IETF Logo Mail Archive

Re: [Ace] [OAUTH-WG] Shepherd write-up for draft-ietf-oauth-resource-indicators-01

George Fletcher <gffletch@aol.com> Tue, 29 January 2019 13:15 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3072130E78 for <ace@ietfa.amsl.com>; Tue, 29 Jan 2019 05:15:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XFzSkX0qBlXM for <ace@ietfa.amsl.com>; Tue, 29 Jan 2019 05:15:07 -0800 (PST)
Received: from sonic317-27.consmr.mail.bf2.yahoo.com (sonic317-27.consmr.mail.bf2.yahoo.com [74.6.129.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A825F12D4E8 for <ace@ietf.org>; Tue, 29 Jan 2019 05:15:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1548767706; bh=/GXDzE4L+riIHn7kpgGnDsn4DlQBaHSZ40+rY3eSyJI=; h=Subject:To:References:From:Date:In-Reply-To:From:Subject; b=Onee/SINUTlfwlrmiakK3vhymOf4/M4D5qWKJ1ZJfUvtdU6yEhqDqIwCB4HjkVWWLplzFyGMp0R2x2ZHI+sTzbgVz0fb7gIiT6nkWjJXce3wr6TD2/PuvbzcuIA98WUNrR/3buaIgc7zY+5qCW5Q+oa1QyTU/Bp58jQyylEA00b2WuP7Yw+nl3oqvx7jQxWKPj4IAiEtaqfTSLhd81dZw6Pk2/dBU5kgobWOMOGMWr7UEyvsiw4jApg9b+L2Y9l05LIWvVU7/e/yrFgYG03sO0Ct9nDH1JhaIrerPS0c8fDJDrOT7JFJBsehht7mjL0czF1R8oehOEAk0f4y+363YA==
X-YMail-OSG: _lIGNVkVM1k.iPROOvnnwrIEB4e_XbWGl1.I0T2sikUwsg5dTAo6pK1E0SHqKIV uwmcKlBB05sxspGqe1jhY4DD8ae10p7iiIXgutfD9T2084l8B2Xi1uuKMXlgTwIhOM8bXhQsviqo u5T6_t0K1nRhaDb6aJOWpfjtxEZ.95o8srooznoUA.7StBYClMhNTe.Dyr8Ao3.Mf9YUCZjHE68e 3JWyvTYcwYYwxzxZyexz8ghnrpYdwb1m5Pq.LiC5zlP8ZoCEccYz_1FIP7Qmn1K2BMoAjOyFIwp6 KRtNB3m7wmEwAsg6zAEexL8CsLp6zyxCTBFwEdq6PITwaJ02pCkiiSm2a_QO9rwuepjonqapCXXr TB8OEDrAA5727Twazdn4mHZ9sjeIpaKlVGwaB1CbffmGRlAk0iQCcK1BBFRN86OeJV_QJhYe4RWr L_Kt4mq.dp1dMi0RfLTUFmrMqj.visy7BE1RAORKPpJjaXE2J1sc.ryQeH0hseGp.6AsRPCCyhag iDbN_mgdAJGKHwFpcqwRRcNRZvDvRwDiKDGNdCb09x99ZGmhAc.XaI_4A4yS404U_NZArjEuyU.. 7C_WMykaYesM4Hn72x1ILdxMRCGQ67_B_6FqgcTGrRsCcqsEU.95dCXR.KBtiSAoKuCMwXWo7gCl frTTFnlF27nRKCdqvr_b5drltaesjI.4QDmi6JL29X8PSZfUGaeeExMxp9kObJEVOmAcvtfCstJb btTnOMvCULj88cVD1.BkKJdBv2DMrbzqyMBsiwqedk84OpSEbE7YJrNsGVMQt9GqAN0mKtw.UfX5 d4L1a38v70hSFLRM3iAzpuYiaH9pnmfKcRYq1px1IYyOu.NC0AbUNAV2MVJVwNix9zHLlH6xc.1M jkjI_uMr8XzfoBwx.1ax12mcBffJ7Udli6FejNc8DzjmGVy3L4LdO0HiudZ130ZjWsvUGysX6gQ9 .N8kDcbJ1LEY6YuixkmvZ.qvhVCLemzI7toUO_HrMZNO3oDCwfYavde6OcfsdDxiWyfKSoxG3hZk WlYteZyxVn8.z6X18paMCBjcui7jVQNT.zCCtNvKiguNfDWQ0eGoBBPfOOLh_iVI6vw--
Received: from sonic.gate.mail.ne1.yahoo.com by sonic317.consmr.mail.bf2.yahoo.com with HTTP; Tue, 29 Jan 2019 13:15:06 +0000
Received: from nat-vpn-users2.cfw-a-gci.net.buffalo.office.oath (EHLO [172.135.138.233]) ([184.165.8.97]) by smtp401.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 759dc410db180f06b2e23284340785dc; Tue, 29 Jan 2019 13:15:02 +0000 (UTC)
To: Ludwig Seitz <ludwig.seitz@ri.se>, ace@ietf.org, oauth@ietf.org
References: <CAGL6epKeGW195z2SJdcXU-MyVBwTBDnsvGeo7mNJvn8UkAWmnw@mail.gmail.com> <CAO_FVe6+2eexcqkreKnV43stoAsA8-+RMRZEK7_EhJk+OA7X_A@mail.gmail.com> <4eb4ea45-c3f2-7991-9544-612d055809ba@ve7jtb.com> <DM5PR00MB0293B214D198F4D9DBD08814F5990@DM5PR00MB0293.namprd00.prod.outlook.com> <CAO_FVe6CecdCxtJ78FcZ6pFJZwu6dudomjFgVeLr_cHNFbUZXQ@mail.gmail.com> <199fa6bd-8103-b1b3-12a3-08b5e3aad925@aol.com> <CAGL6epKismmWSnNcca41HWHEGhaJG7XhOULUwAz9jd5AemvuOg@mail.gmail.com> <BL0PR00MB02920F6A16D28D1652F21B2DF59A0@BL0PR00MB0292.namprd00.prod.outlook.com> <CAGL6epKjUJQNZdyHjrsJYvXE_p8QvjqxhcxXVnax2_VJ3qMO6g@mail.gmail.com> <CA+k3eCT-dU96D+_LdCtZGMA2TJij2Jzc=BgzCDkbkBGf=jKWnA@mail.gmail.com> <55a0362e-e588-bce5-f65f-856a1e21e88e@aol.com> <BL0PR00MB029262B150B2D8F3C3792302F5960@BL0PR00MB0292.namprd00.prod.outlook.com> <CA+k3eCT+ndfChx1-tqsxyqg8kX5Sc=BDw6UJyu2VQU3MDs1ssQ@mail.gmail.com> <65a8e83e-c72f-bbf5-77fd-ea8540b7ddc3@aol.com> <848e0ab3-f95f-2885-d24e-69925ed7ab1c@ri.se>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <a62553e1-0f04-4068-92fb-7be1fd086f80@aol.com>
Date: Tue, 29 Jan 2019 08:15:01 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <848e0ab3-f95f-2885-d24e-69925ed7ab1c@ri.se>
Content-Type: multipart/alternative; boundary="------------735FC6F53AF1B8CBF59CD64C"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/_0F0uaCyVPd0XPdYVaBY4nlTyTk>
Subject: Re: [Ace] [OAUTH-WG] Shepherd write-up for draft-ietf-oauth-resource-indicators-01
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jan 2019 13:15:10 -0000

