Re: [OAUTH-WG] Example in OAuth 2.0 Multiple Response Type Encoding Practices
Takahiko Kawasaki <daru.tk@gmail.com> Tue, 27 June 2017 04:20 UTC
Return-Path: <daru.tk@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70509128CFF for <oauth@ietfa.amsl.com>; Mon, 26 Jun 2017 21:20:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.376
X-Spam-Level:
X-Spam-Status: No, score=-0.376 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URI_HEX=1.122, URI_NOVOWEL=0.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HoL8zxwXntlr for <oauth@ietfa.amsl.com>; Mon, 26 Jun 2017 21:20:29 -0700 (PDT)
Received: from mail-yb0-x232.google.com (mail-yb0-x232.google.com [IPv6:2607:f8b0:4002:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 90AB5128CF0 for <oauth@ietf.org>; Mon, 26 Jun 2017 21:20:28 -0700 (PDT)
Received: by mail-yb0-x232.google.com with SMTP id s9so6009058ybe.3 for <oauth@ietf.org>; Mon, 26 Jun 2017 21:20:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=JbRTMv5FB29QfaOqHuCFoP8eqbdWycZVharsUHUzx7s=; b=CSWX2y1mfAqNWbK09r4tWw56aexlkIdm5sFqpzWZJ+k++pmT8pNeAWbA9ibJy6kg7L B6YEirtCxGlF+7OrpXJR2YsAlXCTWnN8YHZaidlBq9LrVUxTmigZlWYxEcwUk2wsDEvU ZXw/qkmViEQ8lmU6V9pIydrCVDkjLdbnmHndV+B/Lw5wMMuSzpCLTMKiFZYvaxZ4cgZn GXWOtf1HC/+5g153OYo/plgpW4pOVxLOng3eWSil6cGpm32gD0MglK8Nyr9rr36IRmYh m6nHF9jTiPNwOxMVZUXcicGpiPxAIajjKeUjPFSiI0Yu+2o0WrS/RHtnh7TIBU++DJGV TNpQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=JbRTMv5FB29QfaOqHuCFoP8eqbdWycZVharsUHUzx7s=; b=marlDnDfxz2gSNGApfCj79LH07kH9md0D0DAmBVBSbAG4OWJ69UkSn0Zfhb9fBLHmc Bwv7iZ6gnbRruTH8dH1pNbJCYIYkTN0RmuRCEweZy9+CT6oFi+ZAEkaAsWVTjo5+7+yn q7fDZnuv0npk0m5P6yxDnun3d/XTa7uSW0mcafAlSy/YEZGHMed5cI93C28RRnjSttgJ A7Ce9mDdO5LDsx7P7x1bxKmUHus5l++0e/mpBH1ATwgJRX60+4F5j/+irXV8c0ebtcLz Ozv91BCFDMghfrmTuUOvQ2lWbG57kTctfTehKaCmFnc6Ww8pu5H4OdUuuqF/E+ZrbzI3 4MeQ==
X-Gm-Message-State: AKS2vOzL2xQLYJwRVsusnU3LGTcPrPYF9Ff13/VGYN5MklOWK5qRG2nm L93EfPvTJI4ECiF+3zwB/LuhtQ/Xsg==
X-Received: by 10.37.54.4 with SMTP id d4mr2707686yba.33.1498537227811; Mon, 26 Jun 2017 21:20:27 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.37.77.67 with HTTP; Mon, 26 Jun 2017 21:20:26 -0700 (PDT)
In-Reply-To: <506d0030-68af-468b-7b2a-2d8c6d758ce4@aol.com>
References: <CAGpwqP85MS0mQn0wmUVxea3ZnUJdWEgGb09vUOM+SKZ+B+2Zcg@mail.gmail.com> <MWHPR21MB05107E7AC708F55FE45B0EFAE1DF0@MWHPR21MB0510.namprd21.prod.outlook.com> <CAGpwqP8ednQD1G55e-yxa4p2--VhBCC=2V=ANC1pE5biyxOE-A@mail.gmail.com> <MWHPR21MB05107A4CF7953C064A50C94AE1DF0@MWHPR21MB0510.namprd21.prod.outlook.com> <CAGpwqP9DsO8tuL0Uhpb9F9bxEiyMHBt0tcSPisi5A2YuKVUyxQ@mail.gmail.com> <506d0030-68af-468b-7b2a-2d8c6d758ce4@aol.com>
From: Takahiko Kawasaki <daru.tk@gmail.com>
Date: Tue, 27 Jun 2017 13:20:26 +0900
Message-ID: <CAGpwqP-O-ri6pj3FRsqGROAxVKHCChMqiPdsGTxe=LyVYDCX9A@mail.gmail.com>
To: George Fletcher <gffletch@aol.com>
Cc: Philippe Signoret <Philippe.Signoret@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c1b0ede2586e50552e963b7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ZBxdvhhDsk1J1dB7Cf1Y3JLh7oo>
Subject: Re: [OAUTH-WG] Example in OAuth 2.0 Multiple Response Type Encoding Practices
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jun 2017 04:20:31 -0000
Thank you. If it is allowed that an "unspecified" behavior can be not only "not work correctly" but also "work correctly (as if scope included openid)", the condition "REQUIRED. OpenID Connect requests MUST contain the openid scope value" is not necessary (it doesn't have to say REQUIRED and MUST). Therefore, my natural interpretation is that an "unspecified" behavior is "not work correctly". However, this is my interpretation. If the interpretation is not a majority, I should accept that the example in "5. Definitions of Multi-Valued Response Type Combinations" is allowed as an unspecified behavior. Best Regards, Takahiko Kawasaki 2017-06-27 5:42 GMT+09:00 George Fletcher <gffletch@aol.com>: > From section 3.1.2.1 of the OpenID Connect Core... > > scope REQUIRED. OpenID Connect requests MUST contain the openid scope > value. *If the* *openid* *scope value is not present, the behavior is > entirely unspecified.