<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1255">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.hoenzb
{mso-style-name:hoenzb;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">The only normative requirement in 6749 and it’s in the response where you have to return an access token. I’m concerned about the endpoint proliferation that
is starting to happen. <o:p></o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></a></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> John Bradley [mailto:ve7jtb@ve7jtb.com]
<br>
<b>Sent:</b> Tuesday, November 5, 2013 1:05 PM<br>
<b>To:</b> Anthony Nadalin<br>
<b>Cc:</b> Mike Jones; Nat Sakimura; openid-specs-ab@lists.openid.net<br>
<b>Subject:</b> Re: [Openid-specs-ab] Issue #898: New Core - 1.2 Terminology - Authentication Request, Authorization Request (openid/connect)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Personally I am not that concerned with the token endpoint response and if that is restricted to access and refresh tokens. I think the hose is out the door on that.<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">My concern is around requests to the token endpoint. It is required by OAuth to be a Form POST. This is awkward for sending any sort of structured request.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">That is one reason we changed the registration endpoint to take a JSON object as the POST body.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">It is going to be a total pain in the ass for implementers to have a single base URI that dynamically switches between HTML Form and JSON for input.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">That is why I prefer to have a second base URL endpoint for JSON POST, if some tricky server wants to use the same base URL for both thats fine but forcing everyone into that complexity would be a mistake in my opinion.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Mike's proposal would also likely benefit from being a JSON POST rather than key value form encoding.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">John B.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Nov 5, 2013, at 12:32 PM, Anthony Nadalin <<a href="mailto:tonynad@microsoft.com">tonynad@microsoft.com</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I understand Torsten’s point, the meta issue is what is a token endpoint, as you can just return a id_token and have the access token be NULL and that would
satisfy the specification and Torsten could not complain that it was a violation. Seems like the token endpoint needs to be sorted out</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<div>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span class="apple-converted-space"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> </span></span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Mike
Jones<span class="apple-converted-space"> </span><br>
<b>Sent:</b><span class="apple-converted-space"> </span>Tuesday, November 5, 2013 12:21 PM<br>
<b>To:</b><span class="apple-converted-space"> </span>Anthony Nadalin; Nat Sakimura<br>
<b>Cc:</b><span class="apple-converted-space"> </span><a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b><span class="apple-converted-space"> </span>RE: [Openid-specs-ab] Issue #898: New Core - 1.2 Terminology - Authentication Request, Authorization Request (openid/connect)</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Torsten's comment about the Token Endpoint was that he believes that it must always return an Access Token. He wasn't objecting to it returning other things like Refresh
Tokens, ID Tokens, etc.<br>
<br>
Indeed RFC 6749 includes an example of it returning a non-standard field.<br>
<br>
-- Mike</span><o:p></o:p></p>
</div>
</div>
<div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" align="center">
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:<span class="apple-converted-space"> </span></span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><a href="mailto:tonynad@microsoft.com"><span style="color:purple">Anthony
Nadalin</span></a></span><br>
<b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Sent:<span class="apple-converted-space"> </span></span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">ý11/ý5/ý2013 12:07 PM</span><br>
<b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">To:<span class="apple-converted-space"> </span></span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><a href="mailto:Michael.Jones@microsoft.com"><span style="color:purple">Mike
Jones</span></a>;<span class="apple-converted-space"> </span><a href="mailto:sakimura@gmail.com"><span style="color:purple">Nat Sakimura</span></a></span><br>
<b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Cc:<span class="apple-converted-space"> </span></span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><a href="mailto:openid-specs-ab@lists.openid.net"><span style="color:purple">openid-specs-ab@lists.openid.net</span></a></span><br>
<b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Subject:<span class="apple-converted-space"> </span></span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">RE: [Openid-specs-ab] Issue #898: New Core - 1.2 Terminology
- Authentication Request, Authorization Request (openid/connect)</span><o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">There is the issue of what an token endpoint should and should not return. It was clear from yesterdays Oauth discussions that people have different views, some people believe
the openid returning an I'd token is not in the sprit of the Oauth specification<br>
<br>
Sent from my Windows Phone</span><o:p></o:p></p>
</div>
</div>
<div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" align="center">
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:<span class="apple-converted-space"> </span></span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><a href="mailto:Michael.Jones@microsoft.com"><span style="color:purple">Mike
Jones</span></a></span><br>
<b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Sent:<span class="apple-converted-space"> </span></span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">ý11/ý5/ý2013 11:35 AM</span><br>
<b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">To:<span class="apple-converted-space"> </span></span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><a href="mailto:sakimura@gmail.com"><span style="color:purple">Nat
Sakimura</span></a></span><br>
