<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF">
<div>
<div style="font-family:Calibri,sans-serif; font-size:11pt">"Implicit Flow" is defined in the Terminology section.<br>
<br>
</div>
</div>
<hr>
<span style="font-family:Tahoma,sans-serif; font-size:10pt; font-weight:bold">From:
</span><span style="font-family:Tahoma,sans-serif; font-size:10pt">n-sakimura</span><br>
<span style="font-family:Tahoma,sans-serif; font-size:10pt; font-weight:bold">Sent:
</span><span style="font-family:Tahoma,sans-serif; font-size:10pt">10/29/2013 9:51 PM</span><br>
<span style="font-family:Tahoma,sans-serif; font-size:10pt; font-weight:bold">To:
</span><span style="font-family:Tahoma,sans-serif; font-size:10pt">openid-specs-ab@lists.openid.net</span><br>
<span style="font-family:Tahoma,sans-serif; font-size:10pt; font-weight:bold">Subject:
</span><span style="font-family:Tahoma,sans-serif; font-size:10pt">Re: [Openid-specs-ab] Guidance on what the different flows are for</span><br>
<br>
<div>
<div class="moz-cite-prefix">(2013/10/30 10:22), Mike Jones wrote:<br>
</div>
<blockquote type="cite">
<div class="WordSection1">
<p class="MsoNormal">Several reviewers have requested guidance on when to use the different flows.  I believe that we’d be doing a service to our readers by providing it.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Several reviewers have objected to this text in <a href="http://openid.net/specs/openid-connect-core-1_0.html#Authentication">
http://openid.net/specs/openid-connect-core-1_0.html#Authentication</a> – saying that sometimes the Code flow is used even when the client can’t maintain the secrecy of the client_secret:</p>
<p class="MsoNormal"><span lang="EN">The Authorization Code Flow is suitable for Clients that can securely maintain a Client Secret between themselves and the Authorization Server whereas, the Implicit Flow is suitable for Clients that cannot.</span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I believe that the statement would still be true if we changed the word “suitable” to “intended”.  And then, as discussed in the F2F meeting, we could add the sentence:</p>
<p class="MsoNormal">“However, the Authorization Code flow is sometimes also used by Native applications in order to be able to obtain a Refresh Token, even when they cannot ensure the secrecy of the client_secret value.”</p>
</div>
</blockquote>
It does not have to be native applications. <br>
We do not have to constrain code grant for anything. <br>
<br>
The only thing which may be worth noting is that the code grant (1) enables client authentication for confidential clients, (2) allows clients to obtain a refresh token, (3) is more secure than the implicit grant as the token is not exposed in the front channel, (4) requires an extra round trip compared to the implicit, and (5) the Token endpoint has to be directly reachable from the client.
<br>
<br>
In contrast, the implicit grant will have (1) fewer round trips and thus less latency, (2) the client does not need direct reachability to the server, (3) the client cannot be confidential, (4) tokens are exposed in the front channel so it is inherently less secure, and (5) you cannot get a refresh token with this grant. <br>
<br>
Perhaps having tables like the following is better as the guidance. <br>
<br>
<table class="MsoTableGrid" border="1" cellpadding="0" cellspacing="0" style="border-collapse:collapse; border:none">
<tbody>
<tr style="">
<td valign="top" width="329" style="width:246.4pt; border:solid windowtext 1.0pt; padding:0mm 5.4pt 0mm
            5.4pt">
<p class="MsoNormal"><span lang="EN-US">Conditions / Requirement</span></p>
</td>
<td valign="top" width="85" style="width:63.8pt; border:solid windowtext 1.0pt; border-left:none; padding:0mm 5.4pt
            0mm 5.4pt">
<p class="MsoNormal"><span lang="EN-US">code grant</span></p>
</td>
<td valign="top" width="85" style="width:63.75pt; border:solid windowtext 1.0pt; border-left:none; padding:0mm 5.4pt
            0mm 5.4pt">
<p class="MsoNormal"><span lang="EN-US">implicit grant</span></p>
</td>
<td valign="top" width="82" style="width:61.15pt; border:solid windowtext 1.0pt; border-left:none; padding:0mm 5.4pt
            0mm 5.4pt">
<p class="MsoNormal"><span lang="EN-US">hybrid grant</span></p>
</td>
</tr>
<tr style="">
<td valign="top" width="329" style="width:246.4pt; border:solid windowtext 1.0pt; border-top:none; padding:0mm 5.4pt
            0mm 5.4pt">
<p class="MsoNormal"><span lang="EN-US">Server is not directly reachable from the client</span></p>
</td>
<td valign="top" width="85" style="width:63.8pt; border-top:none; border-left:none; border-bottom:solid windowtext 1.0pt; border-right:solid
            windowtext 1.0pt; padding:0mm 5.4pt 0mm
            5.4pt">
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</td>
<td valign="top" width="85" style="width:63.75pt; border-top:none; border-left:none; border-bottom:solid windowtext 1.0pt; border-right:solid
            windowtext 1.0pt; padding:0mm 5.4pt 0mm
            5.4pt">
<p class="MsoNormal"><span lang="EN-US">x</span></p>
</td>
<td valign="top" width="82" style="width:61.15pt; border-top:none; border-left:none; border-bottom:solid windowtext 1.0pt; border-right:solid
            windowtext 1.0pt; padding:0mm 5.4pt 0mm
            5.4pt">
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</td>
</tr>
<tr style="">
<td valign="top" width="329" style="width:246.4pt; border:solid windowtext 1.0pt; border-top:none; padding:0mm 5.4pt
            0mm 5.4pt">
<p class="MsoNormal"><span lang="EN-US">Want fewer round trips</span></p>
</td>
<td valign="top" width="85" style="width:63.8pt; border-top:none; border-left:none; border-bottom:solid windowtext 1.0pt; border-right:solid
            windowtext 1.0pt; padding:0mm 5.4pt 0mm
            5.4pt">
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</td>
<td valign="top" width="85" style="width:63.75pt; border-top:none; border-left:none; border-bottom:solid windowtext 1.0pt; border-right:solid
            windowtext 1.0pt; padding:0mm 5.4pt 0mm
            5.4pt">
<p class="MsoNormal"><span lang="EN-US">x</span></p>
</td>
<td valign="top" width="82" style="width:61.15pt; border-top:none; border-left:none; border-bottom:solid windowtext 1.0pt; border-right:solid
            windowtext 1.0pt; padding:0mm 5.4pt 0mm
            5.4pt">
<p class="MsoNormal"><span lang="EN-US">x</span></p>
</td>
</tr>
<tr style="">
<td valign="top" width="329" style="width:246.4pt; border:solid windowtext 1.0pt; border-top:none; padding:0mm 5.4pt
            0mm 5.4pt">
<p class="MsoNormal"><span lang="EN-US">Do not want to reveal tokens for better security</span></p>
</td>
<td valign="top" width="85" style="width:63.8pt; border-top:none; border-left:none; border-bottom:solid windowtext 1.0pt; border-right:solid
            windowtext 1.0pt; padding:0mm 5.4pt 0mm
            5.4pt">
<p class="MsoNormal"><span lang="EN-US">x</span></p>
</td>
<td valign="top" width="85" style="width:63.75pt; border-top:none; border-left:none; border-bottom:solid windowtext 1.0pt; border-right:solid
            windowtext 1.0pt; padding:0mm 5.4pt 0mm
            5.4pt">
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</td>
<td valign="top" width="82" style="width:61.15pt; border-top:none; border-left:none; border-bottom:solid windowtext 1.0pt; border-right:solid
            windowtext 1.0pt; padding:0mm 5.4pt 0mm
            5.4pt">
<p class="MsoNormal"><span lang="EN-US">(some)</span></p>
</td>
</tr>
<tr style="">
<td valign="top" width="329" style="width:246.4pt; border:solid windowtext 1.0pt; border-top:none; padding:0mm 5.4pt
            0mm 5.4pt">
<p class="MsoNormal"><span lang="EN-US">Want client authentication</span></p>
</td>
<td valign="top" width="85" style="width:63.8pt; border-top:none; border-left:none; border-bottom:solid windowtext 1.0pt; border-right:solid
            windowtext 1.0pt; padding:0mm 5.4pt 0mm
            5.4pt">
<p class="MsoNormal"><span lang="EN-US">x</span></p>
</td>
<td valign="top" width="85" style="width:63.75pt; border-top:none; border-left:none; border-bottom:solid windowtext 1.0pt; border-right:solid
            windowtext 1.0pt; padding:0mm 5.4pt 0mm
            5.4pt">
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</td>
<td valign="top" width="82" style="width:61.15pt; border-top:none; border-left:none; border-bottom:solid windowtext 1.0pt; border-right:solid
            windowtext 1.0pt; padding:0mm 5.4pt 0mm
            5.4pt">
<p class="MsoNormal"><span lang="EN-US">x</span></p>
</td>
</tr>
<tr style="">
<td valign="top" width="329" style="width:246.4pt; border:solid windowtext 1.0pt; border-top:none; padding:0mm 5.4pt
            0mm 5.4pt">
<p class="MsoNormal"><span lang="EN-US">Want refresh token</span></p>
</td>
<td valign="top" width="85" style="width:63.8pt; border-top:none; border-left:none; border-bottom:solid windowtext 1.0pt; border-right:solid
            windowtext 1.0pt; padding:0mm 5.4pt 0mm
            5.4pt">
<p class="MsoNormal"><span lang="EN-US">x</span></p>
</td>
<td valign="top" width="85" style="width:63.75pt; border-top:none; border-left:none; border-bottom:solid windowtext 1.0pt; border-right:solid
            windowtext 1.0pt; padding:0mm 5.4pt 0mm
            5.4pt">
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</td>
<td valign="top" width="82" style="width:61.15pt; border-top:none; border-left:none; border-bottom:solid windowtext 1.0pt; border-right:solid
            windowtext 1.0pt; padding:0mm 5.4pt 0mm
            5.4pt">
<p class="MsoNormal"><span lang="EN-US">x</span></p>
</td>
</tr>
<tr style="">
<td valign="top" width="329" style="width:246.4pt; border:solid windowtext 1.0pt; border-top:none; padding:0mm 5.4pt
            0mm 5.4pt">
<p class="MsoNormal"><span lang="EN-US">Slow front channel, fast back channel</span></p>
</td>
<td valign="top" width="85" style="width:63.8pt; border-top:none; border-left:none; border-bottom:solid windowtext 1.0pt; border-right:solid
            windowtext 1.0pt; padding:0mm 5.4pt 0mm
            5.4pt">
<p class="MsoNormal"><span lang="EN-US">x</span></p>
</td>
<td valign="top" width="85" style="width:63.75pt; border-top:none; border-left:none; border-bottom:solid windowtext 1.0pt; border-right:solid
            windowtext 1.0pt; padding:0mm 5.4pt 0mm
            5.4pt">
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</td>
<td valign="top" width="82" style="width:61.15pt; border-top:none; border-left:none; border-bottom:solid windowtext 1.0pt; border-right:solid
            windowtext 1.0pt; padding:0mm 5.4pt 0mm
            5.4pt">
<p class="MsoNormal"><span lang="EN-US">x</span></p>
</td>
</tr>
</tbody>
</table>
<br>
The same table is uploaded here: <a href="http://nat.sakimura.org/2013/10/30/guidance-on-which-grant-flow-to-use-for-openid-connect/">
http://nat.sakimura.org/2013/10/30/guidance-on-which-grant-flow-to-use-for-openid-connect/</a><br>
<br>
BTW, do we still want to use the term "flow"? OAuth stopped using the term and it uses "grant" instead. Currently, "implicit flow" for example is not defined.
<br>
<br>
Nat<br>
<br>
<br>
<blockquote type="cite">
<div class="WordSection1">
<p class="MsoNormal"> </p>
<p class="MsoNormal">Would that combination work for people?</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Finally, I propose that we add this guidance about the Hybrid Flow:</p>
<p class="MsoNormal">“The Hybrid flow enables Clients to obtain an ID Token and/or Access Token with only one round trip to the Authorization Server, possibly minimizing latency, while still enabling Clients to later get tokens from the Token Endpoint – especially
 a Refresh Token.”</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Per the decision at the F2F, all this “guidance” text would move to the introduction.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Are people good with the wording above, or would you like to make alternative suggestions?</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">                                                                -- Mike</p>
<p class="MsoNormal"> </p>
</div>
<br>
<pre>_______________________________________________
Openid-specs-ab mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">-- 
Nat Sakimura (<a class="moz-txt-link-abbreviated" href="mailto:n-sakimura@nri.co.jp">n-sakimura@nri.co.jp</a>)
Nomura Research Institute, Ltd. 
<a class="moz-txt-link-freetext" href="Tel:+81-3-6274-1412">Tel:+81-3-6274-1412</a> Fax:+81-3-6274-1547

PLEASE READ:
The information contained in this e-mail is confidential and intended for the named recipient(s) only.
If you are not an intended recipient of this e-mail, you are hereby notified that any review, dissemination, distribution or duplication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately and delete your copy from your system.
</pre>
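<p>The differences Nat tabulates above (token exposure in the front channel, client authentication, refresh tokens, one versus two round trips) are easiest to see side by side in code. The following is an added illustration written for this page, not code from the OpenID specification or from anyone on the list: it is a toy in-memory authorization server whose <code>authorize</code> and <code>token</code> methods stand in for the Authorization and Token Endpoints, with constructed client registrations, made-up token formats and a hybrid variant limited to <code>response_type=code token</code>. The check <code>front_channel_exposes_token</code> is the kind of test a reviewer would run against a captured redirect to tell the grants apart.</p>

```python
"""Toy OAuth 2.0 / OpenID Connect server and client helpers contrasting the
code, implicit and hybrid grants.  Added example, not spec or list code:
endpoint method names, token formats and the client registry are assumptions."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed client registrations.  A confidential client holds a secret;
# a public client (e.g. a browser app) has none, yet may still use the code grant.
CLIENTS = {
    "web-app": {"secret": "s3cr3t", "redirect_uri": "https://rp.example/cb"},
    "spa": {"secret": None, "redirect_uri": "https://spa.example/cb"},
}


class AuthorizationServer:
    def __init__(self):
        self.codes = {}       # authorization code -> client_id (single use)
        self.refresh = set()  # refresh tokens issued via the back channel

    def _tokens(self, with_refresh):
        t = {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}
        if with_refresh:
            t["refresh_token"] = secrets.token_urlsafe(16)
            self.refresh.add(t["refresh_token"])
        return t

    def authorize(self, client_id, response_type, state):
        """Front-channel step: returns the redirect URI the user agent follows."""
        redirect_uri = CLIENTS[client_id]["redirect_uri"]
        params = {"state": state}
        if response_type == "code":
            # Code grant: only a short-lived, single-use code crosses the front channel.
            code = secrets.token_urlsafe(16)
            self.codes[code] = client_id
            return redirect_uri + "?" + urlencode({"code": code, **params})
        if response_type == "token":
            # Implicit grant: the access token itself rides in the fragment; no refresh token.
            params.update(self._tokens(with_refresh=False))
            return redirect_uri + "#" + urlencode(params)
        if response_type == "code token":
            # Hybrid grant: a token in the fragment plus a code for the back channel.
            code = secrets.token_urlsafe(16)
            self.codes[code] = client_id
            params.update(self._tokens(with_refresh=False))
            params["code"] = code
            return redirect_uri + "#" + urlencode(params)
        raise ValueError("unsupported response_type")

    def token(self, client_id, code, client_secret=None):
        """Back-channel step: the client must reach this endpoint directly."""
        client = CLIENTS[client_id]
        # Client authentication only exists here; a confidential client must prove itself.
        if client["secret"] is not None and client_secret != client["secret"]:
            raise PermissionError("client authentication failed")
        # Codes are single use and bound to the client that requested them.
        if self.codes.pop(code, None) != client_id:
            raise PermissionError("invalid or reused code")
        # Refresh tokens are issued only from the token endpoint, never in the front channel.
        return self._tokens(with_refresh=True)


def _visible_params(redirect_uri):
    """Everything the user agent (and anything logging it) can see in the redirect."""
    u = urlparse(redirect_uri)
    return {**parse_qs(u.query), **parse_qs(u.fragment)}


def front_channel_exposes_token(redirect_uri):
    """True if an access token appears in the browser-visible redirect."""
    return "access_token" in _visible_params(redirect_uri)


def code_from_redirect(redirect_uri):
    """Extract the authorization code from a code or hybrid redirect."""
    return _visible_params(redirect_uri)["code"][0]


def run_code_grant(server, client_id, client_secret=None):
    """Two round trips: authorize (front channel) then token (back channel)."""
    redirect = server.authorize(client_id, "code", state="xyz")
    return redirect, server.token(client_id, code_from_redirect(redirect), client_secret)


def run_implicit_grant(server, client_id):
    """One round trip: tokens arrive in the fragment; the token endpoint is never called."""
    redirect = server.authorize(client_id, "token", state="xyz")
    return redirect, _visible_params(redirect)


if __name__ == "__main__":
    srv = AuthorizationServer()
    r, t = run_code_grant(srv, "web-app", "s3cr3t")
    print("code grant exposes token:", front_channel_exposes_token(r), "refresh:", "refresh_token" in t)
    r, t = run_implicit_grant(srv, "spa")
    print("implicit exposes token:", front_channel_exposes_token(r), "refresh:", "refresh_token" in t)
```

<p>Running the code grant for <code>"spa"</code> with no secret works too, which is the point Nat makes about not constraining the code grant to confidential clients: the client simply gets no client authentication, but still keeps the access token out of the front channel and still receives a refresh token.</p>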
</div>
</body>
</html>