IETF Logo Mail Archive

Re: [Ace] "default value" for authz-info endpoint

Carsten Bormann <cabo@tzi.org> Mon, 01 June 2020 14:51 UTC

Return-Path: <cabo@tzi.org>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9965D3A1100 for <ace@ietfa.amsl.com>; Mon, 1 Jun 2020 07:51:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H_R7RI3zO5wc for <ace@ietfa.amsl.com>; Mon, 1 Jun 2020 07:51:37 -0700 (PDT)
Received: from gabriel-vm-2.zfn.uni-bremen.de (gabriel-vm-2.zfn.uni-bremen.de [134.102.50.17]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D346D3A1087 for <ace@ietf.org>; Mon, 1 Jun 2020 07:51:36 -0700 (PDT)
Received: from [172.16.42.112] (p5089ae91.dip0.t-ipconnect.de [80.137.174.145]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by gabriel-vm-2.zfn.uni-bremen.de (Postfix) with ESMTPSA id 49bJ5z1M6SzyrK; Mon, 1 Jun 2020 16:51:35 +0200 (CEST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <61220bcd9e72401a9d04c114a3fbf2cf@combitech.se>
Date: Mon, 01 Jun 2020 16:51:34 +0200
Cc: Benjamin Kaduk <kaduk@mit.edu>, "ace@ietf.org" <ace@ietf.org>
X-Mao-Original-Outgoing-Id: 612715894.660501-e63f8ca32b4260cab695c2c01911c400
Content-Transfer-Encoding: quoted-printable
Message-Id: <5A5225C1-412A-4C95-8980-A73125D9025B@tzi.org>
References: <20200530223602.GF58497@kduck.mit.edu> <61220bcd9e72401a9d04c114a3fbf2cf@combitech.se>
To: Seitz Ludwig <ludwig.seitz@combitech.se>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/TklEScc_8XgA2o3ju6iPwkc0VZU>
Subject: Re: [Ace] "default value" for authz-info endpoint
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Jun 2020 14:51:41 -0000

On 2020-06-01, at 11:13, Seitz Ludwig <ludwig.seitz@combitech.se> wrote:
> 
> Hi Ben,
> 
> I had a look at the well-known URI list at IANA and it seems that for vanilla OAuth 2.0 endpoints (authorization, token, introspect) there are no well-known URI:s either. What exists is an URI used by the authorization server to self-describe (including attributes giving the values of the endpoint's URIs).
> 
> So my interpretation would be that instead of defining a well-known URI for authz-info, we need to define an attribute that a Resource Server can include in its well-known information to identify the authz-info endpoint URI it is exposing. 
> 
> @Carsten (or other core experts): Would it make sense to define a new attribute in the /.well-known/core format for Resource Servers using coap?

It would probably not be an attribute but a link relation and/or a resource type.

I would expect the authz-info resource would usually be the same for an entire server?
This might argue for the “hosts” link relationship and an rt= registration.

Registry:
Resource Type (rt=) Link Target Attribute Values
in
Constrained RESTful Environments (CoRE) Parameters

If the authz-info is often different for each resource, a link from the resource to the authz-info with an appropriate link relation would work best.

Registry:
Link Relations

Grüße, Carsten


> 
> /Ludwig
> 
> 
> -----Original Message-----
> From: Ace <ace-bounces@ietf.org> On Behalf Of Benjamin Kaduk
> Sent: den 31 maj 2020 00:36
> To: ace@ietf.org
> Subject: [Ace] "default value" for authz-info endpoint
> 
> Hi all,
> 
> I was prompted by the discussion at the interim to look more closely at what we say about the "default name" for endpoint URIs, e.g., the authz-info endpoint.  The last paragraph of
> https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-33#section-5.8.1
> says:
> 
>   The default name of this endpoint in an url-path is '/authz-info',
>   however implementations are not required to use this name and can
>   define their own instead.
> 
> I've gotten advice from some URI experts that this doesn't give an easy/discoverable path (pun intended) to using a non-default value, which is problematic from the perspective of BCP 190 (and we should expect to get discussed at IESG evaluation time).  This sort of issue goes away if we allocate a well-known URI for authz-info from https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml and have that be the default.  In particular, that wouldn't actually stop any deployments from using /authz-info, but it does mean they'd have to knowingly "opt in" to doing so.
> 
> What do people think?
> 
> Thanks,
> 
> Ben
> 
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
> 
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace

v2.23.0 | Report a Bug | By Email