<b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Cc:<span class="apple-converted-space"> </span></span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><a href="mailto:openid-specs-ab@lists.openid.net"><span style="color:purple">openid-specs-ab@lists.openid.net</span></a></span><br>
<b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Subject:<span class="apple-converted-space"> </span></span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Re: [Openid-specs-ab] Issue #898: New Core - 1.2 Terminology
- Authentication Request, Authorization Request (openid/connect)</span><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">The ID Token part is not part of the Authentication Request. It’s contained in a response which is either an Authorization Response or Token Response, depending
upon the flow used. Therefore, I didn’t say anything about the ID Token in the Authentication Request definition.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">We’re now talking about the ID Token in lots of introductory text, so I don’t think not saying anything about it in this definition a problem.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> -- Mike</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span class="apple-converted-space"><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> </span></span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Nat
Sakimura [<a href="mailto:sakimura@gmail.com"><span style="color:purple">mailto:sakimura@gmail.com</span></a>]<span class="apple-converted-space"> </span><br>
<b>Sent:</b><span class="apple-converted-space"> </span>Tuesday, November 05, 2013 1:36 AM<br>
<b>To:</b><span class="apple-converted-space"> </span>Mike Jones<br>
<b>Cc:</b><span class="apple-converted-space"> </span><a href="mailto:openid-specs-ab@lists.openid.net"><span style="color:purple">openid-specs-ab@lists.openid.net</span></a><br>
<b>Subject:</b><span class="apple-converted-space"> </span>Re: [Openid-specs-ab] Issue #898: New Core - 1.2 Terminology - Authentication Request, Authorization Request (openid/connect)</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">What about:<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">**Authentication Request**<br>
Authorization Request used to obtain the result of authentication performed by the server as ID Token through the use of OpenID Connect extension parameters and profiled scopes</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif"">What is important about it is that the authentication is performed at the server and the result is transferred from the server to the client through ID Token. </span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">2013/11/5 Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank"><span style="color:purple">Michael.Jones@microsoft.com</span></a>><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">I'm fine with adding the "Authorization Request" definition. As for the Authentication Request definition, I have some quibbles with Nat's proposed language, because I find it to be less clear and somewhat circular. Saying "to obtain
the Authentication Result" doesn't add anything, and in fact, would just cause us to have to define "Authentication Result" as well.<br>
<br>
How about something closer to this?<br>
<br>
**Authentication Request**<br>
An OAuth 2.0 Authorization Request using extension parameters and scopes defined by OpenID Connect to request that the End-User be authenticated by the Authorization Server, which is an OpenID Connect Provider.<br>
<span style="color:#888888"><br>
<span class="hoenzb"> -- Mike</span></span><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><br>
-----Original Message-----<br>
From:<span class="apple-converted-space"> </span><a href="mailto:openid-specs-ab-bounces@lists.openid.net"><span style="color:purple">openid-specs-ab-bounces@lists.openid.net</span></a><span class="apple-converted-space"> </span>[mailto:<a href="mailto:openid-specs-ab-bounces@lists.openid.net"><span style="color:purple">openid-specs-ab-bounces@lists.openid.net</span></a>]
On Behalf Of Nat Sakimura<br>
Sent: Monday, November 04, 2013 11:13 PM<br>
To:<span class="apple-converted-space"> </span><a href="mailto:openid-specs-ab@lists.openid.net"><span style="color:purple">openid-specs-ab@lists.openid.net</span></a><br>
Subject: [Openid-specs-ab] Issue #898: New Core - 1.2 Terminology - Authentication Request, Authorization Request (openid/connect)<br>
<br>
New issue 898: New Core - 1.2 Terminology - Authentication Request, Authorization Request<a href="https://bitbucket.org/openid/connect/issue/898/new-core-12-terminology-authentication" target="_blank"><span style="color:purple">https://bitbucket.org/openid/connect/issue/898/new-core-12-terminology-authentication</span></a><br>
<br>
Nat Sakimura:<br>
<br>
Capturing Breno's request on Nov. 4 that says: "I think we should have an explicit entry to Authorization Request that says: "An OAuth2 Authorization Request as defined in RFC 6749"<br>
And then "Authentication Request" --> With a language more similar to the one proposed by Nat in this thread."<br>
<br>
**Currently**:<br>
<br>
**Authentication Request**<br>
An OAuth 2.0 Authorization Request that requests that the End-User be authenticated by the Authorization Server.<br>
<br>
**Proposed**:<br>
<br>
**Authentication Request**<br>
Authorization Request used to obtain the Authentication Result through the use of OpenID Connect extension parameters and profiled scopes<br>
<br>
**Authorization Request**<br>
OAuth 2 authorization request as defined in RFC 6749<br>
<br>
<br>
<br>
<br>
<br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net"><span style="color:purple">Openid-specs-ab@lists.openid.net</span></a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank"><span style="color:purple">http://lists.openid.net/mailman/listinfo/openid-specs-ab</span></a><br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net"><span style="color:purple">Openid-specs-ab@lists.openid.net</span></a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank"><span style="color:purple">http://lists.openid.net/mailman/listinfo/openid-specs-ab</span></a><o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><br>
<br clear="all">
<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal">--<span class="apple-converted-space"> </span><br>
Nat Sakimura (=nat)<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">Chairman, OpenID Foundation<br>
<a href="http://nat.sakimura.org/" target="_blank"><span style="color:purple">http://nat.sakimura.org/</span></a><br>
@_nat_en<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"">_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></span></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>