Re: [Ace] "default value" for authz-info endpoint
Tomas Gustavsson <tomas.gustavsson@primekey.com> Tue, 02 June 2020 05:19 UTC
Return-Path: <tomas.gustavsson@primekey.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1E013A07AA for <ace@ietfa.amsl.com>; Mon, 1 Jun 2020 22:19:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=primekey.com header.b=FomQBA/W; dkim=pass (1024-bit key) header.d=primekey.com header.b=FomQBA/W
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jj-fnIxa_T1r for <ace@ietfa.amsl.com>; Mon, 1 Jun 2020 22:19:26 -0700 (PDT)
Received: from mail.primekey.com (mail.primekey.com [84.55.121.163]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD9963A07A9 for <ace@ietf.org>; Mon, 1 Jun 2020 22:19:24 -0700 (PDT)
Received: from mail.primekey.com (localhost [127.0.0.1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.primekey.com (Postfix) with ESMTPS id 303FE6AA0098 for <ace@ietf.org>; Tue, 2 Jun 2020 07:19:06 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=primekey.com; s=mail; t=1591075146; bh=OKvjW3BkiklLpvqpyblE5ihpx6kW064U1G/+RkaHskg=; h=Subject:To:References:From:Date:In-Reply-To:From; b=FomQBA/WnzXiGdbDLCffx7Bgt9dd1452WRToHh2Cy1LayfAb1OV9chtSY0Czs09v2 suXpMmihOu3sSujDzH+nV8Va+8+P05jGEIxj8YtUplISmQWZ2P3gNh+VHJpyVHivRk bv98L8bBuLMMIAVCdf/asT1gNZkv6ph6i2WRFiJk=
Received: from [192.168.1.113] (unknown [85.24.187.100]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.primekey.com (Postfix) with ESMTPSA id 01A176AA0093 for <ace@ietf.org>; Tue, 2 Jun 2020 07:19:05 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=primekey.com; s=mail; t=1591075146; bh=OKvjW3BkiklLpvqpyblE5ihpx6kW064U1G/+RkaHskg=; h=Subject:To:References:From:Date:In-Reply-To:From; b=FomQBA/WnzXiGdbDLCffx7Bgt9dd1452WRToHh2Cy1LayfAb1OV9chtSY0Czs09v2 suXpMmihOu3sSujDzH+nV8Va+8+P05jGEIxj8YtUplISmQWZ2P3gNh+VHJpyVHivRk bv98L8bBuLMMIAVCdf/asT1gNZkv6ph6i2WRFiJk=
To: ace@ietf.org
References: <20200530223602.GF58497@kduck.mit.edu> <61220bcd9e72401a9d04c114a3fbf2cf@combitech.se> <20200601235843.GH58497@kduck.mit.edu>
From: Tomas Gustavsson <tomas.gustavsson@primekey.com>
Autocrypt: addr=tomas.gustavsson@primekey.com; prefer-encrypt=mutual; keydata= xsBNBEyuwwYBCAD31Jsxn1lf7rnFc7y3Ol+TE7pU7ohO78kMdoVrZdAMnU9W0P33GedbU+kF 8/RFq7HlXV8a91RkgtdcMAK8tSdtBKDGZCOJZm5qOZ/EHikY8k/7s1wgSQSF4hYSG/IABCCA W139joDFl4L3buWyk2lsYX1HDBpuXGDL5HFyu165T0ZVlt23T04xmAwpIHUViKUWw1QYnlRz s66Desn2WeP+X8/QlqF1zOTUXbgrThB1X/Oh2+wzP08HVoTQCzlrEMeb9x2k+oa8PtVdnflh nZKBtyyBkZxRoHG3tNKcaf7JLoadSXcSKSKvfApcsxpP2JpkQgIhLi3JWik/Z+RR2WD1ABEB AAHNMFRvbWFzIEd1c3RhdnNzb24gPHRvbWFzLmd1c3RhdnNzb25AcHJpbWVrZXkuY29tPsLA dwQTAQgAIQUCWX8yTAIbIwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRBibcSbAEP+QGAU CAC82dn8XCQ8Ei7gxQAdRSc2imaP/388i/ObDMYhNhg5j4gXs3tkfxuCvhwkzskUFgOtmaEy uz/gIiVjQIsjQrHh5tl9M0q2tqbDHJpWfE6/SkXPUmTqQ0VGyq1MmZ3/zg2jSoll74qBSfdH V7sWugRXeCBxfaPeYo8DdPCGi27yrdL8zb3xkJ3BxPcDGNdkLm+Yza+qAOrssCD7MSLN+6Sd ML5Xcmw6pgRPlQ0aCsM7scrwgBNb7KrwxaqBxqwcuqF0NMgNjeiEHi2Oj3HOZdYU4Blk2GFq 9zHuCzTWumgNOlfksZ9K3ZMJBn6KLPot5bVXIKdnHwWRzoKMDxkSZjM5zsBNBEyuwwYBCADZ 98eCFQ64zKo1OKkUgEJHO1JdsiqRO1znu6KyaTcd2vXfOCGkFFVBL+vjzzyyYV7Sg1/AaG4r l9TKJCwvx8mUmTJkKQspTfOj6AY33bmfMB/8LBYj2BjtxXyMucPjNTJqbL2r1HeGPV2nwyof MAyo2qcYuiLs20Ob7U8vooOV3GDDKEkXtJYZzTEU6qabGsepGIvMu770OZwvm4akQiCGe5sQ 4+/UH1pMZQNi+/fGbONFx+TUVMM8EkXD6dQ5WoL+xPabPjqiUmR7EBvg0uocr70Ag93tWk1d 4RgFcicjwMFcPg4TZ8Y/3Y7Nmbyo14+4SMNfNPFLgQMawL+cLLkdABEBAAHCwF8EGAECAAkC GwwFAlYXhXUACgkQYm3EmwBD/kA2igf/QNpPe7sLt3KdRD3x4cStxGjLCWyj7x1YLVnV4Nnu TvaNhC+KHx3uG39y1x3PJQwslpeSQ6JipOUmxeQjjGJGQZLV41L1PCJVhCL98Dinr6dJkYB7 cAVhfmW8PI51jiANExLZu8U5gnthj5CGv4428ODQgSoRI0demG3HmVCNrKdap+orhT8zRkq8 DuHTO01U7PKsfvQ2k8AqSAC/JjMOs1mpFe032IApXxlZkE+33Q3dE5BiJmICYg8hsRXvpKTm ZMCdNZJUQLq+XNpg6RtAPQIPMmCepXrE9M/KuH+jFS2G5+Hx5VBSM644E1G2i+HOPCVdHjof iaNi3V/ItEG3jw==
Message-ID: <cae014a0-6c42-52c6-b822-888654fed284@primekey.com>
Date: Tue, 02 Jun 2020 07:19:22 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0
MIME-Version: 1.0
In-Reply-To: <20200601235843.GH58497@kduck.mit.edu>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/xmN9IECiMIB2ZM6yw-JJRrheA0Y>
