Good by me. On Thu, Jan 29, 2015 at 3:35 PM, John Bradley <ve7...@ve7jtb.com> wrote:
> > +--------+ +---------------+ > | |--(A)-- Authorization Request --->| | > | | + t(code_verifier), t | Authorization | > | | | Endpoint | > | |<-(B)---- Authorization Code -----| | > | | +---------------+ > | Client | Authz Server > | | +---------------+ > | |--(C)--- Access Token Request --->| | > | | + code_verifier | Token | > | | | Endpoint | > | |<-(D)------ Access Token ---------| | > +--------+ +---------------+ > > Figure 2: Abstract Protocol Flow > > > > > > Sakimura, et al. Expires August 2, 2015 [Page 4] > > Internet-Draft oauth_pkce January 2015 > > > This specification adds additional parameters to the OAuth 2.0 > Authorization and Access Token Requests, shown in abstract form in > Figure 1. > > A. The client creates and records a secret named the "code_verifier", > and derives a transformed version "t(code_verifier)" (referred to > as the "code_challenge") which is sent in the OAuth 2.0 > Authorization Request, along with the transformation method "t". > B. The Authorization Endpoint responds as usual, but records > "t(code_verifier)" and the transformation method. > C. The client then sends the code in the Access Token Request as > usual, but includes the "code_verifier" secret generated at (A). > D. The authorization server transforms "code_verifier" and compares > it to "t(code_verifier)" from (B). Access is denied if they are > not equal. > > > On Jan 29, 2015, at 7:16 PM, Brian Campbell <bcampb...@pingidentity.com> > wrote: > > Works for me. The text below needs to be fixed up to match too. > > On Thu, Jan 29, 2015 at 3:14 PM, John Bradley <ve7...@ve7jtb.com> wrote: > >> How about >> >> +--------+ +---------------+ >> | |--(A)-- Authorization Request --->| | >> | | + t(code_verifier), t | Authorization | >> | | | Endpoint | >> | |<-(B)- Authorization Code Grant --| | >> | | +---------------+ >> | Client | >> | | +---------------+ >> | |--(C)--- Access Token Request --->| | >> | | + code_verifier | Token | >> | | | Endpoint | >> | |<-(D)------ Access Token ---------| | >> +--------+ +--------------- >> >> >> >> On Jan 29, 2015, at 7:01 PM, Brian Campbell <bcampb...@pingidentity.com> >> wrote: >> >> In SPOP/PKCE §1.1 [1] the figure and explanation have the authorization >> request going to the "Resource Owner" and goes on to say that 'the resource >> owner responds as usual, but records "t(code_verifier)" and the >> transformation method.' That's not what the resource owner does. >> >> I know the protocol flow in RFC 6749 tries to have authorization grants >> be these abstract things that sorta come from the resource owner but, in >> the context of the the authorization request and authorization code grant >> type, it really doesn't work like that. The content in §1.1 seems, at best, >> to be more abstract and complicated than it needs to be and is bordering >> on being just kinda wrong. >> >> The RO and AS boxes should probably be consolidated into just the AS. The >> RO could be omitted from the diagram, I think. Or stick it over with the >> client, if you really want it in there, and have it authenticating and >> approving authorization though an interaction with the AS. Or something >> like that... >> >> >> >> [1] https://tools.ietf.org/html/draft-ietf-oauth-spop-06#section-1.1 >> >> 1.1 <https://tools.ietf.org/html/draft-ietf-oauth-spop-06#section-1.1>. >> Protocol Flow >> >> +--------+ +---------------+ >> | |--(A)-- Authorization Request --->| | >> | | + t(code_verifier), t | Resource | >> | | | Owner | >> | |<-(B)--- Authorization Grant -----| | >> | | +---------------+ >> | Client | >> | | +---------------+ >> | |--(C)--- Access Token Request --->| | >> | | + code_verifier | Authorization | >> | | | Server | >> | |<-(D)------ Access Token ---------| | >> +--------+ +---------------+ >> >> Figure 2: Abstract Protocol Flow >> >> >> This specification adds additional parameters to the OAuth 2.0 >> Authorization and Access Token Requests, shown in abstract form in >> Figure 1. >> >> A. The client creates and records a secret named the "code_verifier", >> and derives a transformed version "t(code_verifier)" (referred to >> as the "code_challenge") which is sent in the OAuth 2.0 >> Authorization Request, along with the transformation method "t". >> B. The resource owner responds as usual, but records >> "t(code_verifier)" and the transformation method. >> C. The client then sends the code to the Access Token Request as >> usual, but includes the "code_verifier" secret generated at (A). >> D. The authorization server transforms "code_verifier" and compares >> it to "t(code_verifier)" from (B). Access is denied if they are >> not equal. >> >> >> >> > >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth