Re: [Ace] [OAUTH-WG] Shepherd write-up for draft-ietf-oauth-resource-indicators-01

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Thu, 07 February 2019 15:15 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Ludwig Seitz <ludwig.seitz@ri.se>, "ace@ietf.org" <ace@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Date: Thu, 7 Feb 2019 15:15:03 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/_Vu_ZHLOlKGJdVuR1TYZtPO8cwQ>

Hi Ludwig,

> My interpretation of this is that "resource" refers to a single resource

No. Here is the text from token exchange (see last sentence):

   resource
      OPTIONAL.  Indicates the location of the target service or
      resource where the client intends to use the requested security
      token.  This enables the authorization server to apply policy as
      appropriate for the target, such as determining the type and
      content of the token to be issued or if and how the token is to be
      encrypted.  In many cases, a client will not have knowledge of the
      logical organization of the systems with which it interacts and
      will only know the location of the service where it intends to use
      the token.  The "resource" parameter allows the client to indicate
      to the authorization server where it intends to use the issued
      token by providing the location, typically as an https URL, in the
      token exchange request in the same form that will be used to
      access that resource.  The authorization server will typically
      have the capability to map from a resource URI value to an
      appropriate policy.  The value of the "resource" parameter MUST be
      an absolute URI, as specified by Section 4.3 of [RFC3986], which
      MAY include a query component and MUST NOT include a fragment
      component.  Multiple "resource" parameters may be used to indicate
      that the issued token is intended to be used at the multiple
      resources listed.

Ciao
Hannes


-----Original Message-----
From: OAuth <oauth-bounces@ietf.org> On Behalf Of Ludwig Seitz
Sent: Tuesday, 29 January 2019 08:56
To: ace@ietf.org; oauth@ietf.org
Subject: Re: [OAUTH-WG] [Ace] Shepherd write-up for draft-ietf-oauth-resource-indicators-01

On 28/01/2019 23:12, George Fletcher wrote:
> I also don't know that this raises to the level of "concern" but I
> find the parameter name of "req_aud" odd. Given that the parameter in
> the resource-indicators spec is 'resource' why not use a parameter
> name of 'audience'. That said, I have not read the thread on the ACE
> working group list so there could be very good reasons for the chosen
> name:)
>
> I do think that there is a lot of overlap (in most cases) between
> 'resource' and 'audience' and having two parameters that cover a lot
> of the same semantics is going to be confusing for developers. When
> calling an API at a resource server, the 'audience' and the 'resource'
> are pretty equivalent. Maybe in other use cases they are distinctly separate?
>

To give you all the background of "req_aud" from ACE (sorry for the long
text):

Originally in ACE we had defined the "aud" parameter for requests to the token endpoint with the semantics that the client was requesting a token for a certain audience (i.e. requesting that the AS copy the "aud" parameter value into the "aud" claim value of the token).
We were then told that this collided with a use of "aud" in OAuth, that specifies the intended audience of Authorization Servers (if I remember correctly), so we decided to rename our parameter to "req_aud" for "requested audience".
Mike Jones then made us aware of the work on resource indicators, but upon closer examination I found the "resource" parameter to be more limited than the "req_aud", since resource specifically states:

"Its value MUST be an absolute URI ... the "resource" parameter URI value is an identifier representing the identity of the resource"

My interpretation of this is that "resource" refers to a single resource, which is more constrained than the definition of the "aud" claim from 7519, which uses a StringOrURI value. For example, my intent was to use "aud" and "req_aud" for group identifiers ("temperatureSensorGroup4711") and other non-URI strings (hash-of-public-key), which I cannot do with "resource". We therefore decided to keep the "req_aud" parameter in draft-ietf-ace-oauth-params, even though it clearly overlaps with "resource".

Any comments and suggestions about that line of reasoning (especially from the OAuth point of view) are very welcome.

/Ludwig


--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
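An added illustration of the two parameter rules discussed above, written for this thread and not taken from any IETF draft or ACE implementation: an authorization server's token-endpoint check that applies the quoted token-exchange rules to every "resource" value (absolute URI, query allowed, fragment forbidden, parameter may repeat) next to the looser RFC 7519 StringOrURI rule for "req_aud". The request body, the "rs.example" host and the group name are constructed sample values; the scheme check is a prefix test per RFC 3986 section 3.1, not a full URI parser.

```python
import re
from urllib.parse import parse_qs

# scheme ":" prefix per RFC 3986 section 3.1; this is only the check the quoted
# text demands (absolute URI, optional query, no fragment), not a full URI parser.
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def is_valid_resource(value: str) -> bool:
    """'resource': absolute URI (RFC 3986 4.3), query allowed, fragment forbidden."""
    return bool(_SCHEME.match(value)) and "#" not in value


def is_valid_string_or_uri(value: str) -> bool:
    """RFC 7519 StringOrURI: any string, but one containing ':' MUST be a URI."""
    if ":" in value:
        return bool(_SCHEME.match(value))
    return True  # bare group names and key hashes are acceptable here


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded token request body."""
    return parse_qs(body, keep_blank_values=True)


def check_token_request(form: dict) -> dict:
    """Map each of 'resource' / 'req_aud' to the values the AS must reject.

    Both parameters may be repeated, so every occurrence is checked.
    """
    rules = (("resource", is_valid_resource), ("req_aud", is_valid_string_or_uri))
    rejected = {}
    for name, ok in rules:
        bad = [v for v in form.get(name, []) if not ok(v)]
        if bad:
            rejected[name] = bad
    return rejected


# Constructed sample request body (not from the thread): three "resource"
# values, of which only the first is acceptable, and three "req_aud" values,
# of which only the last (a colon without URI syntax) is not.
SAMPLE_BODY = (
    "grant_type=client_credentials"
    "&resource=https%3A%2F%2Frs.example%2Ftemp%3Fid%3D4"
    "&resource=https%3A%2F%2Frs.example%2Fhumidity%23frag"
    "&resource=temperatureSensorGroup4711"
    "&req_aud=temperatureSensorGroup4711"
    "&req_aud=coaps%3A%2F%2Frs.example%2Ftemp"
    "&req_aud=not+a+uri%3Abecause+spaces"
)

if __name__ == "__main__":
    print(check_token_request(parse_form(SAMPLE_BODY)))
```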
