9jHkC8Fqu1C3ovZg@mail.gmail.com> <CAMVRk+JCruWcpp96iDVdCpLVo4pZkn312b48L9xbbb0b0BVaAQ@mail.gmail.com> <C931D7DE-DD10-4BAB-852B-3F7151839E0A@mit.edu> <CAMVRk+K9H9K0JcQYqkM5CHEn6eRLvb=ziZ4uQN2r0eNqxusroQ@mail.gmail.com>
In-Reply-To: <CAMVRk+K9H9K0JcQYqkM5CHEn6eRLvb=ziZ4uQN2r0eNqxusroQ@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Fri, 20 Mar 2020 11:43:03 -0700
Message-ID: <CAD9ie-vDGwcnza6f+Mjp12mD9867nW8meDwfmm9y_tvxaHR-Cw@mail.gmail.com>
To: Jared Jennings <jaredljennings@gmail.com>
Cc: Justin Richer <jricher@mit.edu>, Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005b29d405a14da990"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/nu15YmTaqBon2yLaUg5g34ea8j0>
Subject: Re: [OAUTH-WG] OAuth 2.1 - drop implicit flow?

Minimizing market confusion is an objective of the OAuth 2.1 draft.

Given you are one of the people explaining to the market, your suggestions
are of interest and welcome!

On Wed, Mar 18, 2020 at 6:03 AM Jared Jennings <jaredljennings@gmail.com>
wrote:

> Perfect, and really good info! But most people, if we need to worry about
> the audience, are not going to put that together. They just read "OAUTH".
> It's not a deal breaker, but if the document is going to be easy to read
> and keep confusion to a minimum... then it would be nice if it addressed
> concepts like this that might seem obvious to you.
>
> Granted, I am coming at this from a consultant perspective who works with
> a lot of companies who have architects that barely understand these
> technologies, but are implementing them for the enterprise.
>
> -Jared
> Skype:jaredljennings
> Signal:+1 816.730.9540
> WhatsApp: +1 816.678.4152
>
>
> On Wed, Mar 18, 2020 at 7:55 AM Justin Richer <jricher@mit.edu> wrote:
>
>> OpenID Connect is based on OAuth 2.0, not on OAuth 2.1. Therefore, it
>> would not be affected at all, whether through the hybrid or implicit flows.
>>
>> If OIDC pushes a revision to OAuth 2.1, then it would be bound by the
>> features of OAuth 2.1 and would need to contend with that. But until that
>> happens, everything we do with OAuth 2.1 has literally no effect on OAuth
>> 2.0 systems, including OIDC.
>>
>>  — Justin
>>