Re: [OAUTH-WG] Question regarding RFC 8628

Joseph Heenan <> Mon, 18 November 2019 15:02 UTC


Hi Hervé

> On 18 Nov 2019, at 14:20, Robache Hervé <> wrote:
> Thanks Joseph
> I agree with you. There should be no issue when the URL is registered during the TPP app installation.
> From my perspective, this URL should be passed during the authorization request within the [redirect_uri] field.

Exactly, and that same URL should have been pre-registered with the authorization server.

> By the way, most of the French banks will use Oauth2 AC and not OpenId Connect. I guess that the sequence diagram is roughly the same, isn’t it?

Correct; pretty much exactly the same as I presume you’d still be using the authorization code flow.

The security concerns for app2app are very similar to basic OAuth2 / OpenID Connect, and to quickly sum those up for anyone reading this who's not familiar with those concerns: it’s very easy to do something that has undesirable security properties, and you should follow documents like FAPI-RW (originally an OpenID Connect based standard, but now that JARM exists and has some vendor adoption, OpenID Connect is not required) or the OAuth2 security BCP, to ensure your implementation is not vulnerable to the known attacks against OAuth2.
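As an added illustration (not code from this thread or from any of its participants), this is the check an authorization server would apply to the redirect_uri of an authorization code request under the pre-registration rule discussed above: the supplied URI must match one of the URIs registered for that client_id exactly, with no prefix or wildcard matching. The client registry, client identifiers and URLs below are constructed for the example.

```python
# Added example: authorization-server side validation of client_id / redirect_uri
# for an OAuth2 authorization code request (response_type=code).
from urllib.parse import urlsplit, parse_qs

# Constructed registry: client_id -> pre-registered redirect URIs. A TPP app
# would register its app-link / callback URL at onboarding time, so the
# authorization server never has to trust a URI it sees for the first time.
REGISTERED_CLIENTS = {
    "tpp-mobile-app": {"https://tpp.example/app2app/callback"},
    "tpp-web": {"https://tpp.example/cb", "https://tpp.example/cb2"},
}


def validate_authz_request(url: str) -> dict:
    """Parse an authorization request URL and validate client_id and redirect_uri.

    Returns {"ok": True, "redirect_uri": <uri>} on success, otherwise
    {"ok": False, "error": <reason>}. The redirect_uri comparison is an exact
    string match against the registered set, as the OAuth 2.0 Security BCP
    recommends; a URI that merely shares a prefix with a registered one fails.
    """
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if qs.get("response_type") != ["code"]:
        return {"ok": False, "error": "unsupported_response_type"}
    if len(qs.get("client_id", [])) != 1:
        return {"ok": False, "error": "invalid_request"}
    registered = REGISTERED_CLIENTS.get(qs["client_id"][0])
    if registered is None:
        return {"ok": False, "error": "unknown_client"}
    supplied = qs.get("redirect_uri", [])
    if len(supplied) > 1:
        # Duplicate parameters are ambiguous; reject rather than pick one.
        return {"ok": False, "error": "invalid_request"}
    if not supplied:
        # Falling back to the registered value is only unambiguous if there is one.
        if len(registered) == 1:
            return {"ok": True, "redirect_uri": next(iter(registered))}
        return {"ok": False, "error": "missing_redirect_uri"}
    if supplied[0] not in registered:
        # On this error the server must not redirect to the supplied URI.
        return {"ok": False, "error": "invalid_redirect_uri"}
    return {"ok": True, "redirect_uri": supplied[0]}
```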