Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-17 Thread John Bradley
On Behalf Of Breno >> Sent: Saturday, March 17, 2012 12:10 PM >> To: Eran Hammer >> Cc: OAuth WG >> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23 >> >> That is much clearer. Thank you. >> >> On Sat, Mar 17, 2012 at 9:17 AM, Eran H

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-17 Thread Nat Sakimura
ail.com] On Behalf Of Breno > > Sent: Saturday, March 17, 2012 12:10 PM > > To: Eran Hammer > > Cc: OAuth WG > > Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23 > > > > That is much clearer. Thank you. > > > > On Sat, Mar 17, 2012 at 9:17 A

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-17 Thread Mike Jones
ubject: RE: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23 Mike, Nat, Does the new text work for you? EH > -Original Message- > From: breno.demedei...@gmail.com > [mailto:breno.demedei...@gmail.com] On Behalf Of Breno > Sent: Saturday, March 17, 2012 12:10 PM > To: E

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-17 Thread Eran Hammer
> people. > > > > Better? > > > > EH > > > > > >> -Original Message- > >> From: breno.demedei...@gmail.com > >> [mailto:breno.demedei...@gmail.com] On Behalf Of Breno > >> Sent: Saturday, March 17, 2012 8:50 AM > >>

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-17 Thread Breno
rom: breno.demedei...@gmail.com >> [mailto:breno.demedei...@gmail.com] On Behalf Of Breno >> Sent: Saturday, March 17, 2012 8:50 AM >> To: Eran Hammer >> Cc: OAuth WG >> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23 >> >> To summarize,

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-17 Thread Eran Hammer
ent authentication requirements to each. Or the server could > > require separate client registration for each component. > > > >> > >> EH > >> > >>> -Original Message- > >>> From: Breno de Medeiros [mailto:br...@google.com] >

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-17 Thread Breno
From: Breno de Medeiros [mailto:br...@google.com] >>> Sent: Thursday, March 15, 2012 2:12 PM >>> To: Eran Hammer >>> Cc: Nat Sakimura; OAuth WG >>> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23 >>> >>> On Thu, Mar 15, 20

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-15 Thread Breno de Medeiros
-Original Message- >> From: Breno de Medeiros [mailto:br...@google.com] >> Sent: Thursday, March 15, 2012 2:12 PM >> To: Eran Hammer >> Cc: Nat Sakimura; OAuth WG >> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23 >> >> On Thu, Mar 15, 201

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-15 Thread Eran Hammer
? EH > -Original Message- > From: Breno de Medeiros [mailto:br...@google.com] > Sent: Thursday, March 15, 2012 2:12 PM > To: Eran Hammer > Cc: Nat Sakimura; OAuth WG > Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23 > > On Thu, Mar 15, 2012 at 13:13,

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-15 Thread Breno de Medeiros
s that do not fit the >>>>> current type definitions. >>>>> >>>>> It is far too late for us to define a new client type, along with all >>>>>the >>>>> security considerations that such type imply. Our entire security >>>

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-15 Thread Eran Hammer
uch type imply. Our entire security >>>> consideration section and protocol design are based on have a well >>>>defined >>>> client type. >>>> >>>> Requiring separate registration for each component is the most >>>> straight-forw

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-15 Thread Breno de Medeiros
ecify such >>> complex clients." seems a very round about way to say that the core spec >>> already provides for such arrangements in the most common scenario. It >>>is a >>> bit of a stretch to say that the server provides "other registration >

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-15 Thread Eran Hammer
>> >> The best way to move forward is to take a minute and ask the group to >>share >> how they handle such cases or how they think they should be handled. >>Based >> on that we can come up with a clear solution. >> >> EH >> >> From: Breno

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-15 Thread Breno de Medeiros
w they handle such cases or how they think they should be handled. Based > on that we can come up with a clear solution. > > EH > > From: Breno de Medeiros > Date: Thu, 15 Mar 2012 09:56:13 -0700 > To: Eran Hammer-Lahav > Cc: Nat Sakimura , OAuth WG > > Subject: Re

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-15 Thread Eran Hammer
Mar 2012 09:56:13 -0700 To: Eran Hammer-Lahav mailto:e...@hueniverse.com>> Cc: Nat Sakimura mailto:sakim...@gmail.com>>, OAuth WG mailto:oauth@ietf.org>> Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23 On Thu, Mar 15, 2012 at 07:45, Eran Hammer mailto:e...@hue

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-15 Thread Mike Jones
an Hammer Sent: Thursday, March 15, 2012 7:45 AM To: Nat Sakimura; Breno de Medeiros; OAuth WG Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23 This add-on is unnecessary. It already says the authorization server can handle it any way it wants. The fact that other registration o

