Re: [Ace] I-D Action: draft-ietf-ace-oauth-authz-27.txt
Ludwig Seitz <ludwig.seitz@ri.se> Wed, 27 November 2019 15:31 UTC
Return-Path: <ludwig.seitz@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56F521209BA for <ace@ietfa.amsl.com>; Wed, 27 Nov 2019 07:31:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=risecloud.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0k2jx8kDHWz7 for <ace@ietfa.amsl.com>; Wed, 27 Nov 2019 07:31:20 -0800 (PST)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80079.outbound.protection.outlook.com [40.107.8.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F38A21209B8 for <ace@ietf.org>; Wed, 27 Nov 2019 07:31:19 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=dm7RDs9HD0YhcbXwlsk5MRo+s9pUtBilK9x9AbQkKUkmyIiywqsJJVOFGKxOBnTjLXffeBOLuiGzTGv0vUtw8stzzaaDNJ3ISGQuBt3VaHpyj//IETnv0nbugxacXVnYanuM4uRenCStUsw9zS4Q2ZvpgXF2ifPjqp24zIWbHuPEW3b/+UzUHRuPLiwFSHbSxmfaq2F0ngBuvMqMxwG67R4KcMg8BXWcoNG6mLt4Y0pW3ye2cnHozo4iU5kFHWU+wZ6lhM9MdVZTC9Q8s5PJNkD1eHNd0mq5eBvW7FPCjkS44jF9SyWUr4I3rcJbvj7f+N0XGq2/fX9v7qykpLAkDw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pN7oBfu9LrnYBAbPB4nFmUpIs8uGTjgEkGUJEAafWtM=; b=lo5Ugx5JTxxYtNMZy1CeF28A+DBzePDR5iyjYry/XJnKtLKIeRiEWw8KQ5n05MaWMAhWNOgeqxyoZ5N2AC2NYOUCA5bsYIETQw7p/mhx7e3es1te7pXvzNzf+XBMEYlsklCF6j/bCpZPtgQ2h7CIJCNVU2rXHILtXyW+fovNBkjoTi8Qbj6GvbK7y3KmuqRMnZ9VDVPpbHrwBgc3/p7Ww0L1nBjWKJLWB7+w/Gj09j1q/H5KP7Dp9VQJRbl/3V2kynghFOGtsNMEpYemsh1m9RhdIge9CBrBzJX0B8K5/MIRTeSK8iGZSd4peachBZWHrxXDVcqvqP8TTcW+SmvlYA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ri.se; dmarc=pass action=none header.from=ri.se; dkim=pass header.d=ri.se; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=RISEcloud.onmicrosoft.com; s=selector1-RISEcloud-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pN7oBfu9LrnYBAbPB4nFmUpIs8uGTjgEkGUJEAafWtM=; b=Y/mnFb7GOP5NqTHSK8eqgCXwCc/YGY0z0HIOpGX/b+EW7+bcdmATj4OX9/YE2iUS7tOwAsPGjX6RNsXO+PCG/TxScQz6K4z0YoZPl+MBSBGvzUfOymh2rpxq1RCxd77d7X8IKg4J8dEwnrr+TlS3OaT1ty4VB0K8GJZY0Ca2/24=
Received: from VI1P18901MB0750.EURP189.PROD.OUTLOOK.COM (10.141.34.8) by VI1P18901MB0669.EURP189.PROD.OUTLOOK.COM (10.186.156.72) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2495.18; Wed, 27 Nov 2019 15:31:17 +0000
Received: from VI1P18901MB0750.EURP189.PROD.OUTLOOK.COM ([fe80::8da1:8674:901a:a0be]) by VI1P18901MB0750.EURP189.PROD.OUTLOOK.COM ([fe80::8da1:8674:901a:a0be%6]) with mapi id 15.20.2474.023; Wed, 27 Nov 2019 15:31:17 +0000
From: Ludwig Seitz <ludwig.seitz@ri.se>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] I-D Action: draft-ietf-ace-oauth-authz-27.txt
Thread-Index: AQHVoBElPUIGAYRh+0eeV2SOgOBnCaeU4xyAgAeVSoCAAqDw+w==
Date: Wed, 27 Nov 2019 15:31:16 +0000
Message-ID: <VI1P18901MB07504CE220A0DD65406EC35082440@VI1P18901MB0750.EURP189.PROD.OUTLOOK.COM>
References: <157430230677.769.6413870274615783065@ietfa.amsl.com> <b2ad5cc9-0caa-137d-79f0-2a9bfe1060e3@ri.se>, <20191125230411.GN32847@mit.edu>
In-Reply-To: <20191125230411.GN32847@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ludwig.seitz@ri.se;
x-originating-ip: [194.218.146.227]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 4b40ec58-9285-4ba7-392f-08d7734ed857
x-ms-traffictypediagnostic: VI1P18901MB0669:
x-microsoft-antispam-prvs: <VI1P18901MB0669B72F88846FE6F0D4C57B82440@VI1P18901MB0669.EURP189.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:5516;
x-forefront-prvs: 023495660C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(366004)(346002)(136003)(396003)(376002)(189003)(199004)(51444003)(53546011)(6506007)(8936002)(81156014)(81166006)(14454004)(91956017)(478600001)(76116006)(8676002)(4326008)(7696005)(33656002)(7736002)(6916009)(316002)(6116002)(6246003)(9686003)(66066001)(3846002)(305945005)(2171002)(26005)(6436002)(2906002)(102836004)(186003)(5660300002)(86362001)(25786009)(229853002)(44832011)(76176011)(64756008)(66556008)(66476007)(11346002)(71190400001)(446003)(71200400001)(14444005)(99286004)(66946007)(55016002)(74316002)(52536014)(256004)(66446008); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1P18901MB0669; H:VI1P18901MB0750.EURP189.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ri.se does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 2fX73fp3xLRL0IhH5LZKtzSzxWiFNuTzhFN7CGTZU7BcB4uH4zCp2rWx9gX8E6iELR4KF74GBPedq7f6dorM2BHBDpu6rsW/whg+5kTffscDj4MzXCq4DNGHcFamq6vVoGN5dicOi7TiNveHkHY4HW3zACRMcftkbOv/s6IO5gXRiwo+gRbcu8Fgzi8zsXJ2lmiPay1TmyK8pSvIAn3BseHWKuf9Ls5fHvgKHIRo/d6aAzh0wS3dVQTcgC2SZR/+DB2Eh+ftzLvece0rivKCe2EN6A82bXYHp7GZMxwlBQEs3fdCaZHmLm0pzkiY46hyEZDwQW0am+2GoVlwzRPE2Xep2LTTExhVWHevzvni88ID6UQbslQQNpfeZ4r5pL94JvG0+Mdaysdmpt8ZtA8uQLuoevfv1ZVRiExUZvbCcX3sY1Ss7YVFZvY0Ubp50FQP
