Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-reciprocal-00.txt

Torsten Lodderstedt <> Tue, 17 July 2018 15:22 UTC

From: Torsten Lodderstedt <>
Date: Tue, 17 Jul 2018 17:22:37 +0200
Cc: oauth <>
To: Dick Hardt <>

Hi Dick,

I gave your draft a read and came up with the following questions:

Section 2: How does Party A know it is supposed to conduct a reciprocal OAuth flow if Party B does not indicate so in the authorization response?

Section 3

Party A is supposed to call the token endpoint of Party B using an authorization code generated by Party A. How does Party B interpret this code? Or does it just send this code back to Party A to obtain its access token for A?

Party B uses the access token issued to Party A in the first part of the flow (ordinary OAuth code flow) to identify the respective user account with Party B. Since the AS consumes its access token as an RS, does Party A need to include a certain scope in the code flow request in order to enable this part of the flow?

How is the AS of Party B supposed to determine the token endpoint of Party A’s AS?

I think a figure of the overall process would help to understand the concept.

kind regards,

> On 24.05.2018 at 22:28, wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>        Title           : Reciprocal OAuth
>        Author          : Dick Hardt
>        Filename        : draft-ietf-oauth-reciprocal-00.txt
>        Pages           : 4
>        Date            : 2018-05-24
> Abstract:
>   There are times when a user has a pair of protected resources that
>   would like to request access to each other.  While OAuth flows
>   typically enable the user to grant a client access to a protected
>   resource, granting the inverse access requires an additional flow.
>   Reciprocal OAuth enables a more seamless experience for the user to
>   grant access to a pair of protected resources.
> The IETF datatracker status page for this draft is:
> There are also htmlized versions available at:
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at
> Internet-Drafts are also available by anonymous FTP at:
> _______________________________________________
> OAuth mailing list
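To make the Section 3 exchange that the questions above turn on concrete, here is an added toy simulation of the reciprocal flow as it is described in those questions. It is an editor's example, not code from the draft, from Dick Hardt, or from this e-mail. It follows the flow as stated: Party A runs an ordinary authorization code flow against Party B, then mints an authorization code of its own and presents it to B together with the access token B issued it; B consumes that token as an RS to identify the user and the calling client, then acts as a client of A and redeems A's code at A's token endpoint. The points the questions leave open are filled with assumptions that are marked as such in the code: B gates the reciprocal endpoint on a `reciprocal` scope in the step-1 token; B locates A's token endpoint through a direct object reference (`peer`), which stands in for whatever discovery mechanism the draft would need; and the endpoint name `reciprocal`, the in-memory servers, and all client ids, user ids and secrets are constructed for the example.

```python
import secrets


class AuthorizationServer:
    """Toy in-memory OAuth authorization server. Each party runs one and is
    registered as a client at the other, so the same class plays AS, RS and
    client depending on which step of the exchange it is handling."""

    def __init__(self, name):
        self.name = name
        self.clients = {}          # client_id -> client_secret registered here
        self.credentials_at = {}   # peer name -> (client_id, secret) we hold at that peer
        self.codes = {}            # authorization code -> (client_id, user, scope)
        self.tokens = {}           # access token -> (client_id, user, scope)
        self.held_tokens = {}      # (local user, peer name) -> token we hold at the peer

    def register_client(self, client_id, client_secret):
        self.clients[client_id] = client_secret

    def authorize(self, client_id, user, scope):
        """Front channel: the user consents and a single-use code bound to
        client_id is minted. scope is a space-separated string."""
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, frozenset(scope.split()))
        return code

    def token(self, client_id, client_secret, code):
        """Back-channel token endpoint: authenticate the client, redeem the
        code exactly once, and issue an access token bound to that client."""
        if self.clients.get(client_id) != client_secret:
            raise PermissionError("bad client credentials")
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid, replayed or mis-bound code")
        _, user, scope = entry
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (client_id, user, scope)
        return token

    def introspect(self, token):
        return self.tokens.get(token)

    def reciprocal(self, peer, peer_code, access_token):
        """Reciprocal grant, called by the peer that already holds an access
        token here. This AS first acts as RS on its own token to learn the
        user and the peer's client_id, then acts as a client of the peer and
        redeems peer_code at the peer's token endpoint.
        Assumptions (not stated on this page): the token must carry a
        'reciprocal' scope, and `peer` is a direct reference standing in for
        however Party B would discover Party A's token endpoint."""
        info = self.introspect(access_token)
        if info is None:
            raise PermissionError("unknown access token")
        client_id, user, scope = info
        if client_id != peer.name:
            raise PermissionError("token was not issued to this peer")
        if "reciprocal" not in scope:
            raise PermissionError("token lacks the reciprocal scope")
        my_id, my_secret = self.credentials_at[peer.name]
        held = peer.token(my_id, my_secret, peer_code)
        self.held_tokens[(user, peer.name)] = held
        return held


def run_reciprocal_flow(scope="profile reciprocal"):
    """Run the full exchange and return the pieces a caller may inspect."""
    a = AuthorizationServer("partyA")
    b = AuthorizationServer("partyB")
    # Mutual client registration with constructed sample secrets.
    a.register_client("partyB", "secret-b-at-a")
    b.register_client("partyA", "secret-a-at-b")
    a.credentials_at["partyB"] = ("partyA", "secret-a-at-b")
    b.credentials_at["partyA"] = ("partyB", "secret-b-at-a")

    # Step 1: ordinary authorization code flow, A as client of B.
    code_b = b.authorize("partyA", "alice@b", scope)
    token_a_at_b = b.token("partyA", "secret-a-at-b", code_b)

    # Step 2: A mints a code at its own AS (bound to client partyB and to A's
    # account for the same person), then calls B's reciprocal endpoint with
    # that code and the token from step 1.
    code_a = a.authorize("partyB", "alice@a", "profile")
    token_b_at_a = b.reciprocal(a, code_a, token_a_at_b)
    return {"a": a, "b": b, "code_a": code_a,
            "token_a_at_b": token_a_at_b, "token_b_at_a": token_b_at_a}


if __name__ == "__main__":
    r = run_reciprocal_flow()
    print("B's token at A maps to", r["a"].introspect(r["token_b_at_a"]))
```

Running `run_reciprocal_flow()` leaves B holding a token at A that introspects to client `partyB` and user `alice@a`, while the code A minted is consumed and cannot be presented to B a second time; dropping the assumed `reciprocal` scope from step 1 makes B refuse the second leg before it ever contacts A's token endpoint, which is the behaviour the scope question above is asking the draft to settle.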