Re: [Ace] I-D Action: draft-ietf-ace-oauth-authz-27.txt
Benjamin Kaduk <kaduk@mit.edu> Fri, 29 November 2019 06:30 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD2EC120013 for <ace@ietfa.amsl.com>; Thu, 28 Nov 2019 22:30:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C72j_cxotZKc for <ace@ietfa.amsl.com>; Thu, 28 Nov 2019 22:30:05 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6A8812000F for <ace@ietf.org>; Thu, 28 Nov 2019 22:30:04 -0800 (PST)
Received: from mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id xAT6U0ju008214 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 29 Nov 2019 01:30:02 -0500
Date: Thu, 28 Nov 2019 22:29:59 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Ludwig Seitz <ludwig.seitz@ri.se>
Cc: "ace@ietf.org" <ace@ietf.org>
Message-ID: <20191129062959.GW32847@mit.edu>
References: <157430230677.769.6413870274615783065@ietfa.amsl.com> <b2ad5cc9-0caa-137d-79f0-2a9bfe1060e3@ri.se> <20191125230411.GN32847@mit.edu> <VI1P18901MB07504CE220A0DD65406EC35082440@VI1P18901MB0750.EURP189.PROD.OUTLOOK.COM>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <VI1P18901MB07504CE220A0DD65406EC35082440@VI1P18901MB0750.EURP189.PROD.OUTLOOK.COM>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/x4eng0kW3wX5gYoXikEh_nfNTHk>
Subject: Re: [Ace] I-D Action: draft-ietf-ace-oauth-authz-27.txt
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Nov 2019 06:30:07 -0000
On Wed, Nov 27, 2019 at 03:31:16PM +0000, Ludwig Seitz wrote: > Hi Ben, > > replies inline. > > /Ludwig > ________________________________________ > From: Benjamin Kaduk <kaduk@mit.edu> > Sent: Tuesday, November 26, 2019 12:04 AM > To: Ludwig Seitz > Cc: ace@ietf.org > Subject: Re: [Ace] I-D Action: draft-ietf-ace-oauth-authz-27.txt > > Hi Ludwig, > > On Thu, Nov 21, 2019 at 03:16:03AM +0100, Ludwig Seitz wrote: > > Hello ACE, > > > > turns out -26 didn't cover one of the items in Ben's review, namely the > > question of using Client introspection to determine token expiration as > > a lower bound for key expiration. Since the whole issue of Client > > introspection was contentious between OAuth experts, we decided to > > remove the text describing that option. This still leaves us with the > > two other options, so the problem is still covered. > > Thanks for all the updates! I'm just about ready to push the "request Last > Call" button, but wanted to check one thing first: > > Section 5.6.3 seems to limit the error responses to 4.00 and 4.01, but > Section 5.8.2 also talks about 4.03 and 4.05. I noticed because I was > checking Section 5.1.1's note about "unauthorized_client" error response against the > various options in 5.8.2, to see if we're internally consistent about when > we say to send errors vs. AS request creation hints. My recollection is > that we can have all three of a response code, error response (e.g., > "unauthorized_client"), and (our custom format of) response payload present > in the same response, so any potential conflict would be limited to just > the response code, but please correct me if I'm wrong about that. > > [LS] Section 5.6.3 describes the interaction with the token endpoint at the AS. There we mirrored the behaviour of OAuth error responses. > Section 5.8.2 describes the interaction with the newly defined authz-info endpoint at the RS. We decided that this warranted more detailed error responses, so that a client gets some hint on what went wrong when an access token is rejected by the RS. > This is why we have added the 4.03 and 4.05 messages. > Section 5.1.1 describes an access request to a resource at the RS (other than the authz-info endpoint) and has yet another different error behaviour. > For the token endpoint (5.6.3), the response code is part of the HTTP/CoAP header, while the "error" parameter (with values such as e.g. "unauthorized_client") is part of the payload in certain error responses (which may also contain "error_description" and "error_uri"), this is just mirroring behaviour of OAuth. > For the authz-info endpoint (5.8.2) no such parameters are specified in the document (i.e. it just uses the response codes). > Does this clarify the issue? It does; thanks for putting the pieces into the proper context for me. > Also, a few nits that could be treated as LC comments: > > There's a stray 'W' in Figure 7 > > In Section 6.8: s/obsole/obsolete/, and s/profile/ace_profile/ > > In Section 8.16 we removed the entire "Specifications are required for the > standards track range of point assignment[...]" bullet point. I think that > only the first two sentences of that bullet point were redundant with RFC > 8126, and the last two ("Specifications are needed for the first-come, > first-serve range if they are expected [...]") reflected new requirements. > > [LS] Does the " LC comments" part mean I should wait with updating the draft? It means you're free to wait, yes. (If you want to update anyway that's also fine.) -Ben
- [Ace] I-D Action: draft-ietf-ace-oauth-authz-27.t… internet-drafts
- Re: [Ace] I-D Action: draft-ietf-ace-oauth-authz-… Ludwig Seitz
- Re: [Ace] I-D Action: draft-ietf-ace-oauth-authz-… Benjamin Kaduk
- Re: [Ace] I-D Action: draft-ietf-ace-oauth-authz-… Ludwig Seitz
- Re: [Ace] I-D Action: draft-ietf-ace-oauth-authz-… Benjamin Kaduk