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-15 Thread Breno de Medeiros
2 2:04 AM > *To:* Breno de Medeiros; OAuth WG > > *Subject:* Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23 > > So, Eran's first proposal: > > A client application consisting of multiple components, eac

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-15 Thread Eran Hammer
case raised. EH From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Nat Sakimura Sent: Thursday, March 15, 2012 2:04 AM To: Breno de Medeiros; OAuth WG Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23 So, Eran's first proposal: A client application

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-15 Thread John Bradley
That seems to cover it. My problem is that client registration has been treated largely as being out of scope other than some general principles. We are now adding normative text, but still not specifying mechanisms. Nat's text allows existing practice with complex clients like Facebook with

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-15 Thread Nat Sakimura
So, Eran's first proposal: A client application consisting of multiple components, each with its own client type (e.g. a distributed client with both a confidential server-based component and a public browser-based component), MUST register each component separately as a different client t

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-14 Thread Barry Leiba
> Off list. Or not so much off list. He-he. b ___ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-14 Thread Barry Leiba
Off list. > It would be great if people could just reply stating which they like best. Yes. Sometimes, one just has to whack people over the head. b

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-14 Thread Eran Hammer
rch 14, 2012 1:20 PM > To: OAuth WG > Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23 > > > I am sorry, but with this language this is a different spec with > > different compliance profiles and without supplying enough guidance > > for creating int

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-14 Thread Barry Leiba
> I am sorry, but with this language this is a different spec with > different compliance profiles and without supplying enough guidance > for creating interoperable server implementations for common > deployment models. As I read this thread, I see two things come out clearly: 1. Eran didn't int

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-14 Thread Breno de Medeiros
> > >> -Original Message----- >> From: Mike Jones [mailto:michael.jo...@microsoft.com] >> Sent: Wednesday, March 14, 2012 11:42 AM >> To: Eran Hammer; Marius Scurtescu >> Cc: Breno de Medeiros; OAuth WG >> Subject: RE: [OAUTH-WG] Fw: Breaking change i

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-14 Thread Richer, Justin P.
'm open to other suggestions as > long as they account for the deep dependency this protocol has on client type > identification. > > EH > > > >> -Original Message- >> From: Mike Jones [mailto:michael.jo...@microsoft.com] >> Sent: Wednesday,

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-14 Thread Eran Hammer
EH > -Original Message- > From: Mike Jones [mailto:michael.jo...@microsoft.com] > Sent: Wednesday, March 14, 2012 11:42 AM > To: Eran Hammer; Marius Scurtescu > Cc: Breno de Medeiros; OAuth WG > Subject: RE: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23 > > All

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-14 Thread Mike Jones
ietf.org] On Behalf Of Eran Hammer Sent: Wednesday, March 14, 2012 11:35 AM To: Marius Scurtescu Cc: Breno de Medeiros; OAuth WG Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23 You are not reading it correctly. This is a *registration* requirement, meaning, the client has to inform

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-14 Thread Eran Hammer
s Scurtescu [mailto:mscurte...@google.com] > Sent: Wednesday, March 14, 2012 11:24 AM > To: Eran Hammer > Cc: Breno de Medeiros; OAuth WG > Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23 > > Before v23 a web server client could use either response_type=code or > re

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-14 Thread Marius Scurtescu
> authorization server can properly enforce the rest of the normative security >> language in the specification. >> > >> > EH >> > >> > >> >> -Original Message- >> >> From: oauth-boun...@ietf.org [mailto:oauth-boun

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-14 Thread Eran Hammer
> To: Eran Hammer > Cc: Marius Scurtescu; OAuth WG > Subject: Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23 > > Can you explain to me why response_type is necessary at all after this > change. > > If a javascript client (candidate for token usage) and the web server >

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-14 Thread Breno de Medeiros
language in > the specification. > > EH > > >> -Original Message- >> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf >> Of Marius Scurtescu >> Sent: Wednesday, March 14, 2012 9:53 AM >> To: OAuth WG >> Cc: Breno de

Re: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-14 Thread Eran Hammer
rius Scurtescu > Sent: Wednesday, March 14, 2012 9:53 AM > To: OAuth WG > Cc: Breno de Medeiros > Subject: [OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23 > > Hi, > > Nat Sakimura started a thread on the OpenID Connect list about a breaking > change introduced by rev

[OAUTH-WG] Fw: Breaking change in OAuth 2.0 rev. 23

2012-03-14 Thread Marius Scurtescu
Hi, Nat Sakimura started a thread on the OpenID Connect list about a breaking change introduced by rev 2.3 The paragraph in question is in section 2.1: "A client application consisting of multiple components, each with its own client type (e.g. a distributed client with both a confidential serve