Re: [OAUTH-WG] draft-hardt-oauth-mutual-01
Brian Campbell <bcampbell@pingidentity.com> Tue, 16 January 2018 17:28 UTC
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 16 Jan 2018 10:27:52 -0700
Message-ID: <CA+k3eCQsn=0M8pCv+6MhKQ0d8jgFpOXgLG+8DAscd9PE4XRmPw@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Cc: Dick Hardt <dick.hardt@gmail.com>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/yLaIHM1MYoiOnnVBkyBr-vHaBGo>
A few thoughts on the new draft and/or reiterating comments from the call earlier.

"[DH: should this be a URI?]" - yes, the grant type should be a URI because, for better or worse, that's how OAuth allows for new grants https://tools.ietf.org/html/rfc6749#section-4.5 (the device flow and JWT authorization grant are examples that can be followed https://tools.ietf.org/html/draft-ietf-oauth-device-flow-07#section-3.4 https://tools.ietf.org/html/rfc7523#section-2.1).

I don't believe client_id should be required in 2.2. Sending/requiring client_id or not at the token endpoint depends on the form of client authentication that's taking place. That's how it works with the grants in RFC6749 and other extension grants. This draft should be consistent with all that.

I do think some discussion or description of what the response will/should look like is needed. Things are kinda reversed in this flow with party A 'pushing' the authorization code it generated up to party B's authorization server. It's not clear (to me anyway) how party B's AS should respond and if/how it would be consistent with a typical token endpoint response. Maybe echo back the access token that was just sent in? But I dunno.

The example needs some attention (grant type value is old, the basic authn header probably isn't legal, maybe more).

On Tue, Jan 16, 2018 at 7:46 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
> Hi Dick,
>
> maybe you can re-submit the document with a new filename that matches
> the updated title.
>
> Ciao
> Hannes
>
>
> On 01/16/2018 03:39 PM, Dick Hardt wrote:
> > I have made changes based on feedback on the call this morning. Updated
> > version at:
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
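The three token-endpoint points raised above (an extension grant type is a URI per RFC 6749 section 4.5, whether client_id is required depends on how the client authenticates, and a Basic credential has to be built the way section 2.3.1 prescribes) as one validator. This is an added example, not code from the draft, the thread, or any of its authors; the grant-type URI and the client registry are constructed placeholders.

```python
import base64
import hmac
from urllib.parse import quote, unquote, urlparse

# Constructed placeholder grant-type URI (the draft's real value is not on this page).
MUTUAL_GRANT_URI = "urn:example:params:oauth:grant-type:mutual"
# Constructed client registry: client_id -> secret (None marks a public client).
CLIENTS = {"party-a": "s3cret", "public-app": None}

def basic_header(client_id, secret):
    """Basic credential per RFC 6749 s2.3.1: base64(urlencoded id ":" urlencoded secret)."""
    pair = f"{quote(client_id, safe='')}:{quote(secret, safe='')}".encode()
    return "Basic " + base64.b64encode(pair).decode()

def parse_basic(header):
    """Inverse of basic_header; raises ValueError on a malformed header."""
    scheme, _, cred = header.partition(" ")
    if scheme.lower() != "basic" or not cred:
        raise ValueError("not a Basic credential")
    # b64decode (binascii.Error) and decode (UnicodeDecodeError) raise ValueError subclasses.
    raw = base64.b64decode(cred, validate=True).decode("utf-8")
    if ":" not in raw:
        raise ValueError("credential lacks the id:secret separator")
    cid, _, secret = raw.partition(":")
    return unquote(cid), unquote(secret)

def validate_token_request(form, authorization=None):
    """Returns (client_id, None) on success, else (None, oauth_error_code)."""
    gt = form.get("grant_type", "")
    # An extension grant type (RFC 6749 s4.5) is an absolute URI, not a bare keyword.
    if not urlparse(gt).scheme or gt != MUTUAL_GRANT_URI:
        return None, "unsupported_grant_type"
    if authorization is not None:
        # Confidential client: identity comes from the credential; a body client_id is optional but must match.
        try:
            cid, secret = parse_basic(authorization)
        except ValueError:
            return None, "invalid_client"
        expected = CLIENTS.get(cid)
        if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
            return None, "invalid_client"
        if form.get("client_id", cid) != cid:
            return None, "invalid_request"
        return cid, None
    # Public client: only the client_id parameter identifies it (RFC 6749 s3.2.1).
    cid = form.get("client_id")
    if cid not in CLIENTS or CLIENTS[cid] is not None:
        return None, "invalid_client"
    return cid, None
```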