IETF Logo Mail Archive

Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata

Atul Tulshibagwale <atul@sgnl.ai> Sat, 30 March 2024 01:31 UTC

Return-Path: <atul@sgnl.ai>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06B14C14F6F3 for <oauth@ietfa.amsl.com>; Fri, 29 Mar 2024 18:31:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sgnl.ai
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6yYJoFt2yLw1 for <oauth@ietfa.amsl.com>; Fri, 29 Mar 2024 18:31:31 -0700 (PDT)
Received: from mail-pl1-x62a.google.com (mail-pl1-x62a.google.com [IPv6:2607:f8b0:4864:20::62a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D63FC14F6F0 for <oauth@ietf.org>; Fri, 29 Mar 2024 18:31:30 -0700 (PDT)
Received: by mail-pl1-x62a.google.com with SMTP id d9443c01a7336-1e0d82d441bso22773975ad.3 for <oauth@ietf.org>; Fri, 29 Mar 2024 18:31:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sgnl.ai; s=google; t=1711762289; x=1712367089; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=iu61D293SVkAjW34nu55HKrTfeqg9xLJtaZGGTlXrpw=; b=adx6M9JdACndSM5wzazwtLnCa9T4F4ef7Fj3eWWZ2psjBVVchLBVFaBebpn2YIBLWO pqoyqal3CxZ5lVL7g/z+rqLQF+mukUv2IgWcChEO518pD4q112X8QRPr2MmXdnJ5B1IF 1xb7zcmI2FyUA/v8padnjBvTgcktDRlLr+b5QzxiMzbZ1kWW/fO2lHVNVyywfbM1K2QR f5xdj9S+2xQ4aanDnl6n2PggX895Dg+3+x+plZUY/guPQ0ffjqy11dg1DlWoIjepAK1P /IhAKeyE+Gs4BBUS7FeNB6fbZaEcp5xuQTqFJP6OQ44BcZJHs5Xfan33dae2O0pGrIEE 7onA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711762289; x=1712367089; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=iu61D293SVkAjW34nu55HKrTfeqg9xLJtaZGGTlXrpw=; b=i4zQamBdzzi8Ma6tg8s1QZIIL5jpBWBr/p0yRBC3+7h69r9bfp0pkc3zbPeLDOJYFz ehLqY5Jb7el9w35Kme+d88k9hNX9SG5SfI8xHlPRxcaf5JA13PXe2TYMnRcnE2EOP//r nVNgEXXRE/ejOoZdc8DANbAu3SbPCh2WRQJmYEkCBteX0VTF1L8Fg34Ay3ku/yQDOj06 QPASxR43mAwd/m9ga2KpFVRv0eR+cHo9Fp0sH/MvIGBK8LH/hBbGP4aci4p9lw1jog7l r6hud3zmn5bv727lpxK4wrgJh+ggUb3RLWok5zB+L8UuyeLezUtC1s3nvYrYU+QIiBSh wewQ==
X-Forwarded-Encrypted: i=1; AJvYcCVt/rhx5Y2a82kDjfWvOjB9kLf7BgHbgfqprWljToyHdPyKEL8ILRiOeDHp77W3ypwVIuGSqAeqarRVqFv7Zw==
X-Gm-Message-State: AOJu0Yw5kmBDZo3qUHkoSyvhq74sw1g/IBoA7Ln3+xVyHai/UVMkG2hV jWNykzXbs/X5ew/WyChdndzuaWRDVWXx4yy9IGbMK/tRVCoqeiePJEBUeI7NIEjLXSCYYhC49OH xpCwl/hKlOXBODbRxUuUJyqezdpvG/aoAaaxOsCR2t3Yq0EFg
X-Google-Smtp-Source: AGHT+IF20AUXH3CbcRmEpgfjRcwvSgrvBOodT3Co8pMNptiy1V/SBh0+Xx1y+JK9xTuaiIMdD3Dyn0QoRRzsPi6/xuo=
X-Received: by 2002:a17:902:ce8f:b0:1e0:e85b:2d30 with SMTP id f15-20020a170902ce8f00b001e0e85b2d30mr4882330plg.42.1711762289322; Fri, 29 Mar 2024 18:31:29 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP9QRjmgs5Si4Fj+hSmScwx+4ihQmxfznCCVE4+8F2UFkw@mail.gmail.com> <CANtBS9cNXEsiv8UqPSSeRf8pfUXZea5_bftwwFb5PnfG9YSfoA@mail.gmail.com>
In-Reply-To: <CANtBS9cNXEsiv8UqPSSeRf8pfUXZea5_bftwwFb5PnfG9YSfoA@mail.gmail.com>
From: Atul Tulshibagwale <atul@sgnl.ai>
Date: Fri, 29 Mar 2024 18:31:13 -0700
Message-ID: <CANtBS9fEXz99jNBQQMjCwM6SRehcb=2HZ5Nq5z0OCba08e_OzA@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000320b920614d6b7ec"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1GMKGxTfpQ0-k-asP8b4nj79YhE>
Subject: Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Mar 2024 01:31:36 -0000

