[Ace] comment on draft-ietf-ace-oauth-authz-26
Daniel Migault <daniel.migault@ericsson.com> Thu, 21 November 2019 02:29 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B05D1208AA for <ace@ietfa.amsl.com>; Wed, 20 Nov 2019 18:29:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.405
X-Spam-Level:
X-Spam-Status: No, score=-1.405 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.244, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lok0fROy-Nwp for <ace@ietfa.amsl.com>; Wed, 20 Nov 2019 18:29:17 -0800 (PST)
Received: from mail-vs1-f43.google.com (mail-vs1-f43.google.com [209.85.217.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05158120077 for <ace@ietf.org>; Wed, 20 Nov 2019 18:29:17 -0800 (PST)
Received: by mail-vs1-f43.google.com with SMTP id b16so1184584vso.10 for <ace@ietf.org>; Wed, 20 Nov 2019 18:29:16 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=6TB9hJqEtcV8+zj98I3xuiZFYIcyb0K0VmP92mqZV8Y=; b=IGNMzHUJa/3QwxR14j5/jRFytb/sgmC1IfrvvONRhwtM58hHHUKjjfZX5r1tjPjv0g rckIYrN71IcuZPlixszF2VxCs1w2T9xbQivprItoEexKneqBi1VZwm7fYUt0E2Flh54E GeHOxrmqigFTMZ1IyVw3+EGknsI4a+7gCG22Dpczh3MUClAgTkyX6n8QAf7ZP6x9CvS0 Vca0OaDZZzUtvCA15/9FOeJw050O0RZe1nn71PDDQkIXWcmuxh5lE1rMAoYOMhaNM8Nt WFqxja3DqDhePY9AgVdzrZ7oSTDeAQ8SXBexCIjHW+5RRHzpb6qktKlrVnWRxRwKULRz vt2A==
X-Gm-Message-State: APjAAAURI++60U1AWjGMCeVBRGkp5XYbgWAIjxxNpNKry/DMu4czInuO fkDapCrhylajAC+pTpXQdTvu1Q07dXq+F4UK2yd9ng==
X-Google-Smtp-Source: APXvYqy+TuWUC94S5Sj8iabx/7A6Jr6ScdGYekRz6MM/6NQbHaQcPC+fU/PjU1vZBh/96TSYEDVwG27a0x6C1G6rZ/k=
X-Received: by 2002:a67:ef84:: with SMTP id r4mr4082387vsp.31.1574303355751; Wed, 20 Nov 2019 18:29:15 -0800 (PST)
MIME-Version: 1.0
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Thu, 21 Nov 2019 10:29:04 +0800
Message-ID: <CADZyTkkUsfeXcMo3pgZH47P2zWVdearXO4SLjvLOmDcGC4TptA@mail.gmail.com>
To: Ace Wg <ace@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000049d3a20597d210ce"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/YW5J5r7pUYwuP9U7d2IYDzf-dZ8>
Subject: [Ace] comment on draft-ietf-ace-oauth-authz-26
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Nov 2019 02:29:18 -0000
Hi,
This only concerns potential clarification of the text.
While reviewing mqtt-profile draft I raised an issue regarding the
reference for Oauth [RFC6749] while the remaining of the document
references draft-ietf-ace-oauth-authz [1]. My reading of
draft-ietf-ace-oauth-authz section 5.6.3
<https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-26#section-5.6.3>. was
the same of the one of mqtt-profile coauthors, that is error mandates the
use of CBOR. Discussing this with others it seems a mis interpretation of
draft-ietf-ace-oauth-authz section 5.6.3
<https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-26#section-5.6.3>
[2].
I believe that is nice this is a mis-interpretation, but I would recommend
that the text makes it more explicit the use of JSON is permitted. This
seems to me a request to clarify the text.
Yours,
Daniel
[1]
"""
In the case of an error, the AS returns error responses for HTTP-
based interactions as ASCII codes in JSON content, as defined in
Section 5.2 of RFC 6749
<https://tools.ietf.org/html/rfc6749#section-5.2> [RFC6749
<https://tools.ietf.org/html/rfc6749>].
"""
[2]
"""
5.6.3 <https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-26#section-5.6.3>.
Error Response
The error responses for CoAP-based interactions with the AS are
generally equivalent to the ones for HTTP-based interactions as
defined in Section 5.2 of [RFC6749]
<https://tools.ietf.org/html/rfc6749#section-5.2>, with the following
exceptions:
o When using CBOR the raw payload before being processed by the
communication security protocol MUST be encoded as a CBOR map.
o A response code equivalent to the CoAP code 4.00 (Bad Request)
MUST be used for all error responses, except for invalid_client
where a response code equivalent to the CoAP code 4.01
(Unauthorized) MAY be used under the same conditions as specified
in Section 5.2 of [RFC6749]
<https://tools.ietf.org/html/rfc6749#section-5.2>.
o The Content-Format (for CoAP-based interactions) or media type
(for HTTP-based interactions) "application/ace+cbor" MUST be used
for the error response.
o The parameters "error", "error_description" and "error_uri" MUST
be abbreviated using the codes specified in Figure 12, when a CBOR
encoding is used.
o The error code (i.e., value of the "error" parameter) MUST be
abbreviated as specified in Figure 10, when a CBOR encoding is
used. /------------------------+-------------\
| Name | CBOR Values |
|------------------------+-------------|
| invalid_request | 1 |
| invalid_client | 2 |
| invalid_grant | 3 |
| unauthorized_client | 4 |
| unsupported_grant_type | 5 |
| invalid_scope | 6 |
| unsupported_pop_key | 7 |
| incompatible_profiles | 8 |
\------------------------+-------------/
Figure 10: CBOR abbreviations for common error codes
In addition to the error responses defined in OAuth 2.0, the
following behavior MUST be implemented by the AS:
o If the client submits an asymmetric key in the token request that
the RS cannot process, the AS MUST reject that request with a
response code equivalent to the CoAP code 4.00 (Bad Request)
including the error code "unsupported_pop_key" defined in
Figure 10.
o If the client and the RS it has requested an access token for do
not share a common profile, the AS MUST reject that request with a
response code equivalent to the CoAP code 4.00 (Bad Request)
including the error code "incompatible_profiles" defined in
Figure 10.
"""
- [Ace] comment on draft-ietf-ace-oauth-authz-26 Daniel Migault
- Re: [Ace] comment on draft-ietf-ace-oauth-authz-26 Ludwig Seitz
- Re: [Ace] comment on draft-ietf-ace-oauth-authz-26 Daniel Migault
- Re: [Ace] comment on draft-ietf-ace-oauth-authz-26 Cigdem Sengul
- Re: [Ace] comment on draft-ietf-ace-oauth-authz-26 Daniel Migault
- Re: [Ace] comment on draft-ietf-ace-oauth-authz-26 Jim Schaad
- Re: [Ace] comment on draft-ietf-ace-oauth-authz-26 Daniel Migault
- Re: [Ace] comment on draft-ietf-ace-oauth-authz-26 Ludwig Seitz
- Re: [Ace] comment on draft-ietf-ace-oauth-authz-26 Cigdem Sengul
- Re: [Ace] comment on draft-ietf-ace-oauth-authz-26 Daniel Migault