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-Network-Message-Id: 4b40ec58-9285-4ba7-392f-08d7734ed857
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Nov 2019 15:31:16.9875 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: zAWMok3zYTGTStSdf6O00J7M/1WhjykkawRKMfJmNokxk33TYN5P0LKq7esCtXr/cRzHzUorcXGzTn3pfhrZEA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1P18901MB0669
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/WJ8xZH0KsEYCtskwP8tuv-xNCUE>
Subject: Re: [Ace] I-D Action: draft-ietf-ace-oauth-authz-27.txt
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2019 15:31:23 -0000
Hi Ben, replies inline. /Ludwig ________________________________________ From: Benjamin Kaduk <kaduk@mit.edu> Sent: Tuesday, November 26, 2019 12:04 AM To: Ludwig Seitz Cc: ace@ietf.org Subject: Re: [Ace] I-D Action: draft-ietf-ace-oauth-authz-27.txt Hi Ludwig, On Thu, Nov 21, 2019 at 03:16:03AM +0100, Ludwig Seitz wrote: > Hello ACE, > > turns out -26 didn't cover one of the items in Ben's review, namely the > question of using Client introspection to determine token expiration as > a lower bound for key expiration. Since the whole issue of Client > introspection was contentious between OAuth experts, we decided to > remove the text describing that option. This still leaves us with the > two other options, so the problem is still covered. Thanks for all the updates! I'm just about ready to push the "request Last Call" button, but wanted to check one thing first: Section 5.6.3 seems to limit the error responses to 4.00 and 4.01, but Section 5.8.2 also talks about 4.03 and 4.05. I noticed because I was checking Section 5.1.1's note about "unauthorized_client" error response against the various options in 5.8.2, to see if we're internally consistent about when we say to send errors vs. AS request creation hints. My recollection is that we can have all three of a response code, error response (e.g., "unauthorized_client"), and (our custom format of) response payload present in the same response, so any potential conflict would be limited to just the response code, but please correct me if I'm wrong about that. [LS] Section 5.6.3 describes the interaction with the token endpoint at the AS. There we mirrored the behaviour of OAuth error responses. Section 5.8.2 describes the interaction with the newly defined authz-info endpoint at the RS. We decided that this warranted more detailed error responses, so that a client gets some hint on what went wrong when an access token is rejected by the RS. This is why we have added the 4.03 and 4.05 messages. Section 5.1.1 describes an access request to a resource at the RS (other than the authz-info endpoint) and has yet another different error behaviour. For the token endpoint (5.6.3), the response code is part of the HTTP/CoAP header, while the "error" parameter (with values such as e.g. "unauthorized_client") is part of the payload in certain error responses (which may also contain "error_description" and "error_uri"), this is just mirroring behaviour of OAuth. For the authz-info endpoint (5.8.2) no such parameters are specified in the document (i.e. it just uses the response codes). Does this clarify the issue? Also, a few nits that could be treated as LC comments: There's a stray 'W' in Figure 7 In Section 6.8: s/obsole/obsolete/, and s/profile/ace_profile/ In Section 8.16 we removed the entire "Specifications are required for the standards track range of point assignment[...]" bullet point. I think that only the first two sentences of that bullet point were redundant with RFC 8126, and the last two ("Specifications are needed for the first-come, first-serve range if they are expected [...]") reflected new requirements. [LS] Does the " LC comments" part mean I should wait with updating the draft? /Ludwig
- [Ace] I-D Action: draft-ietf-ace-oauth-authz-27.t… internet-drafts
- Re: [Ace] I-D Action: draft-ietf-ace-oauth-authz-… Ludwig Seitz
- Re: [Ace] I-D Action: draft-ietf-ace-oauth-authz-… Benjamin Kaduk
- Re: [Ace] I-D Action: draft-ietf-ace-oauth-authz-… Ludwig Seitz
- Re: [Ace] I-D Action: draft-ietf-ace-oauth-authz-… Benjamin Kaduk