<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<font face="Helvetica, Arial, sans-serif">More comments inline :)</font><br>
<br>
<div class="moz-cite-prefix">On 6/16/15 11:28 AM, John Bradley
wrote:<br>
</div>
<blockquote
cite="mid:F3CE90EF-E0A2-430D-830F-2481347C15F5@ve7jtb.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<br class="">
<div><br class="">
<div class=""><span style="font-family: Helvetica; font-size:
12px; font-style: normal; font-variant: normal; font-weight:
normal; letter-spacing: normal; line-height: normal;
orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px; float:
none; display: inline !important;" class="">Hi George,</span>
<div class="" style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant: normal; font-weight:
normal; letter-spacing: normal; line-height: normal;
orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px;"><br
class="">
</div>
<div class="" style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant: normal; font-weight:
normal; letter-spacing: normal; line-height: normal;
orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px;">Thanks
for the review. </div>
<div class="" style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant: normal; font-weight:
normal; letter-spacing: normal; line-height: normal;
orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px;"><br
class="">
</div>
<div class="" style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant: normal; font-weight:
normal; letter-spacing: normal; line-height: normal;
orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px;">Inline</div>
<div class="" style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant: normal; font-weight:
normal; letter-spacing: normal; line-height: normal;
orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px;"><br
class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On Jun 15, 2015, at 6:27 PM,<span
class="Apple-converted-space"> </span><a
moz-do-not-send="true"
href="mailto:openid-specs-native-apps-bounces@lists.openid.net"
class="">openid-specs-native-apps-bounces@lists.openid.net</a><span
class="Apple-converted-space"> </span>wrote:</div>
<br class="Apple-interchange-newline">
<div class=""><br class="">
<div class="" style="margin: 0px;"><span class=""
style="font-family: -webkit-system-font,
'Helvetica Neue', Helvetica, sans-serif; color:
rgb(127, 127, 127);"><b class="">From:<span
class="Apple-converted-space"> </span></b></span><span
class="" style="font-family: -webkit-system-font,
'Helvetica Neue', Helvetica, sans-serif;">George
Fletcher <<a moz-do-not-send="true"
href="mailto:gffletch@aol.com" class="">gffletch@aol.com</a>><br
class="">
</span></div>
<div class="" style="margin: 0px;"><span class=""
style="font-family: -webkit-system-font,
'Helvetica Neue', Helvetica, sans-serif; color:
rgb(127, 127, 127);"><b class="">Subject:<span
class="Apple-converted-space"> </span></b></span><span
class="" style="font-family: -webkit-system-font,
'Helvetica Neue', Helvetica, sans-serif;"><b
class="">AC/DC spec review</b><br class="">
</span></div>
<div class="" style="margin: 0px;"><span class=""
style="font-family: -webkit-system-font,
'Helvetica Neue', Helvetica, sans-serif; color:
rgb(127, 127, 127);"><b class="">Date:<span
class="Apple-converted-space"> </span></b></span><span
class="" style="font-family: -webkit-system-font,
'Helvetica Neue', Helvetica, sans-serif;">June 12,
2015 at 7:36:02 PM GMT-3<br class="">
</span></div>
<div class="" style="margin: 0px;"><span class=""
style="font-family: -webkit-system-font,
'Helvetica Neue', Helvetica, sans-serif; color:
rgb(127, 127, 127);"><b class="">To:<span
class="Apple-converted-space"> </span></b></span><span
class="" style="font-family: -webkit-system-font,
'Helvetica Neue', Helvetica, sans-serif;">"<a
moz-do-not-send="true"
href="mailto:openid-specs-native-apps@lists.openid.net"
class="">openid-specs-native-apps@lists.openid.net</a>"
<<a moz-do-not-send="true"
href="mailto:openid-specs-native-apps@lists.openid.net"
class="">openid-specs-native-apps@lists.openid.net</a>><br
class="">
</span></div>
<br class="">
<br class="">
I read through the spec on the plane ride home and
have a few comments/questions.<br class="">
<br class="">
1. Section three mentions two ways to get an acdc code
value. The second is via the token endpoint and
involves an acdc scope. This scope value is not
described and I'm wondering how this works. Do I get
an acdc token via a refresh token grant with the acdc
scope? If so, that flow doesn't seem to be described
in the spec. Maybe it's planned to be added later?<br
class="">
<br class="">
</div>
</blockquote>
<div class="">I was thinking that you would be using the
refresh token grant and including an audience parameter
and an additional scope called acdc. This also needs to
accept code_challenge.</div>
<div class=""><br class="">
</div>
<div class="">Perhaps having a token type requested
parameter might be cleaner. I am looking for ideas.</div>
</div>
</div>
</div>
</div>
</blockquote>
I think this makes sense though to me it begs the question as to
whether the returned access_token also has the acdc scope or just
the refresh token. Meaning should the AS generate the access_token
with all the requested scopes except the acdc scope as that scope
really only applies to the refresh_token. This isn't really default
OAuth2 behavior, so it should be described.<br>
<br>
I agree that we also need to define what additional parameters are
required when using the refresh_token flow to get an acdc token.<br>
<br>
Note: we do something kind of similar with a "web_session" scope
that we use to bootstrap from an OAuth2 flow into a full web browser
based session seamlessly (device to browser SSO). I can send that
spec to this list if helpful.<br>
<blockquote
cite="mid:F3CE90EF-E0A2-430D-830F-2481347C15F5@ve7jtb.com"
type="cite">
<div>
<div class="">
<div class="" style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant: normal; font-weight:
normal; letter-spacing: normal; line-height: normal;
orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px;">
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">2. Once I have an acdc code token and I
present it to the token endpoint of AS2, are there any
additional parameters required? If there are no
changes to the standard OAuth2 code flow then I'd
recommend stating that and adding a non-normative
example.<br class="">
</div>
</blockquote>
<div class=""><br class="">
</div>
Should be no changes other than including the
code_verifier from PKCE<br class="">
</div>
</div>
</div>
</div>
</blockquote>
Ok, makes sense.<br>
<blockquote
cite="mid:F3CE90EF-E0A2-430D-830F-2481347C15F5@ve7jtb.com"
type="cite">
<div>
<div class="">
<div class="" style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant: normal; font-weight:
normal; letter-spacing: normal; line-height: normal;
orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px;">
<div class="">
<blockquote type="cite" class="">
<div class=""><br class="">
3. What is the expected behavior if at AS2 the "sub"
field of the acdc code token is not understood? Is
there any desire to do any sort of implicit user
binding?<br class="">
</div>
</blockquote>
<div class=""><br class="">
</div>
Implicit user binding? Are you asking if the downstream
AS should create the user?<br class="">
</div>
</div>
</div>
</div>
</blockquote>
Basically yes. I wrote an OAuth2 based "federation" spec for a
partner a few years ago. The basics are that the client talks to AS1
and gets in response an access_token that is a JWS. This JWS is
passed to an RS protected by AS2. The RS takes the access_token
and passes it to AS2 for validation. AS2 validates the signature on
the JWS and then looks at the "sub" value to see if the user is
already known at AS2. If the user is NOT known at AS2, then AS2
makes a request to AS1 requesting user information and from that
creates a user in AS2 and completes the flow.<br>
<br>
This may be outside the scope of ACDC but it seems like a flow that
will be very necessary in this context of "federation".<br>
<blockquote
cite="mid:F3CE90EF-E0A2-430D-830F-2481347C15F5@ve7jtb.com"
type="cite">
<div>
<div class="">
<div class="" style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant: normal; font-weight:
normal; letter-spacing: normal; line-height: normal;
orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px;">
<div class="">
<blockquote type="cite" class="">
<div class=""><br class="">
4. Is it possible (or intended) for the client to be
able to do a normal browser based authorization flow
including a scope of "acdc" and then later use the
refresh token flow to get the acdc code value?<br
class="">
</div>
</blockquote>
<div class=""><br class="">
</div>
So if AS2 gives the client a refresh token, should the
client be able to ask for an ACDC for another AS? I don’t
see a reason to exclude that if AS2 has a policy to allow
it.</div>
</div>
</div>
</div>
</blockquote>
Actually, I was thinking more about client goes to AS1 with a scope
of "openid email profile imap acdc" and gets back a refresh_token
and access_token for those scopes. The client can then use the
refresh_token flow to get an acdc code for AS2. Basically allowing
the client to combine the acdc scope with other scopes.<br>
<br>
However, the downstream chaining concept is good as well :)<br>
<blockquote
cite="mid:F3CE90EF-E0A2-430D-830F-2481347C15F5@ve7jtb.com"
type="cite">
<div>
<div class="">
<div class="" style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant: normal; font-weight:
normal; letter-spacing: normal; line-height: normal;
orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px;">
<div class=""><br class="">
<blockquote type="cite" class="">
<div class=""><br class="">
5. In a normal native client invocation using the code
flow, how is the server expected to get the "sid"
value to put into the acdc code token? Is that
intentionally left out of scope?<br class="">
</div>
</blockquote>
<div class=""><br class="">
</div>
The sid is created by the AS. Without some sort of TA on
the device or using a cookie/local storage, it would need
to prompt for a device ID. Failing that each app would
probably look like a separate session.<br class="">
</div>
</div>
</div>
</div>
</blockquote>
Ok, I was assuming the sid was the value from the device. So this is
a level of indirection such that the "sid" is defined by the AS and
can be anything which represents how the AS "identifies" that
device? Probably worth explaining that in the spec.<br>
<blockquote
cite="mid:F3CE90EF-E0A2-430D-830F-2481347C15F5@ve7jtb.com"
type="cite">
<div>
<div class="">
<div class="" style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant: normal; font-weight:
normal; letter-spacing: normal; line-height: normal;
orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px;">
<div class="">
<blockquote type="cite" class="">
<div class=""><br class="">
6. I'm assuming the returned acdc JWT is signed though
I don't see that specified in the spec.<br class="">
</div>
</blockquote>
<div class=""><br class="">
</div>
Yes, I will add it.<br class="">
<blockquote type="cite" class="">
<div class=""><br class="">
7. Is there any desire to support client 1 requesting
the acdc code token and passing it to client 2? If so,
how is the "azp" value set to the client ID of client
2? Given the PKCE requirement this isn't possible
unless client 1 passes the code_verifier to client 2.<br
class="">
</div>
</blockquote>
<div class=""><br class="">
</div>
I don’t think we should allow acdc without a pkce proof.
Doing this with plain bearer tokens could go quite wrong.</div>
</div>
</div>
</div>
</blockquote>
I agree that we should require pkce... Just thinking that this use
case of client1 being able to get an acdc code from AS1 that it will
pass to client2 and client2 will request the access_token via the
acdc code could be pretty common.<br class="">
<blockquote
cite="mid:F3CE90EF-E0A2-430D-830F-2481347C15F5@ve7jtb.com"
type="cite">
<div>
<div class="">
<div class="" style="font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant: normal; font-weight:
normal; letter-spacing: normal; line-height: normal;
orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows: auto;
word-spacing: 0px; -webkit-text-stroke-width: 0px;">
<div class="">
<blockquote type="cite" class="">
<div class=""><br class="">
8. Recommend adding non-normative examples :)<br
class="">
</div>
</blockquote>
<div class=""><br class="">
</div>
Right.<br class="">
<blockquote type="cite" class="">
<div class=""><br class="">
Thanks,<br class="">
George<br class="">
<br class="">
--<br class="">
George Fletcher<br class="">
Chief Architect, Identity Services<br class="">
AOL Inc.</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
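<br>
The following is an added example, not code from this thread or from the ACDC draft. It sketches in Python, using only the standard library, the checks the questions above touch on at AS2's token endpoint: verifying the signature on the acdc code token (item 6), matching the presented PKCE code_verifier against the challenge bound to the token (items 2 and 7), comparing "azp" with the presenting client so that a token obtained by client 1 cannot be redeemed by client 2 without the verifier (item 7), and surfacing the unknown "sub" case that the federation flow above would have to provision for (item 3). Assumptions, none of which the draft specifies: HS256 with a key shared between AS1 and AS2 stands in for the asymmetric signature a real deployment would use; the code_challenge is carried as a claim inside the token; all URLs, client IDs, user IDs and the key are constructed sample values.<br>
<br>
```python
# Added example (not from the thread or the ACDC draft). Stdlib only.
import base64
import hashlib
import hmac
import json
import secrets
import time

AS2_ISSUER_URL = "https://as2.example"   # constructed audience value for AS2
KNOWN_USERS_AT_AS2 = {"user-42"}         # constructed local user directory


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS and PKCE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- PKCE (RFC 7636), S256 method ----------------------------------------
def make_code_verifier() -> str:
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


# --- Minimal compact JWS; HS256 with a shared key stands in for an
# --- asymmetric algorithm (assumption for the example) ---------------------
def sign_acdc_token(claims: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_acdc_token(token: str, key: bytes, expected_aud: str, now: float) -> dict:
    """Signature, alg, audience and expiry checks; raises ValueError on failure."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # never accept "none" or a surprise alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


# --- AS2 token endpoint receiving an acdc code token ------------------------
def as2_token_endpoint(token: str, code_verifier: str, client_id: str,
                       key: bytes, now: float) -> dict:
    try:
        claims = verify_acdc_token(token, key, AS2_ISSUER_URL, now)
    except ValueError as err:
        return {"error": "invalid_grant", "reason": str(err)}
    # PKCE: the verifier presented now must hash to the challenge bound to the
    # token. (Assumption: the challenge travels as a claim in the token.)
    if not hmac.compare_digest(code_challenge_s256(code_verifier),
                               claims.get("code_challenge", "")):
        return {"error": "invalid_grant", "reason": "pkce_mismatch"}
    # azp binds the code to the client that requested it, so a second client
    # presenting it fails here unless it also holds the verifier (item 7).
    if claims.get("azp") != client_id:
        return {"error": "invalid_grant", "reason": "client_mismatch"}
    if claims.get("sub") not in KNOWN_USERS_AT_AS2:
        # The "implicit user binding" case (item 3): AS2 has no local user yet
        # and would have to provision one (e.g. from AS1 user info) first.
        return {"error": "unknown_subject", "iss": claims.get("iss"),
                "sub": claims.get("sub")}
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "sub": claims["sub"], "sid": claims.get("sid")}


def demo(now: float = 1_700_000_000.0) -> tuple:
    """Runs the happy path and three failure paths; returns the four responses."""
    key = b"constructed-shared-key-for-the-example"
    verifier = make_code_verifier()
    claims = {"iss": "https://as1.example", "aud": AS2_ISSUER_URL, "sub": "user-42",
              "azp": "client-1", "sid": "sess-abc", "exp": now + 300,
              "code_challenge": code_challenge_s256(verifier)}
    token = sign_acdc_token(claims, key)
    ok = as2_token_endpoint(token, verifier, "client-1", key, now)
    bad_pkce = as2_token_endpoint(token, make_code_verifier(), "client-1", key, now)
    other_client = as2_token_endpoint(token, verifier, "client-2", key, now)
    unknown = as2_token_endpoint(sign_acdc_token({**claims, "sub": "user-99"}, key),
                                 verifier, "client-1", key, now)
    return ok, bad_pkce, other_client, unknown


if __name__ == "__main__":
    for response in demo(time.time()):
        print(response)
```
<br>
The endpoint answers the unknown-"sub" case with a distinct result rather than silently creating the user, so the provisioning step (AS2 asking AS1 for user information) stays an explicit policy decision at AS2.<br>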
</body>
</html>