Re: [OAUTH-WG] ID Token by Device Flow

Nat Sakimura <sakimura@gmail.com> Tue, 25 June 2019 04:03 UTC

References: <CAHdPCmORS1=nEK9xSP-2hovCfyrt6RK78E1ciJGMYypS7CW+Tw@mail.gmail.com> <846314DA-2A9F-41EE-BD21-61EC1CCB80ED@mit.edu> <CAHdPCmO9Uyz_yRA5AbFoy_fpDat4K9P6AZCQZGgH31ZyreS94A@mail.gmail.com> <CAAP42hBceAvbbg0DS+V4Y1hq_76Wn4faVA2WWf7LVcLNuVQQ=A@mail.gmail.com>
In-Reply-To: <CAAP42hBceAvbbg0DS+V4Y1hq_76Wn4faVA2WWf7LVcLNuVQQ=A@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
Date: Tue, 25 Jun 2019 00:03:12 -0400
Message-ID: <CABzCy2DQuk4pwK7+74Z=i=_ih2Y9g0i0vZnXZdDCLr9u537nBg@mail.gmail.com>
To: William Denniss <wdenniss=40google.com@dmarc.ietf.org>
Cc: Takahiko Kawasaki <taka@authlete.com>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/sAX1UxUVpad_JD7xkLCTvoRqulI>
Subject: Re: [OAUTH-WG] ID Token by Device Flow

If you are willing to draft one, it should be able to be done
reasonably quickly at OIDF.

On Mon, Jun 24, 2019 at 8:17 PM William Denniss
<wdenniss=40google.com@dmarc.ietf.org> wrote:
>
> Hi Taka,
>
> On Mon, Jun 24, 2019 at 12:16 PM Takahiko Kawasaki <taka@authlete.com> wrote:
>>
>> Hi Justin,
>>
>> Thank you. Consensus will be that "openid" in the "scope" request parameter should trigger generation of an ID token.
>
>
> +1, and the last time I checked, that’s how Google's implementation behaved.
>
>> I'm wondering if the WG plans to mention it explicitly in the spec and add "acr_values" request parameter.
>
>
> No plans to do this. The spec is in the edit queue, so such a change can't be made, and as Justin said it may be more appropriate in the OpenID Foundation, if it's needed.
>
> Best,
> William
>
>>
>> Best Regards,
>> Taka
>>
>>
>> On Tue, Jun 25, 2019 at 1:13 Justin Richer <jricher@mit.edu> wrote:
>>>
>>> Taka,
>>>
>>> My reading is that the device flow, like other OAuth flows, does not prohibit extension, including passing back identity assertions like the ID Token. Since it inherits the token response from core OAuth 2, the ID Token could be issued alongside the access token just like in the authorization code flow. The user is present and interacting at the AS in both cases. In fact, I’d say that there are enough similarities between the two that for the most part it should “just work” and fit the assumptions of most clients. That said, it’s technically true that there is no defined profile for the combination of the device flow and OIDC, but if something like that were to be written it would be a better fit for the OpenID Foundation.
>>>
>>> — Justin
>>>
>>> On Jun 20, 2019, at 6:32 PM, Takahiko Kawasaki <taka@authlete.com> wrote:
>>>
>>> Hello,
>>>
>>> Do you have any plan to update the specification of Device Flow to support issuance of ID tokens?
>>>
>>> OAuth 2.0 Device Authorization Grant
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-device-flow/?include_text=1
>>>
>>> Best Regards,
>>> Takahiko Kawasaki
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
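As an added illustration of the point Justin and Taka make above (the device-code grant inherits the core OAuth 2 token response, so an AS can return an id_token alongside the access token when the approved scope contains "openid"), here is a self-contained Python sketch of both sides. It is not code from the thread, RFC 8628 or any named implementation; the client_id, client_secret, issuer, device codes and the HS256 signing choice are all constructed assumptions.

```python
import base64, hashlib, hmac, json

# Constructed sample values; none come from the thread or any real deployment.
CLIENT_ID = "tv-app"
CLIENT_SECRET = b"constructed-client-secret"
ISSUER = "https://as.example"
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
# The AS's record of user-approved device authorizations, keyed by device_code.
APPROVED = {"dc-openid": {"sub": "user-123", "scope": "openid profile"},
            "dc-plain": {"sub": "user-123", "scope": "profile"}}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(sub: str, now: int) -> str:
    # HS256 keyed on client_secret (permitted by OIDC Core); most ASes use RS256/ES256.
    header = b64url(json.dumps({"alg": "HS256"}).encode())
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID, "iat": now, "exp": now + 300}
    signing_input = f"{header}.{b64url(json.dumps(claims).encode())}"
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def token_endpoint(form: dict, now: int) -> dict:
    # AS side: the core OAuth 2 token response, plus id_token only when the approved scope has "openid".
    grant = APPROVED.get(form.get("device_code"))
    if form.get("grant_type") != DEVICE_GRANT or grant is None or form.get("client_id") != CLIENT_ID:
        return {"error": "invalid_grant"}
    resp = {"access_token": "constructed-access-token", "token_type": "Bearer",
            "expires_in": 3600, "scope": grant["scope"]}
    if "openid" in grant["scope"].split():
        resp["id_token"] = mint_id_token(grant["sub"], now)
    return resp

def verify_id_token(id_token: str, now: int) -> dict:
    # Client side: pin the algorithm, check the MAC in constant time, then iss/aud/exp.
    h, p, s = id_token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    mac = hmac.new(CLIENT_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID or claims.get("exp", 0) <= now:
        raise ValueError("iss/aud/exp check failed")
    return claims
```

The device authorization request defines no nonce parameter, so unlike the authorization code flow the client cannot bind the ID token to its own request; verification here rests on the signature, iss, aud and exp alone.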