Thank you so much for the background!

I believe that since the latest draft of the resource indicators spec 
[1] allows for abstract identifiers, and since a URN is also a URI, you 
could easily use a URN syntax to accomplish the use case outlined in 
your email.

resource=urn:x-mydevices:temperatureSensorGroup4711

The spec currently outlines examples where the "resource identifier" is 
not a "single resource" in the context of a fully qualified API endpoint.

    Another example, for an API like SCIM [RFC7644  <https://tools.ietf.org/html/rfc7644>] that has
        multiple endpoints such as "https://apps.example.com/scim/Users",
        "https://apps.example.com/scim/Groups", and
        "https://apps.example.com/scim/Schemas" The client would use
        "https://apps.example.com/scim/" as the resource so that the issued
        access token is valid for all the endpoints of the SCIM API.

Using "https://apps.example.com/scim" is semantically equivalent to 
using "temperatureSensorGroup4711", at least to me:)

Thanks,
George

[1] https://tools.ietf.org/html/draft-ietf-oauth-resource-indicators-02

On 1/29/19 2:56 AM, Ludwig Seitz wrote:
> On 28/01/2019 23:12, George Fletcher wrote:
>> I also don't know that this raises to the level of "concern" but I 
>> find the parameter name of "req_aud" odd. Given that the parameter in 
>> the resource-indicators spec is 'resource' why not use a parameter 
>> name of 'audience'. That said, I have not read the thread on the ACE 
>> working group list so there could be very good reasons for the chosen 
>> name:)
>>
>> I do think that there is a lot of overlap (in most cases) between 
>> 'resource' and 'audience' and having two parameters that cover a lot 
>> of the same semantics is going to be confusing for developers. When 
>> calling an API at a resource server, the 'audience' and the 
>> 'resource' are pretty equivalent. Maybe in other use cases they are 
>> distinctly separate?
>>
>
> To give you all the background of "req_aud" from ACE (sorry for the 
> long text):
>
> Originally in ACE we had defined the "aud" parameter for requests to 
> the token endpoint with the semantics that the client was requesting a 
> token for a certain audience (i.e. requesting that the AS copy the 
> "aud" parameter value into the "aud" claim value of the token).
> We were then told that this collided with a use of "aud" in OAuth, 
> that specifies the intended audience of Authorization Servers (if I 
> remember correctly), so we decided to rename our parameter to 
> "req_aud" for "requested audience".
> Mike Jones then made us aware of the work on resource indicators, but 
> upon closer examination I found the "resource" parameter to be more 
> limited than the "req_aud", since resource specifically states:
>
> "Its value MUST be an absolute URI ... the "resource" parameter URI 
> value is an identifier representing the identity of the resource"
>
> My interpretation of this is that "resource" refers to a single 
> resource, which is more constrained than the definition of the "aud" 
> claim from 7519, which uses a StringOrURI value.  For example my 
> intent was to use "aud" and "req_aud" for group identifiers 
> ("temperatureSensorGroup4711") and other non-uri strings 
> (hash-of-public-key), which I cannot do with "resource". We therefore 
> decided to keep the "req_aud" parameter in 
> draft-ietf-ace-oauth-params, even though is clearly overlaps with 
> "resource".
>
> Any comments and suggestions about that line of reasoning (especially 
> from the OAuth point of view) are very welcome.
>
> /Ludwig
>
>

-- 
Identity Standards Architect
Verizon Media                     Work: george.fletcher@oath.com
Mobile: +1-703-462-3494           Twitter: http://twitter.com/gffletch
Office: +1-703-265-2544           Photos: http://georgefletcher.photography

v2.23.0 | Report a Bug | By Email