IETF Logo Mail Archive

Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-reg-09 - token_endpoint_auth_method

John Bradley <ve7jtb@ve7jtb.com> Thu, 25 April 2013 11:57 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B36B21F95EB for <oauth@ietfa.amsl.com>; Thu, 25 Apr 2013 04:57:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.382
X-Spam-Level:
X-Spam-Status: No, score=-2.382 tagged_above=-999 required=5 tests=[AWL=0.216, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3TnLF+UfJlcT for <oauth@ietfa.amsl.com>; Thu, 25 Apr 2013 04:57:38 -0700 (PDT)
Received: from mail-ie0-x236.google.com (mail-ie0-x236.google.com [IPv6:2607:f8b0:4001:c03::236]) by ietfa.amsl.com (Postfix) with ESMTP id 2FE8121F9590 for <oauth@ietf.org>; Thu, 25 Apr 2013 04:57:38 -0700 (PDT)
Received: by mail-ie0-f182.google.com with SMTP id bn7so3454693ieb.27 for <oauth@ietf.org>; Thu, 25 Apr 2013 04:57:37 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:content-type:mime-version:subject:from:in-reply-to:date :cc:message-id:references:to:x-mailer:x-gm-message-state; bh=awKnvsH31SfS/hSTMacaQHVJTxeDSQc6UWGiFgx0NKQ=; b=PxMI/6uHCq8XfGgKg20nZO3DTRfqdVhWWES3GK2Q1+O71pbnPDmBAvY8DOCFyA+iz3 faMxzeGETYI7F1HcWIVPK4p2mcpWRd6I2f9pRZkX5OUeEFb9HmlDhfw5+KObIz7uMEIV AqHq4ifXSHSHDXHtJTaRorEURNqtYoDu7c/1q4RsHXy0fOxYm69JrrBlQzKxZHM5KZEm u/tYmJh5oXJhxmHMD1V7S7kXyUnsPwYLWVtFLfFTqmDHZiU8jhXjGmMFNnhXcVetM7fU RN+uL7dwMIUX1pHL6EhfBke8LJEK6ucdzJTrnMqCqycDIekIQIZsb6Tj64rnHU8cqV37 kmdA==
X-Received: by 10.50.130.3 with SMTP id oa3mr25496686igb.76.1366891057587; Thu, 25 Apr 2013 04:57:37 -0700 (PDT)
Received: from [192.168.1.39] (190-20-16-122.baf.movistar.cl. [190.20.16.122]) by mx.google.com with ESMTPSA id dy5sm12422852igc.1.2013.04.25.04.57.28 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 25 Apr 2013 04:57:36 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_1C25A3B5-4171-4219-AC76-82DCB14CF2F6"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <E670140C-68DA-4F42-BF98-EB9C22F86B68@oracle.com>
Date: Thu, 25 Apr 2013 08:57:07 -0300
Message-Id: <8DE15911-C16A-4581-914D-3F2B5735AE59@ve7jtb.com>
References: <53250C00-9D1C-4E81-9AD6-E12241B875D9@oracle.com> <5178498B.3050406@mitre.org> <0E96125F-CFEC-4157-8A1E-3CFCA1C4D79F@oracle.com> <0C683171-29F6-47EA-A611-AB6394207353@ve7jtb.com> <E24D0C95-DBDF-430F-B8A7-FC4E67C255BD@oracle.com> <4E1F6AAD24975D4BA5B1680429673943676ABC64@TK5EX14MBXC284.redmond.corp.microsoft.com> <E670140C-68DA-4F42-BF98-EB9C22F86B68@oracle.com>
To: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: Apple Mail (2.1503)
X-Gm-Message-State: ALoCoQkYjRQfqYwnhaEH1s8oKKy+3H/lvP2y/BpnaSU2M9ccbGoO2BLviCxll/ykxSJiN1TkGeCj
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-reg-09 - token_endpoint_auth_method
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2013 11:57:39 -0000

I think discovery is required.  One of the things that needs to be discovered is the dynamic registration endpoint.

