Re: [OAUTH-WG] Advertise PKCE support in OAuth 2.0 Discovery (draft-jones-oauth-discovery-00)

John Bradley <ve7jtb@ve7jtb.com> Mon, 25 January 2016 22:11 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAAP42hB=1rudPCzrCgaUp3W8+K0jcfoAwq3gJG5=vNeK9pqjaA@mail.gmail.com>
Date: Mon, 25 Jan 2016 19:11:17 -0300
Message-Id: <6F32C1CF-EA2A-4A74-A694-F52FD19DBA5C@ve7jtb.com>
References: <568D24DD.3050501@connect2id.com> <EA392E73-1C01-42DC-B21D-09F570239D5E@ve7jtb.com> <CAAP42hAA6SOvfxjfuQdjoPfSh3HmK=a7PCQ_sPXTmDg+AQ6sug@mail.gmail.com> <568D5610.6000506@lodderstedt.net> <CAAP42hA8SyOOkJ-D299VgvQUdQv6NXqxSt9R0TK7Zk7JaU56eQ@mail.gmail.com> <F9C0DF10-C067-4EEB-85C8-E1208798EA54@gmail.com> <CABzCy2A+Z86UCJXeK1mLPfyq9p1QQS=_dekbEz6ibP8Z8Pz87Q@mail.gmail.com> <CAAP42hCKRpEnS7zVL7C_jpaFXwXUjzkNUzxtDa9MUKAQw7gsAA@mail.gmail.com> <10631235-AF1B-4122-AEAE-D56BBF38F87E@ve7jtb.com> <CAAP42hB=1rudPCzrCgaUp3W8+K0jcfoAwq3gJG5=vNeK9pqjaA@mail.gmail.com>
To: William Denniss <wdenniss@google.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/yK1tE8yjkAm4NGoOZLA2w9qxhvE>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Advertise PKCE support in OAuth 2.0 Discovery (draft-jones-oauth-discovery-00)

Yes, sorry. code_challenge_method is the query parameter, so code_challenge_methods_supported.


> On Jan 25, 2016, at 6:12 PM, William Denniss <wdenniss@google.com> wrote:
> 
> 
> 
> On Thu, Jan 21, 2016 at 6:17 AM, John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>> wrote:
> The code_challenge and code_challenge_method parameter names predate calling the spec PKCE.  
> 
> Given that some of us deployed early versions of PKCE in products and open source to mitigate the problem before the spec was completed, we decided not to rename the parameter names from code_verifier_method to pkce_verifier_method.  
> 
> For consistency we should stick with code_verifier_methods_supported in discovery.
> 
> To clarify, did you mean "code_challenge_methods_supported"?  That is, building on the param name "code_challenge_method" from Section 4.3 <https://tools.ietf.org/html/rfc7636#section-4.3>?
>  
> 
> John B.
> 
>> On Jan 21, 2016, at 3:12 AM, William Denniss <wdenniss@google.com <mailto:wdenniss@google.com>> wrote:
>> 
>> "code_challenge_methods_supported" definitely works for me.
>> 
>> Any objections to moving forward with that? I would like to update our discovery doc shortly.
>> 
>> On Thu, Jan 21, 2016 at 1:37 PM, Nat Sakimura <sakimura@gmail.com <mailto:sakimura@gmail.com>> wrote:
>> Ah, OK. That's actually reasonable. 
>> 
>> On Thu, Jan 21, 2016 at 9:31, nov matake <matake@gmail.com <mailto:matake@gmail.com>> wrote:
>> I prefer "code_challenge_methods_supported", since the registered parameter name is "code_challenge_method", not "pkce_method".
>> 
>>> On Jan 19, 2016, at 11:58, William Denniss <wdenniss@google.com <mailto:wdenniss@google.com>> wrote:
>>> 
>>> Seems like we agree this should be added. How should it look?
>>> 
>>> Two ideas:
>>> 
>>> "code_challenge_methods_supported": ["plain", "S256"]
>>> 
>>> or
>>> 
>>> "pkce_methods_supported": ["plain", "S256"]
>>> 
>>> 
>>> 
>>> On Wed, Jan 6, 2016 at 9:59 AM, Torsten Lodderstedt <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote:
>>> +1
>>> 
>>> 
>>> On 06.01.2016 at 18:25, William Denniss wrote:
>>>> +1
>>>> 
>>>> On Wed, Jan 6, 2016 at 6:40 AM, John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>> wrote:
>>>> Good point.  Now that PKCE is an RFC we should add it to discovery.
>>>> 
>>>> John B.
>>>> > On Jan 6, 2016, at 9:29 AM, Vladimir Dzhuvinov <vladimir@connect2id.com <mailto:vladimir@connect2id.com>> wrote:
>>>> >
>>>> > I just noticed PKCE support is missing from the discovery metadata.
>>>> >
>>>> > Is it a good idea to add it?
>>>> >
>>>> > Cheers,
>>>> >
>>>> > Vladimir
>>>> >
>>>> > --
>>>> > Vladimir Dzhuvinov
>>>> >
>>>> >
>>>> > _______________________________________________
>>>> > OAuth mailing list
>>>> > OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>> > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>>> 
>>> 
>> 
> 
>
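The thread settles on advertising PKCE in the discovery document as `"code_challenge_methods_supported": ["plain", "S256"]`, mirroring the `code_challenge_method` request parameter of RFC 7636 section 4.3. As an added example (not code from the thread, from any participant, or from any of their implementations), here is a small Python model of both ends of that agreement: a client that reads the metadata, picks the strongest advertised transform and builds the authorization request, and a token endpoint that checks the verifier against the stored challenge. The metadata document, issuer and endpoint URLs, client_id and redirect_uri are all constructed placeholders. One policy choice is an assumption of this example rather than something the thread decides: when the field is absent the client still sends S256, on the grounds that RFC 7636 section 5 says a server without PKCE support ignores the extra parameters.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode

# Constructed sample of an authorization server metadata document carrying the
# "code_challenge_methods_supported" field discussed in the thread. The issuer
# and endpoint URLs are placeholders, not a real server.
SAMPLE_METADATA_JSON = """
{
  "issuer": "https://as.example.com",
  "authorization_endpoint": "https://as.example.com/authorize",
  "token_endpoint": "https://as.example.com/token",
  "code_challenge_methods_supported": ["plain", "S256"]
}
"""

# RFC 7636 section 4.2: a client that can compute SHA-256 uses S256. "plain"
# is a fallback for constrained clients and only helps when the attacker
# cannot observe the authorization request itself.
METHOD_PREFERENCE = ("S256", "plain")


def load_metadata(text: str) -> dict:
    """Parse a metadata document (JSON) into a dict."""
    return json.loads(text)


def choose_pkce_method(metadata: dict) -> str:
    """Pick the strongest transform the server advertises.

    Assumption of this example: if the field is absent we cannot tell whether
    the server supports PKCE, so we still send S256; per RFC 7636 section 5 a
    server without PKCE support ignores the parameters.
    """
    advertised = metadata.get("code_challenge_methods_supported")
    if advertised is None:
        return "S256"
    for method in METHOD_PREFERENCE:
        if method in advertised:
            return method
    raise ValueError(f"server advertises no usable PKCE method: {advertised!r}")


def b64url_nopad(raw: bytes) -> str:
    """BASE64URL encoding without '=' padding, as RFC 7636 appendix A defines it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier: 32 random octets encode to 43 unreserved
    characters, the minimum length RFC 7636 section 4.1 allows."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str, method: str) -> str:
    """Derive code_challenge from code_verifier (RFC 7636 section 4.2)."""
    if method == "S256":
        return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def build_authorization_url(metadata: dict, client_id: str, redirect_uri: str,
                            verifier: str, method: str) -> str:
    """Client side: the authorization request carrying the PKCE parameters
    (RFC 7636 section 4.3). client_id and redirect_uri are placeholders; a
    real client also sends state and scope."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": make_code_challenge(verifier, method),
        "code_challenge_method": method,
    }
    return metadata["authorization_endpoint"] + "?" + urlencode(params)


def verify_code_verifier(stored_challenge: str, stored_method: str,
                         presented_verifier: str) -> bool:
    """Server side, at the token endpoint (RFC 7636 section 4.6): recompute the
    challenge from the verifier presented with the code and compare it with the
    one stored alongside the authorization code. The length check rejects
    anything outside 43..128 before hashing; the compare is constant-time."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    try:
        expected = make_code_challenge(presented_verifier, stored_method)
    except ValueError:
        return False
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


if __name__ == "__main__":
    metadata = load_metadata(SAMPLE_METADATA_JSON)
    method = choose_pkce_method(metadata)
    verifier = make_code_verifier()
    print(build_authorization_url(metadata, "example-client",
                                  "https://app.example/cb", verifier, method))
    challenge = make_code_challenge(verifier, method)
    print("token endpoint accepts verifier:",
          verify_code_verifier(challenge, method, verifier))
```

The server stores the challenge and method with the issued code and never sees the verifier until the token request, which is the whole point of the scheme: an attacker who intercepts the code on the redirect cannot redeem it without the verifier. Advertising `code_challenge_methods_supported` lets the client learn in advance that S256 will be honoured instead of silently falling back to `plain`.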