I suppose the compliance for RP and IdP differs. <div><br></div><div>We could require RP to support only implicit flow while IdP to support both. </div><div><br></div><div>=nat<br><br><div class="gmail_quote">On Wed, Jul 27, 2011 at 9:39 AM, John Bradley <span dir="ltr"><<a href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div style="word-wrap:break-word">No, I think the conclusion we are coming to is that while it would be nice for everyone to support both.<div>
<br></div><div>A minimal RP only needs the Token flow in Lite.</div><div><br></div><div>Is there any reason an OP wouldn't support the Token (implicit) flow?</div><div><br></div><div>Having to support two flows complicates the minimal RP.   </div>
<div><br></div><div>John B.</div><div><div><div><div></div><div class="h5"><div>On 2011-07-26, at 12:49 PM, Mike Jones wrote:</div><br></div></div><blockquote type="cite"><span style="border-collapse:separate;font-family:Helvetica;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:-webkit-auto;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-size:medium"><div lang="EN-US" link="blue" vlink="purple">
<div><div></div><div class="h5"><div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif"><span style="color:rgb(0, 32, 96)">Per the call yesterday, John and I investigated whether the implicit (token) grant type can be effectively used with native client applications.  The<span> </span><a href="http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-9" style="color:blue;text-decoration:underline" target="_blank">Native Applications section</a><span> </span>of the OAuth spec makes it clear that it can.  Given that most OAuth interactions today use the implicit grant type, we want to confirm the tentative decision made on the call yesterday to have the implicit grant type be the one required flow in the Lite spec.<u></u><u></u></span></div>
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif"><span style="color:rgb(0, 32, 96)"><u></u> <u></u></span></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">
<span style="color:rgb(0, 32, 96)">                                                            -- Mike & John<u></u><u></u></span></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">
<span style="color:rgb(0, 32, 96)"><u></u> <u></u></span></div><div><div style="border-right-style:none;border-bottom-style:none;border-left-style:none;border-width:initial;border-color:initial;border-top-style:solid;border-top-color:rgb(181, 196, 223);border-top-width:1pt;padding-top:3pt;padding-right:0in;padding-bottom:0in;padding-left:0in">
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif"><b><span style="font-size:10pt;font-family:Tahoma, sans-serif">From:</span></b><span style="font-size:10pt;font-family:Tahoma, sans-serif"><span> </span><a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a> [mailto:<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a>]<span> </span><b>On Behalf Of<span> </span></b>Mike Jones<br>
<b>Sent:</b><span> </span>Monday, July 25, 2011 4:06 PM<br><b>To:</b><span> </span><a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br><b>Subject:</b><span> </span>[Openid-specs-ab] Spec call notes 25-Jul-11<u></u><u></u></span></div>
</div></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif"><u></u> <u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">
Spec call notes 25-Jul-11<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif"><u></u> <u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">
Nat Sakimura<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">Mike Jones<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">
John Bradley<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">Edmund Jay<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">
Breno de Medeiros<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif"><u></u> <u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">
Agenda:<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">               Reviewing proposed edits by Breno and Casper Biering<u></u><u></u></div>
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">               Edits for Lite spec<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">
               Feedback from Torsten<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif"><u></u> <u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">
Reviewing Breno's proposed edits<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">               Other than those we comment on here, we are using the resolutions in Nat's response note<u></u><u></u></div>
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">               Should indicate the fact that the two flows can be used in combination<u></u><u></u></div>
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">               when a client consists of different components that both maintain user<u></u><u></u></div>
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">               signed-in state<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">
                              Nat will take a stab at text for this<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">                              John asked whether this should be supported in Lite<u></u><u></u></div>
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">                                             This should be in "Standard" - not in "Lite"<u></u><u></u></div>
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">               Related question - do we want code flow in Lite as well as implicit or just implicit?<u></u><u></u></div>
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">                              We should go with just implicit to keep Lite as simple as possible<u></u><u></u></div>
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif"><u></u> <u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">
               Breno's comments about cross-domain post message and HTML5 (starting "- Client sends a request to authorization server -> Client submits"...)<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">
                              Somebody (probably Breno) needs to propose normative text for this<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">
                              Since it affects interop<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">                              In further discussions, we agreed that we want to mostly refer to OAuth 2 and not do Connect-specific things when possible<u></u><u></u></div>
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">                                             So post message flow should happen in OAuth 2 - not OpenID Connect<u></u><u></u></div>
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif"><u></u> <u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">
               Per Breno's comments about code+token<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">                              We agreed that this doesn't belong in Lite<u></u><u></u></div>
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">                              (Per OAuth draft 19 & 20, this also becomes "code token")<u></u><u></u></div>
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif"><u></u> <u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">
<u></u> <u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">               JWT format will be used for id_token, but id_token is not part of Lite<u></u><u></u></div>
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif"><u></u> <u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">
Reviewing Caspar's proposed edits<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">               Nat agrees with all of Caspar's proposed edits - Mike to review and check in<u></u><u></u></div>
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">               We agreed that redirect_uri should be required for now (as it already is)<u></u><u></u></div>
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif"><u></u> <u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">
Breno requested that we remove the native application text in the session management spec<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">
               We're not sure that this is right yet<u></u><u></u></div><div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">               Code flow needed for Native apps<u></u><u></u></div>
<div style="margin-top:0in;margin-right:0in;margin-left:0in;margin-bottom:0.0001pt;font-size:11pt;font-family:Calibri, sans-serif">                              We need to investigate this if we're only mandating token flow in Lite<u></u><u></u></div>
</div></div></div><div class="im">_______________________________________________<br>Openid-specs-ab mailing list<br></div><div class="im"><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
</div><div class="im"><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></div></div></span></blockquote></div><br></div></div><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div><br>
</div>