Re: [OAUTH-WG] draft-parecki-oauth-browser-based-apps and response_type/fragment

Brian Campbell <bcampbell@pingidentity.com> Mon, 10 December 2018 18:03 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 10 Dec 2018 11:03:08 -0700
To: Aaron Parecki <aaron@parecki.com>
Cc: Brock Allen <brockallen@gmail.com>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ogOqjpBtdzVD939hMRqUYOJ7NMs>

For what it's worth, the response_mode parameter is defined in OAuth 2.0
Multiple Response Type Encoding Practices
<https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html>, which
is an OIDF document but not strictly part of OIDC so it can be used and
referenced as an extension of OAuth without going fully OIDC.

One of the purported benefits of fragment encoding was that it allowed for
the redirect uri request to be served from browser cache.

On Sat, Dec 8, 2018 at 11:58 AM Aaron Parecki <aaron@parecki.com> wrote:

> Do you know of anyone currently doing this today in an OAuth-only
> application?
>
> If the group wanted to take some existing OIDC mechanisms and apply them
> to OAuth, I feel like that needs to happen in a separate RFC, and that's a
> much bigger discussion. This BCP shouldn't really be defining new behavior.
> It's similar to how "OAuth 2.0 for Mobile and Native Apps" is not where
> PKCE is defined, PKCE has its own RFC.
>
> - Aaron
>
>
>
> On Sat, Dec 8, 2018 at 10:33 AM Brock Allen <brockallen@gmail.com> wrote:
>
>> For the same reason the implicit flow uses it -- to reduce exposure of
>> the response params. I know the code is protected with the
>> code_verifier, but it wouldn't hurt to reduce its exposure, no?
>>
>> -Brock
>>
>> On 12/8/2018 1:23:41 PM, Aaron Parecki <aaron@parecki.com> wrote:
>>
>>> What would be the benefit of using this response type? Are you aware of
>>> any OAuth (not OIDC) clients that do this today?
>>>
>>> - Aaron
>>>
>>> On Sat, Dec 8, 2018 at 7:29 AM Brock Allen <brockallen@gmail.com> wrote:
>>>
>>>> Should the BCP suggest using OIDC's response_type=fragment as the
>>>> mechanism for returning the code from the AS? Or simply suggest using the
>>>> fragment component of the redirect_uri for the code, without a
>>>> response_type parameter (IOW don't allow it to be dynamic)?
>>>>
>>>> -Brock
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>