* Other scope values MAY be present. Scope values > used that are not understood by an implementation SHOULD be ignored. See > Sections 5.4 > <http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims> and 11 > <http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess> for > additional scope values defined by this specification. > In this light, there is no specification that covers the behavior of the > AS given the authorization request you provided. > > At least that is my reading of the specs. > > Thanks, > George > > > On 6/26/17 1:59 PM, Takahiko Kawasaki wrote: > > Thank you. Please let me ask a simplified question. > > If an authorization server returns this response (including id_token): > > HTTP/1.1 302 Found > Location: https://client.example.org/cb# > access_token=SlAV32hkKG > &token_type=bearer > &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso > &expires_in=3600 > &state=af0ifjsldkj > > when it receives this request (without scope=openid): > > GET /authorize? > response_type=id_token%20token > &client_id=s6BhdRkqt3 > &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb > &state=af0ifjsldkj HTTP/1.1 > Host: server.example.com > > , is the implementation of the authorization server correct? > > Best Regards, > Takahiko Kawasaki > > > 2017-06-26 21:53 GMT+09:00 Philippe Signoret <Philippe.Signoret@microsoft. > com>: > >> None of the examples in that spec are _*OpenID Connect*_ authentication >> requests. They are, however, valid _*OAuth 2.0**_* authorization >> requests. The one in question demonstrates use of the >> response_mode=id_token, as defined in the realm of OAuth 2.0. If (and only >> if) it had scope=openid, _*then*_ it would become an OpenID Connect auth >> request, and the OpenID Connect specs would apply. >> >> >> >> In other words, the fact that id_token is in the response_type does _ >> *not**_ *automatically make it an OpenID Connect request. >> >> >> >> Another way of seeing it is that the OAuth 2.0 Multiple Response Type >> Encoding spec is laying some foundations, as part of the OAuth 2.0 >> framework, upon which OpenID Connect is then built. >> >> >> >> In Section 11.3. OAuth Authorization Endpoint Response Types Registry >> <https://tools.ietf.org/html/rfc6749#section-11.3>, the OAuth 2.0 spec >> (RFC 6749) defines a registry of response types: >> >> >> >> This specification establishes the OAuth Authorization Endpoint >> >> Response Types registry. >> >> >> >> Then, in Section 3, ID Token Response Type >> <http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#id_token>, >> OAuth 2.0 Multiple Response Types registers “id_token” as a response type >> in that same registry: >> >> >> >> This section registers a new Response Type, the id_token, in accordance >> with the stipulations in the OAuth 2.0 specification, Section 8.4. The >> intended purpose of the id_token is that it MUST provide an assertion of >> the identity of the Resource Owner as understood by the Authorization >> Server. The assertion MUST specify a targeted audience, e.g. the requesting >> Client. However, the specific semantics of the assertion and how it can be >> validated are not specified in this document. >> >> >> >> Finally, on that OAuth 2.0 foundation, the OpenID Connect spec defines >> (amongst other things) that including “scope=openid” is how the client >> indicates that this is an OpenID Connect request, makes use of the >> previously registered Response