Re: [OAUTH-WG] draft-hardt-oauth-mutual-01

Brian Campbell <> Tue, 16 January 2018 17:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 50D8F12E741 for <>; Tue, 16 Jan 2018 09:28:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VCaoHwESSl8d for <>; Tue, 16 Jan 2018 09:28:36 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4001:c0b::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3CDC712E059 for <>; Tue, 16 Jan 2018 09:28:24 -0800 (PST)
Received: by with SMTP id c16so5766731itc.5 for <>; Tue, 16 Jan 2018 09:28:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=rDa38r3ItloxPl++SQWv010moe2U6M0mM+HQ0s1Cm6s=; b=GWiI3Gq73yjhtW4Gb2GQzjzA1QFObsGk3TAfDtRG2ciJLPIE4T7GeyKgdymsKzLuxt T9NBCJ7/anLbhRLBkv/kftGwnVWJ5cr2DaaLARpMUnqh3gsHOcWH7Ymj4Lhxc2cXrHUy /rF8Z0XtYX9l9TVU+vFBWJg23u5C4ijvg1pao=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=rDa38r3ItloxPl++SQWv010moe2U6M0mM+HQ0s1Cm6s=; b=k6r2Pcmz7d3QUKQ0rZTTD+GhEdEZqA74tXaJJAtYSV59Xp0xrh0THUNiav5P/2GGNs TXnLsZO0xtSPwAoXZhAAF5rtvjAJBlRJAZXj3V9xSw7I6euzr3fiMOSIkhPMstxhEGwN VaZdeXPgznvqLLI19SSOhC3Xo+TrMO7cPCXhHdn/GflQ+PXRVhzggT7s3SbY+84PWaFi x2jZHfiXSrGgibEC9x6O3qmGNZkKJIe43+mriWn44E7na0ozavk1xTwani6Y/9IDsrAC ozzKb/4BArlF5+jlUqsi/n0abHdY2t+CoiImNzKRPu6/5PmhCD/t78KWGBoBcbyWuwny YPJQ==
X-Gm-Message-State: AKwxytcOf+eujO0/JkyPZB9r16jEvXPakonWPhqHrDDRFHH9uxPIgOuj gw4+1h+OakJ9suS2CXM7HFp/y6kqjInj8J2eyeytoPs5nDpiDcgj/VfXA4nQO4diXUvBla31ZUj D5x86Jf1/r+Ra6A==
X-Google-Smtp-Source: ACJfBosn/CWmMnHmNacWVovpcZVWBiilz0O8yu8s7DmtO/PN51hRw6PZ5Hm8Oh+z4g8Nyg2wmhJYTs0VWMwNxKAhjhI=
X-Received: by with SMTP id f145mr19194538ita.103.1516123703476; Tue, 16 Jan 2018 09:28:23 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Tue, 16 Jan 2018 09:27:52 -0800 (PST)
In-Reply-To: <>
References: <> <>
From: Brian Campbell <>
Date: Tue, 16 Jan 2018 10:27:52 -0700
Message-ID: <>
To: Hannes Tschofenig <>
Cc: Dick Hardt <>, oauth <>
Content-Type: multipart/alternative; boundary="001a1147b3e2c8202f0562e80e43"
Archived-At: <>
Subject: Re: [OAUTH-WG] draft-hardt-oauth-mutual-01
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 16 Jan 2018 17:28:38 -0000

A few thoughts on the new draft and/or reiterating comments from the call

"[DH: should this be a URI?]" - yes, the grant type should be a URI
because, for better or worse, that's how OAuth allows for new grants (the device flow and JWT
authorization grant are examples that can be followed

I don't believe client_id should be required in 2.2. Sending/requiring
client_id or not at the token endpoint depends on the form of client
authentication that's taking place. That's how it works with the grants in
RFC6749 and other extension grants. This draft should be consistent with
all that.

I do think some discussion or description of what the response will/should
look like is needed. Things are kinda reversed in this flow with party A
'pushing' the authorization code it generated up to party B's authorization
server. It's not clear (to me anyway) how party B's AS should respond and
if/how it would be consistent with a typical token endpoint response. Maybe
echo back the access token that was just sent in? But I dunno.

The example needs some attention (grant type value is old, the basic authn
header probably isn't legal, maybe more).

On Tue, Jan 16, 2018 at 7:46 AM, Hannes Tschofenig <> wrote:

> Hi Dick,
> maybe you can re-submit the document with a new filename that matches
> the updated title.
> Ciao
> Hannes
> On 01/16/2018 03:39 PM, Dick Hardt wrote:
> > I have made changes based on feedback on the call this morning. Updated
> > version at:
> _______________________________________________
> OAuth mailing list

*CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you.*