Re: [Ace] "default value" for authz-info endpoint
Seitz Ludwig <ludwig.seitz@combitech.se> Tue, 02 June 2020 10:09 UTC
Return-Path: <ludwig.seitz@combitech.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D7363A07B1 for <ace@ietfa.amsl.com>; Tue, 2 Jun 2020 03:09:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6cjQAgObiRAH for <ace@ietfa.amsl.com>; Tue, 2 Jun 2020 03:09:19 -0700 (PDT)
Received: from weald2.air.saab.se (weald2.air.saab.se [136.163.212.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A16AA3A07B9 for <ace@ietf.org>; Tue, 2 Jun 2020 03:09:17 -0700 (PDT)
Received: from mailhub2.air.saab.se ([136.163.213.5]) by weald2.air.saab.se (8.14.4/8.14.4) with ESMTP id 052A9EsC019798 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 2 Jun 2020 12:09:15 +0200
DKIM-Filter: OpenDKIM Filter v2.11.0 weald2.air.saab.se 052A9EsC019798
Received: from corpappl16256.corp.saab.se (corpappl16256.corp.saab.se [10.12.13.175]) by mailhub2.air.saab.se (8.13.8/8.13.8) with ESMTP id 052A8xRf019439 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 2 Jun 2020 12:08:59 +0200
Received: from corpappl16593.corp.saab.se (10.12.12.125) by corpappl16256.corp.saab.se (10.12.13.175) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1979.3; Tue, 2 Jun 2020 12:08:59 +0200
Received: from corpappl16593.corp.saab.se ([fe80::b4c9:ca69:a80d:fa3]) by corpappl16593.corp.saab.se ([fe80::b4c9:ca69:a80d:fa3%4]) with mapi id 15.01.1979.003; Tue, 2 Jun 2020 12:08:59 +0200
From: Seitz Ludwig <ludwig.seitz@combitech.se>
To: Tomas Gustavsson <tomas.gustavsson@primekey.com>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] "default value" for authz-info endpoint
Thread-Index: AQHWNtLNChFP5YTUaEKWMUOOhp3jGKjDd1DQgADaq4CAAFmXAIAAbYqQ
Date: Tue, 02 Jun 2020 10:08:58 +0000
Message-ID: <4e5ef6ea5509402c85b63a85ad619ffb@combitech.se>
References: <20200530223602.GF58497@kduck.mit.edu> <61220bcd9e72401a9d04c114a3fbf2cf@combitech.se> <20200601235843.GH58497@kduck.mit.edu> <cae014a0-6c42-52c6-b822-888654fed284@primekey.com>
In-Reply-To: <cae014a0-6c42-52c6-b822-888654fed284@primekey.com>
Accept-Language: en-SE, sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.12.13.211]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Saab-MailScanner-Information: Please contact the ISP for more information
X-Saab-MailScanner-ID: 052A8xRf019439
X-Saab-MailScanner: Found to be clean
X-Saab-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=-0.198, required 5, ALL_TRUSTED -1.00, KAM_ASCII_DIVIDERS 0.80, SURBL_BLOCKED 0.00, URIBL_BLOCKED 0.00)
X-Saab-MailScanner-From: ludwig.seitz@combitech.se
X-Saab-MailScanner-Watermark: 1591697340.32673@WjtVJpgiu6w2pF7QfUDb4g
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.6.2 (weald2.air.saab.se [136.163.212.4]); Tue, 02 Jun 2020 12:09:15 +0200 (CEST)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/zpujYixtIUD1jP7kDlsoa9k7D0E>
Subject: Re: [Ace] "default value" for authz-info endpoint
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jun 2020 10:09:22 -0000
Hi Tomas, Thank you for your comment. Some observations and questions: I have a hard time seeing a reasonable use case where a resource server (RS) would need several authz-info endpoints, one could however imagine a use case with a powerful server hosting several virtual resource servers (RS) under the same IP address and thus several different authz-info endpoints (one for each RS), but this does not sound like the typical Constrained Environment scenario to me. In order to better understand what this is about: If you have such a multi-tenant situation with a .well-known for a default configuration, how would clients discover the non-default configurations? Also if a RS were to use the default URI (which is <hostname>/authz-info), why would it need to announce this in a .well-known? I would assume that this is only necessary if a non-default URI is used. @ACE: This is far away from my area of expertise and at this point I cannot devote the necessary time to "read up" on this. Can someone help us find a good solution that that we can move draft-ietf-oauth-authz forward? /Ludwig -----Original Message----- From: Ace <ace-bounces@ietf.org> On Behalf Of Tomas Gustavsson Sent: den 2 juni 2020 07:19 To: ace@ietf.org Subject: Re: [Ace] "default value" for authz-info endpoint Hi, In most cases where I've been involved with implementing a single RFC defined .well-known URL for actually servicing all end points, it ends up being one .well-known for default configuration, and multiple other (not .well-known) URLs in order to handle other configurations in multi-tennant scenarios. I hope whatever .well-known scheme is selected will handle multi-tennancy, where thare can be differently configured service end points servicing from the same host/ip. I.e. can one host server multiple authz-info? (does that make sense?) Regards, Tomas On 2020-06-02 01:58, Benjamin Kaduk wrote: > Hi Ludwig, > > I'm confident that a well-known URI (or link relation) for discovery > of RS configuration/parameters would address the BCP 190 concerns. > What we need is an obvious path to not stomp on the server owner's > namespace, and whether we do that by letting the server tell us what > what path to use or by constraining ourself to a well-specified > cordoned-off corner reserved for our use is up to us. > > Thanks for all the ideas and follow-up discussion! > > -Ben > > On Mon, Jun 01, 2020 at 09:13:13AM +0000, Seitz Ludwig wrote: >> Hi Ben, >> >> I had a look at the well-known URI list at IANA and it seems that for vanilla OAuth 2.0 endpoints (authorization, token, introspect) there are no well-known URI:s either. What exists is an URI used by the authorization server to self-describe (including attributes giving the values of the endpoint's URIs). >> >> So my interpretation would be that instead of defining a well-known URI for authz-info, we need to define an attribute that a Resource Server can include in its well-known information to identify the authz-info endpoint URI it is exposing. >> >> @Carsten (or other core experts): Would it make sense to define a new attribute in the /.well-known/core format for Resource Servers using coap? >> >> /Ludwig >> >> >> -----Original Message----- >> From: Ace <ace-bounces@ietf.org> On Behalf Of Benjamin Kaduk >> Sent: den 31 maj 2020 00:36 >> To: ace@ietf.org >> Subject: [Ace] "default value" for authz-info endpoint >> >> Hi all, >> >> I was prompted by the discussion at the interim to look more closely >> at what we say about the "default name" for endpoint URIs, e.g., the >> authz-info endpoint. The last paragraph of >> https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-33#section-5.8 >> .1 >> says: >> >> The default name of this endpoint in an url-path is '/authz-info', >> however implementations are not required to use this name and can >> define their own instead. >> >> I've gotten advice from some URI experts that this doesn't give an easy/discoverable path (pun intended) to using a non-default value, which is problematic from the perspective of BCP 190 (and we should expect to get discussed at IESG evaluation time). This sort of issue goes away if we allocate a well-known URI for authz-info from https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml and have that be the default. In particular, that wouldn't actually stop any deployments from using /authz-info, but it does mean they'd have to knowingly "opt in" to doing so. >> >> What do people think? >> >> Thanks, >> >> Ben >> >> _______________________________________________ >> Ace mailing list >> Ace@ietf.org >> https://www.ietf.org/mailman/listinfo/ace > > _______________________________________________ > Ace mailing list > Ace@ietf.org > https://www.ietf.org/mailman/listinfo/ace > _______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace
- [Ace] "default value" for authz-info endpoint Benjamin Kaduk
- Re: [Ace] "default value" for authz-info endpoint Seitz Ludwig
- Re: [Ace] "default value" for authz-info endpoint Carsten Bormann
- Re: [Ace] "default value" for authz-info endpoint Jim Schaad
- Re: [Ace] "default value" for authz-info endpoint Benjamin Kaduk
- Re: [Ace] "default value" for authz-info endpoint Tomas Gustavsson
- Re: [Ace] "default value" for authz-info endpoint Seitz Ludwig