We can try and back pseudo discovery into Dynamic registration, however just doing discovery as a separate step will be easier.

If you start wanting to overload registration there are lots of things in discovery like endpoints and key information from the AS that are not currently included in dynamic registration.   You picked only one thing out of a long list of things that would need to change if you wanted to include discovery functionality in dynamic registration.

I think Discovery can be done a number of ways but probably deserves its own spec as we did with Connect.

John B.

On 2013-04-24, at 8:28 PM, Phil Hunt <phil.hunt@oracle.com> wrote:

> Fair enough, but that doesn't make sense in this broader forum where discovery isn't assumed.   
> 
> Phil
> 
> On 2013-04-24, at 16:17, Mike Jones <Michael.Jones@microsoft.com> wrote:
> 
>> What you’re missing is the part of the OpenID Connect flow where the client first discovers the capabilities that the Server advertises.  In this case, it uses this discovery parameter:
>>  
>> token_endpoint_auth_signing_alg_values_supported
>> OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint for the private_key_jwt and client_secret_jwt methods to encode the JWT. Servers SHOULD support RS256.
>>  
>> So in this use case, the client already knows what algorithms it can choose from, and it makes the choice.
>>  
>> Other OAuth flows could do the same thing, given either dynamic discovery or a published algorithm list by the server.
>>  
>>                                                             -- Mike
>>  
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Phil Hunt
>> Sent: Wednesday, April 24, 2013 3:55 PM
>> To: John Bradley
>> Cc: oauth@ietf.org WG
>> Subject: Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-reg-09 - token_endpoint_auth_method
>>  
>> Right and if the client wants a method not supported then what?
>>  
>> Why can't the client offer up a list of methods it is able to support, say in order of preference?
>>  
>> The text appears to indicate only one value may be passed.
>>  
>> Given the way it is written. It seems better to just have the server say the client must do authn method X in the response.
>>  
>> Phil
>>  
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>> 
>>  
>> 
>> 
>>  
>> On 2013-04-24, at 3:41 PM, John Bradley wrote:
>> 
>> 
>> In Connect the AS may support a number of token endpoint authentication methods.   The reason to allow a client to register using a particular one is to prevent downgrade attacks.
>>  
>> If the client wants to always use an asymmetric signature you don't want to allow attackers to use weaker methods like http basic.
>>  
>> So a server may support any number of methods, but it is reasonable for a client to specify which one it is going to use.   In a closed system that may not be that useful but in a open system where the AS has a looser relationship to the client it is important.
>>  
>> John B.
>>  
>> On 2013-04-24, at 7:30 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>> 
>> 
>> Hmmm… what was the objective or use case for having the client being able to choose in the first place?
>>  
>> It seems to me that the AS will make a decision based on many factors. As you say, there isn't any other place that enumerates the various [authn] methods a client can use to access the token endpoint.  So, why do it?
>>  
>> Phil
>>  
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>> 
>>  
>> 
>> 
>>  
>> On 2013-04-24, at 2:07 PM, Justin Richer wrote:
>> 
>> 
>> Seems reasonable to me, can you suggest language to add in the capability? Would it require an IANA registry? Right now there isn't any other place that enumerates the various methods that a client can use to access the token endpoint.
>> 
>>  -- Justin
>> 
>> On 04/24/2013 04:17 PM, Phil Hunt wrote:
>> For parameters to token_endpoint_auth_method, the spec has defined "client_secret_jwt" and "private_key_jwt". Shouldn't there be similar options of SAML?
>>  
>> Shouldn't there be an extension point for other methods?
>>  
>> Phil
>>  
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>> 
>>  
>>  
>> 
>> 
>> 
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>  
>>  
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>  
>>

v2.23.0 | Report a Bug | By Email