Type “id_token” (in some flows—other flows >> don’t use the “id_token” response type), and proceeds to specify the format >> and contents of the ID Token: >> >> >> >> OpenID Connect implements authentication as an extension to the OAuth 2.0 >> authorization process. Use of this extension is requested by Clients by >> including the openid scope value in the Authorization Request. >> Information about the authentication performed is returned in a *JSON >> Web Token (JWT)* >> <http://openid.net/specs/openid-connect-core-1_0.html#JWT> [JWT] called >> an ID Token (see *Section 2* >> <http://openid.net/specs/openid-connect-core-1_0.html#IDToken>). >> >> >> >> Philippe >> >> >> >> *From:* Takahiko Kawasaki [mailto:daru.tk@gmail.com] >> *Sent:* Monday, June 26, 2017 2:17 PM >> *To:* Philippe Signoret <Philippe.Signoret@microsoft.com> >> *Cc:* oauth@ietf.org >> *Subject:* Re: [OAUTH-WG] Example in OAuth 2.0 Multiple Response Type >> Encoding Practices >> >> >> >> The response_type of the example includes id_token and it is the reason >> I've brought it up. id_token triggers Authentication Request. >> >> >> >> # The response_type in the example in Appendix A >> <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fopenid.net%2Fspecs%2Foauth-v2-multiple-response-types-1_0.html%23FragmentExample&data=02%7C01%7CPhilippe.Signoret%40microsoft.com%7C092adcaef9954edf8e3208d4bc8d2fba%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636340761951990482&sdata=mRz8ViYA0cYXXO4iVw1vAgO4Xejh%2FDcxYegTfdeOSBw%3D&reserved=0> >> does not include id_token and so I've not mentioned it. >> >> >> >> Best, >> >> Taka >> >> >> >> >> >> >> >> 2017-06-26 17:09 GMT+09:00 Philippe Signoret < >> Philippe.Signoret@microsoft.com>: >> >> scope=openid is required for OpenID Connect Authentication Requests >> (e.g. "3.3.2.1. Authentication Request >> <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fopenid.net%2Fspecs%2Fopenid-connect-core-1_0.html%23HybridAuthRequest&data=02%7C01%7CPhilippe.Signoret%40microsoft.com%7C7ae0944f524d4655cb6c08d4bc56b163%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636340527913704845&sdata=HO6gAigTdBjgxOhsS41bKLbbl1cUyUugvXBjJ4hwmKE%3D&reserved=0>" >> in "OpenID Connect Core 1.0 >> <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fopenid.net%2Fspecs%2Fopenid-connect-core-1_0.html&data=02%7C01%7CPhilippe.Signoret%40microsoft.com%7C7ae0944f524d4655cb6c08d4bc56b163%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636340527913704845&sdata=FrFLKpyHVfZbRw1OsOs7QH%2F2bSrJbJluKnny0X%2FiJxw%3D&reserved=0>"), >> but not for an OAuth 2.0 Authorization Request (e.g. "4.1.1. >> Authorization Request >> <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Frfc6749%23section-4.1.1&data=02%7C01%7CPhilippe.Signoret%40microsoft.com%7C092adcaef9954edf8e3208d4bc8d2fba%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636340761952000490&sdata=%2FHh3%2BtauyK%2F03OVtSOX7p8XpidnT%2FPGHq8cwvl07vwg%3D&reserved=0>" >> in "RFC6749 The OAuth 2.0 Authorization Framework >> <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Frfc6749&data=02%7C01%7CPhilippe.Signoret%40microsoft.com%7C092adcaef9954edf8e3208d4bc8d2fba%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636340761952000490&sdata=a0%2BsS06wPx%2FxzxKc6z7pBXnQ0p4V7yciycZ%2F6uKJ2SU%3D&reserved=0> >> "). >> >> >> >> OpenID Connect is “an identity layer on top of the OAuth 2.0 protocol”. >> OpenID Connect specs will often refer to aspects of the OAuth 2.0 protocol, >> but the OAuth 2.0 specs will generally not refer to the OpenID Connect >> constructs. (Because OpenID Connect is a specific case of OAuth 2.0.) >> >> >> >> Philippe >> >> >> >> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Takahiko >> Kawasaki >> *Sent:* Monday, June 26, 2017 7:46 AM >> *To:* oauth@ietf.org >> *Subject:* [OAUTH-WG] Example in OAuth 2.0 Multiple Response Type >> Encoding Practices >> >> >> >> Hello, >> >> >> >> I'm not so sure that this is the right place to ask, but I'm wondering >> whether it is correct or not that the following non-normative example found >> in "5. Definitions of Multi-Valued Response Type Combinations >> <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fopenid.net%2Fspecs%2Foauth-v2-multiple-response-types-1_0.html%23Combinations&data=02%7C01%7CPhilippe.Signoret%40microsoft.com%7C7ae0944f524d4655cb6c08d4bc56b163%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636340527913704845&sdata=A2%2F5R%2FFDSMUN8lthoex%2BAnF3h%2FouQHjXBPhW3Yv5D7M%3D&reserved=0>" >> in "OAuth 2.0 Multiple Response Type Encoding Practices >> <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fopenid.net%2Fspecs%2Foauth-v2-multiple-response-types-1_0.html&data=02%7C01%7CPhilippe.Signoret%40microsoft.com%7C7ae0944f524d4655cb6c08d4bc56b163%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636340527913704845&sdata=oax1ui3n46P2n67Mqx14t0458TZjrcw9IUsdCoGsmho%3D&reserved=0>" >> does not include "scope=openid". >> >> >> >> GET /authorize? >> >> response_type=id_token%20token >> >> &client_id=s6BhdRkqt3 >> >> &redirect_uri=https%3A%2F%2Fclient.example.org <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2F2Fclient.example.org&data=02%7C01%7CPhilippe.Signoret%40microsoft.com%7C7ae0944f524d4655cb6c08d4bc56b163%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636340527913704845&sdata=%2BaCAvhV9qt75Cqajdrr84BVG6MRS3747Ux5CsjJtgQE%3D&reserved=0>%2Fcb >> >> &state=af0ifjsldkj HTTP/1.1 >> >> Host: server.example.com <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fserver.example.com&data=02%7C01%7CPhilippe.Signoret%40microsoft.com%7C7ae0944f524d4655cb6c08d4bc56b163%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636340527913704845&sdata=PoXzHooKqVnYx4pzWD%2B4THUElRZjsUC2TNdMlTrhfiY%3D&reserved=0> >> >> >> >> The reason I'm wondering is that "3.3.2.1. Authentication Request >> <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fopenid.net%2Fspecs%2Fopenid-connect-core-1_0.html%23HybridAuthRequest&data=02%7C01%7CPhilippe.Signoret%40microsoft.com%7C7ae0944f524d4655cb6c08d4bc56b163%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636340527913704845&sdata=HO6gAigTdBjgxOhsS41bKLbbl1cUyUugvXBjJ4hwmKE%3D&reserved=0>" >> in "OpenID Connect Core 1.0 >> <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fopenid.net%2Fspecs%2Fopenid-connect-core-1_0.html&data=02%7C01%7CPhilippe.Signoret%40microsoft.com%7C7ae0944f524d4655cb6c08d4bc56b163%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636340527913704845&sdata=FrFLKpyHVfZbRw1OsOs7QH%2F2bSrJbJluKnny0X%2FiJxw%3D&reserved=0>" >> requires Authentication Requests be made as defined in "3.1.2.1. >> Authentication Request >> <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fopenid.net%2Fspecs%2Fopenid-connect-core-1_0.html%23AuthRequest&data=02%7C01%7CPhilippe.Signoret%40microsoft.com%7C7ae0944f524d4655cb6c08d4bc56b163%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636340527913704845&sdata=WoKMDXrFJDmvaGHGY8ry8Nn7iG5qliNjqNw8UamnHHg%3D&reserved=0>" >> and "3.1.2.1" requires the scope request parameter contain openid. >> >> >> >> >> >> Best Regards, >> >> Takahiko Kawasaki >> >> >> >> >> > _______________________________________________ > OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] Example in OAuth 2.0 Multiple Response… Takahiko Kawasaki
- Re: [OAUTH-WG] Example in OAuth 2.0 Multiple Resp… Takahiko Kawasaki
- Re: [OAUTH-WG] Example in OAuth 2.0 Multiple Resp… Takahiko Kawasaki
- Re: [OAUTH-WG] Example in OAuth 2.0 Multiple Resp… George Fletcher
- Re: [OAUTH-WG] Example in OAuth 2.0 Multiple Resp… Takahiko Kawasaki