Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document

Aaron Parecki <aaron@parecki.com> Wed, 15 July 2020 19:02 UTC

From: Aaron Parecki <aaron@parecki.com>
Date: Wed, 15 Jul 2020 12:02:02 -0700
X-Gmail-Original-Message-ID: <CAGBSGjrO1hLRU7aGFwMfKaT0991q=zr1YTnbL06s5G3k8RLOSw@mail.gmail.com>
Message-ID: <CAGBSGjrO1hLRU7aGFwMfKaT0991q=zr1YTnbL06s5G3k8RLOSw@mail.gmail.com>
To: Warren Parad <wparad@rhosys.ch>
Cc: Dick Hardt <dick.hardt@gmail.com>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/s2ucD_BCbRYA-qkiAwgcpwgfZ9o>
Subject: Re: [OAUTH-WG] Call for adoption - OAuth 2.1 document

Just to clarify, this thread is a call for adoption, not meant to discuss
the details of this particular draft.

Any issues with the draft can be raised as new threads. But right now, the
question posed to the list is whether the group thinks this document should
be adopted as a working group item.

Oh, and +1 from me :-)

Aaron Parecki
https://aaronparecki.com

On Wed, Jul 15, 2020 at 11:57 AM Warren Parad <wparad@rhosys.ch> wrote:

> I only recently joined this WG DL, so maybe this was already discussed, but
> I have two things I'm confused/curious about:
>
> 1. Can we avoid using (1, 2, 3) on the left side of the diagram? I'm not
> even sure what they are supposed to represent, not to mention that the RO
> in the diagram doesn't really provide value (for me) relevant to the code
> grant flow. It's confusing to see these numerical identifiers twice in the
> same picture. But maybe there is something hidden in this that I'm missing;
> still, 3a and 3b could be used to identify different legs of the same code
> path.
> [image: image.png]
>
> 2. It seems recently more and more common to pass the access_token to some
> RS via a cookie, yet 7.2.1 says it defines two methods. I think we need
> some RFC2119 <https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html#RFC2119>
> keywords here, to suggest that either SHOULD use one of these two, or MUST.
> And then optionally state whether or not we recommend or reject the use of
> cookies as a place for access tokens. It's also possible that the language
> threw me off, because would an access token in a cookie be a bearer token?
> But no matter: if I'm having this thought, then surely others have it as
> well, right?
>
> [image: image.png]
>
>
> *Warren Parad*
> Secure your user data and complete your authorization architecture.
> Implement Authress <https://bit.ly/37SSO1p>.
> <https://rhosys.ch>
>
>
> On Wed, Jul 15, 2020 at 7:55 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>
>> +1
>>
>> On Wed, Jul 15, 2020 at 10:42 AM Rifaat Shekh-Yusef <
>> rifaat.s.ietf@gmail.com> wrote:
>>
>>> All,
>>>
>>> This is a *call for adoption* for the following *OAuth 2.1* document as
>>> a WG document:
>>> https://www.ietf.org/id/draft-parecki-oauth-v2-1-03.html
>>>
>>> Please, provide your feedback on the mailing list by *July 29th.*
>>>
>>> Regards,
>>>  Rifaat & Hannes
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>
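Warren's second point concerns how the access token reaches the resource server. As an added example (mine, not from the thread or the draft text), here is a resource-server helper that accepts a bearer token only via the two methods RFC 6750 defines and the OAuth 2.1 draft retains, the Authorization header and the form-encoded body parameter, and treats a cookie as not being a bearer presentation at all; the function and exception names are assumptions.

```python
# Added example, not from the OAuth WG thread or the OAuth 2.1 draft itself.
# Resource-server side: pull a bearer token out of an HTTP request using only the
# two presentation methods RFC 6750 keeps in OAuth 2.1, and ignore cookies.
import re
from typing import Optional
from urllib.parse import parse_qs

# RFC 6750 b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


class TokenError(ValueError):
    """Raised when the request presents a token in a non-conforming way."""


def extract_bearer_token(method: str, headers: dict, body: bytes = b"") -> Optional[str]:
    """Return the presented bearer token, or None if the request carries none.

    Rules applied (RFC 6750 sections 2.1 and 2.2):
      - "Authorization: Bearer <b64token>", scheme matched case-insensitively.
      - "access_token" form field, only for application/x-www-form-urlencoded
        bodies on methods that carry a body (so never GET).
      - A request must not present the token by more than one method.
      - A Cookie header is never read: the browser attaches cookies on its own,
        so a token there is not something the client deliberately presents.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    found = []

    auth = lower.get("authorization")
    if auth is not None:
        scheme, _, credentials = auth.strip().partition(" ")
        if scheme.lower() == "bearer":
            credentials = credentials.strip()
            if not _B64TOKEN.match(credentials):
                raise TokenError("malformed bearer credentials")
            found.append(credentials)

    ctype = lower.get("content-type", "").split(";")[0].strip().lower()
    if method.upper() != "GET" and ctype == "application/x-www-form-urlencoded" and body:
        fields = parse_qs(body.decode("utf-8"), keep_blank_values=True)
        if "access_token" in fields:
            if len(fields["access_token"]) != 1 or not _B64TOKEN.match(fields["access_token"][0]):
                raise TokenError("access_token parameter repeated or malformed")
            found.append(fields["access_token"][0])

    if len(found) > 1:
        raise TokenError("token presented via more than one method")
    return found[0] if found else None
```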