Subject: Re: [Ace] "default value" for authz-info endpoint
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jun 2020 05:19:29 -0000
Hi, In most cases where I've been involved with implementing a single RFC defined .well-known URL for actually servicing all end points, it ends up being one .well-known for default configuration, and multiple other (not .well-known) URLs in order to handle other configurations in multi-tennant scenarios. I hope whatever .well-known scheme is selected will handle multi-tennancy, where thare can be differently configured service end points servicing from the same host/ip. I.e. can one host server multiple authz-info? (does that make sense?) Regards, Tomas On 2020-06-02 01:58, Benjamin Kaduk wrote: > Hi Ludwig, > > I'm confident that a well-known URI (or link relation) for discovery of RS > configuration/parameters would address the BCP 190 concerns. What we need > is an obvious path to not stomp on the server owner's namespace, and > whether we do that by letting the server tell us what what path to use or > by constraining ourself to a well-specified cordoned-off corner reserved > for our use is up to us. > > Thanks for all the ideas and follow-up discussion! > > -Ben > > On Mon, Jun 01, 2020 at 09:13:13AM +0000, Seitz Ludwig wrote: >> Hi Ben, >> >> I had a look at the well-known URI list at IANA and it seems that for vanilla OAuth 2.0 endpoints (authorization, token, introspect) there are no well-known URI:s either. What exists is an URI used by the authorization server to self-describe (including attributes giving the values of the endpoint's URIs). >> >> So my interpretation would be that instead of defining a well-known URI for authz-info, we need to define an attribute that a Resource Server can include in its well-known information to identify the authz-info endpoint URI it is exposing. >> >> @Carsten (or other core experts): Would it make sense to define a new attribute in the /.well-known/core format for Resource Servers using coap? >> >> /Ludwig >> >> >> -----Original Message----- >> From: Ace <ace-bounces@ietf.org> On Behalf Of Benjamin Kaduk >> Sent: den 31 maj 2020 00:36 >> To: ace@ietf.org >> Subject: [Ace] "default value" for authz-info endpoint >> >> Hi all, >> >> I was prompted by the discussion at the interim to look more closely at what we say about the "default name" for endpoint URIs, e.g., the authz-info endpoint. The last paragraph of >> https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-33#section-5.8.1 >> says: >> >> The default name of this endpoint in an url-path is '/authz-info', >> however implementations are not required to use this name and can >> define their own instead. >> >> I've gotten advice from some URI experts that this doesn't give an easy/discoverable path (pun intended) to using a non-default value, which is problematic from the perspective of BCP 190 (and we should expect to get discussed at IESG evaluation time). This sort of issue goes away if we allocate a well-known URI for authz-info from https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml and have that be the default. In particular, that wouldn't actually stop any deployments from using /authz-info, but it does mean they'd have to knowingly "opt in" to doing so. >> >> What do people think? >> >> Thanks, >> >> Ben >> >> _______________________________________________ >> Ace mailing list >> Ace@ietf.org >> https://www.ietf.org/mailman/listinfo/ace > > _______________________________________________ > Ace mailing list > Ace@ietf.org > https://www.ietf.org/mailman/listinfo/ace >
- [Ace] "default value" for authz-info endpoint Benjamin Kaduk
- Re: [Ace] "default value" for authz-info endpoint Seitz Ludwig
- Re: [Ace] "default value" for authz-info endpoint Carsten Bormann
- Re: [Ace] "default value" for authz-info endpoint Jim Schaad
- Re: [Ace] "default value" for authz-info endpoint Benjamin Kaduk
- Re: [Ace] "default value" for authz-info endpoint Tomas Gustavsson
- Re: [Ace] "default value" for authz-info endpoint Seitz Ludwig