Re: [OAUTH-WG] Confusion on Implicit Grant flow
Bill Burke <bburke@redhat.com> Mon, 09 February 2015 22:32 UTC
To: John Bradley <ve7jtb@ve7jtb.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/yMAJwkJA9n0h6O4Q0QR34ubqZXc>
Cc: oauth@ietf.org
On 2/9/2015 5:03 PM, John Bradley wrote:
> OK, I don't know if the WG has discussed the issue of fragments in browser history.
>
> So you are trading off several round trips against the possibility of a token leaking in browser history or bookmark?
>

Yes, bookmarking tokens is a little scary, IMO, as we've already run into users bookmarking URLs with codes in them. Also, weren't there additional security vulnerabilities surrounding implicit flow? Maybe these were just the product of incorrect implementations; I don't remember, it was a while ago.

> One extension that Connect introduced was a "code id_token" response type that is fragment encoded. That would let you pass the code directly to the JS, saving two legs.
>

It looks like OIDC added a "response_mode" parameter where you can specify "query" or "fragment". Thanks for pointing this out!

Thanks for all the help.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
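The query-versus-fragment delivery and the browser-history concern discussed in this message, as an added example that is not code from the thread: a small client-side helper that reads the authorization response from either location (`response_mode=query` or `response_mode=fragment`) and computes the URL a browser client should write back with `history.replaceState()` so that codes and tokens do not persist in history or bookmarks. The client URL, parameter values and helper names are constructed for the example.

```javascript
// Added example (not from the thread). Parses an OAuth/OIDC authorization
// response delivered in the query string (response_mode=query) or in the
// fragment (response_mode=fragment), and computes the "scrubbed" URL to
// hand to history.replaceState() so the address bar, history and any
// bookmark no longer carry the code or tokens.

// Authorization response parameters that should not stay in the URL.
const RESPONSE_PARAMS = ["code", "access_token", "id_token", "refresh_token", "state"];

// Returns { mode, params } where mode is "query" or "fragment".
function parseAuthzResponse(redirectUrl) {
  const url = new URL(redirectUrl);
  const fragment = url.hash.startsWith("#") ? url.hash.slice(1) : "";
  // A non-empty fragment wins: in fragment mode the browser never sends it to
  // the server, so only client-side script can read these parameters.
  if (fragment.length > 0) {
    return { mode: "fragment", params: Object.fromEntries(new URLSearchParams(fragment)) };
  }
  return { mode: "query", params: Object.fromEntries(url.searchParams) };
}

// Returns the same origin and path with response parameters removed from the
// query and the fragment dropped entirely; other query parameters survive.
function scrubbedUrl(redirectUrl) {
  const url = new URL(redirectUrl);
  for (const name of RESPONSE_PARAMS) url.searchParams.delete(name);
  url.hash = "";
  return url.toString();
}

// Constructed sample redirects for a "code id_token" response in both modes.
const SAMPLE_FRAGMENT =
  "https://client.example/cb?view=home#code=CONSTRUCTED-CODE&id_token=eyJ.x.y&state=CONSTRUCTED-STATE";
const SAMPLE_QUERY = "https://client.example/cb?code=CONSTRUCTED-CODE&state=CONSTRUCTED-STATE";

// Typical browser usage (not executed here, since window is absent outside a browser):
//   const { params } = parseAuthzResponse(window.location.href);
//   history.replaceState(null, "", scrubbedUrl(window.location.href));
```

In query mode the code still reaches the server in the request line and any Referer, so scrubbing only limits what the browser keeps afterwards; in fragment mode the same call also stops the tokens from ever leaving the client.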