IETF Logo Mail Archive

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

Mike Jones <Michael.Jones@microsoft.com> Thu, 15 March 2012 17:07 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B41821F87B5 for <oauth@ietfa.amsl.com>; Thu, 15 Mar 2012 10:07:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.847
X-Spam-Level:
X-Spam-Status: No, score=-3.847 tagged_above=-999 required=5 tests=[AWL=-0.249, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fqePz0vjxc8M for <oauth@ietfa.amsl.com>; Thu, 15 Mar 2012 10:07:48 -0700 (PDT)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe003.messaging.microsoft.com [216.32.181.183]) by ietfa.amsl.com (Postfix) with ESMTP id 26B0321F842D for <oauth@ietf.org>; Thu, 15 Mar 2012 10:07:47 -0700 (PDT)
Received: from mail203-ch1-R.bigfish.com (10.43.68.240) by CH1EHSOBE003.bigfish.com (10.43.70.53) with Microsoft SMTP Server id 14.1.225.23; Thu, 15 Mar 2012 17:07:47 +0000
Received: from mail203-ch1 (localhost [127.0.0.1]) by mail203-ch1-R.bigfish.com (Postfix) with ESMTP id CB92B4203FD; Thu, 15 Mar 2012 17:07:47 +0000 (UTC)
X-SpamScore: -27
X-BigFish: VS-27(zz9371Ic85fh4015I1419Mzz1202hzz1033IL8275bh8275dhz2fh2a8h668h839hd25h)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC103.redmond.corp.microsoft.com; RD:none; EFVD:NLI
Received-SPF: pass (mail203-ch1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14MLTC103.redmond.corp.microsoft.com ; icrosoft.com ;
Received: from mail203-ch1 (localhost.localdomain [127.0.0.1]) by mail203-ch1 (MessageSwitch) id 1331831265632366_11472; Thu, 15 Mar 2012 17:07:45 +0000 (UTC)
Received: from CH1EHSMHS023.bigfish.com (snatpool3.int.messaging.microsoft.com [10.43.68.225]) by mail203-ch1.bigfish.com (Postfix) with ESMTP id 97BBEE004C; Thu, 15 Mar 2012 17:07:45 +0000 (UTC)
Received: from TK5EX14MLTC103.redmond.corp.microsoft.com (131.107.125.8) by CH1EHSMHS023.bigfish.com (10.43.70.23) with Microsoft SMTP Server (TLS) id 14.1.225.23; Thu, 15 Mar 2012 17:07:45 +0000
Received: from TK5EX14MBXC284.redmond.corp.microsoft.com ([169.254.1.237]) by TK5EX14MLTC103.redmond.corp.microsoft.com ([157.54.79.174]) with mapi id 14.02.0283.004; Thu, 15 Mar 2012 17:07:20 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Eran Hammer <eran@hueniverse.com>, Nat Sakimura <sakimura@gmail.com>, Breno de Medeiros <breno@google.com>, OAuth WG <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
Thread-Index: AQHNAgMKtRI52qb7tE6+kmeeW24qnZZqBiQAgAACNICAAA7JAIAABA0AgAADMYCAAACtcIAABZMAgAAVJQCAAAHFAIAAAp4AgAAE2YCAAAAhgIAAzdQAgABfgQCAACaV8A==
Date: Thu, 15 Mar 2012 17:07:20 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436641F82B@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <CAGdjJpLBCyvg21zuGi1jWK58hkDL4Ff7-xdJ0dy0WZpvNPPrKA@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08903@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAAJ++qE3KcFgJey7xXzW8dkTPzvtcu_ke7abkOEMS4hwi93yEg@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08919@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAGdjJpK6dMzSyoxEb_2rQcB-anXzvWaW-PLdYTZW_jECieBSMg@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08932@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4E1F6AAD24975D4BA5B16804296739436641D4E3@TK5EX14MBXC284.redmond.corp.microsoft.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF08949@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAAJ++qG+jdej64rjWM8V4MU_uxEc-2WoT4MKqhD_9ef0jBYwgg@mail.gmail.com> <CAC4RtVBzDdeJViT_zOJ4QQQoo4Soy0iJJL_EK5zGd+94J1h7RQ@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF0896E@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CALaySJ+tTmh1jHzn-6g+CSwLWNoq0KQ1HKXD-KdaORZKJwjv6w@mail.gmail.com> <CALaySJL9EphC=L2Dj++9bCcusnOPouQ4vRmuEdDM-6ggURo-fA@mail.gmail.com> <CABzCy2Bi+YvaJiXwsnNPFHXxGDkFSRiMEzKbVi9YD8zF7D8nxg@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453AFF089F4@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E723453AFF089F4@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.36]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739436641F82BTK5EX14MBXC284r_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Mar 2012 17:07:50 -0000

I disagree.  The add-on is necessary exactly because several OAuth experts (Breno, Marius, Nat, John, Nov, and I) all read the new text as a breaking change that prohibited exactly what the new text explicitly allows.  Given you agree that it doesn't change the meaning, there's no harm in adding the text below, and plenty of good for the clarification it provides.

I agree with Nat.  Please add:
  Each component MAY have the same client_id, in which case the server
  judges the client type and the associated security context  based on
  the response_type parameter in the request.

Or if you dislike that, just add:
  Each component MAY have the same client_id.

                                                            Thanks,
                                                            -- Mike

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Eran Hammer
Sent: Thursday, March 15, 2012 7:45 AM
To: Nat Sakimura; Breno de Medeiros; OAuth WG
Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

This add-on is unnecessary. It already says the authorization server can handle it any way it wants. The fact that other registration options are possible clearly covers the client identifier reuse case. As for the response type, that's not an issue but more of an optimization for an edge case raised.

EH

From: oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org> [mailto:oauth-bounces@ietf.org]<mailto:[mailto:oauth-bounces@ietf.org]> On Behalf Of Nat Sakimura
Sent: Thursday, March 15, 2012 2:04 AM
To: Breno de Medeiros; OAuth WG
Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23


So, Eran's first proposal:

  A client application consisting of multiple components, each with its
  own client type (e.g. a distributed client with both a confidential
  server-based component and a public browser-based component), MUST
  register each component separately as a different client to ensure
  proper handling by the authorization server, unless the authorization
  server provides other registration options to specify such complex clients.

kind of meets my concern. There seems to be another issue around the usefulness of return_type in such case raised by Breno, and if I understand it correctly, Eran's answer was that these separate components may have the same client_id so that return_type is a valid parameter to be sent at the request.

So, to clarify these, perhaps changing the above text slightly to the following solves the problem?

  A client application consisting of multiple components, each with its
  own client type (e.g. a distributed client with both a confidential
  server-based component and a public browser-based component), MUST
  register each component separately as a different client to ensure
  proper handling by the authorization server, unless the authorization
  server provides other registration options to specify such complex clients.
  Each component MAY have the same client_id, in which case the server
  judges the client type and the associated security context  based on
  the response_type parameter in the request.

Would it solve your problem, Breno?

Best,

=nat

v2.23.0 | Report a Bug | By Email