Continuing my review notes from section 3.2:

   1. Section 3.2 paragraph 2 says "Claims that return multiple values are
   represented as JSON arrays." should this be "MUST be represented as JSON
   arrays"? "Are" is probably OK because it is a statement of fact, but since
   this spec will be used by implementers, "MUST be" is more prescriptive
   2. Section 3.2: Is there any ordering condition to multi-valued claims?
   I.e. A client MUST / SHOULD try to use the smallest indexed value of a
   multi-valued claim and if that is unsuccessful, then use the next smallest
   indexed value? I don't know if this matters. If not, should we clarify that
   clients MAY use any subset of values?
   3. Section 3.2 example: Not having "scopes_supported" in the example is
   a miss I think, although it does not affect the correctness of the document
   4. Section 4 protected_resources: "would not be used" is ambiguous. Can
   we say "MUST NOT be present in the Authorization Server Metadata"?
   5. Section 5. Step 4 should read "The resource server responds with..."
   6. Section 5.1: Does this introduce any IANA consideration? How would we
   know if some other spec is not using "resource_metadata" in some other way
   in the WWW-Authenticate response header? (Unlikely, but if there is a way
   to reserve it, we should)
   7. Section 5.2: "...it is expected retrieve..." has a typo, should be
   "expected to retrieve". The language can also be more normative: "...The
   client SHOULD retrieve..."
   8. Section 5.3: Do we need this section? The spec doesn't use "Client
   Identifier" anywhere, so the section may not be needed in this spec.

-- Review completed.

Atul

On Wed, Mar 27, 2024 at 12:00 PM Atul Tulshibagwale <atul@sgnl.ai> wrote:

> Hi all,
> I'd committed to reviewing the draft at IETF 119, so here is my feedback
> up to section 3.1:
>
>    1. Section 1: The sentence "Each protected resource publishing
>    metadata about itself makes its own metadata document available at a
>    well-known location rooted at the protect resource's URL, even when the
>    resource server implements multiple protected resources." has two issues:
>       1. Typo: "protected resource's URL" instead of "protect
>       resource's URL"
>       2. This contradicts the statement in section 3, which states the
>       "well-known" should be inserted between the host and path components
>    2. Section 1: The sentence "The means by which the client obtains the
>    location of the protected resource metadata document is out of scope"
>    conflicts with Section 3, which says "Protected resources MUST make ...
>    (it) available at a path ...".
>    3. Section 2, "authorization_servers": since this is normative
>    language, instead of saying "Protected resources MAY choose not to
>    advertise some supported authorization servers even when this parameter is
>    used.", should we say "the list of OAuth authorization servers MAY be a
>    subset of the authorization servers supported by the protected resource."
>    4. Section 3, paragraph 1: The last sentence, i.e. "The well-known URI
>    path suffix used MUST be registered in the IANA "Well-Known URIs" registry"
>    is a bit confusing. Should it say something like "If not using the default
>    well-known URI, such URI path suffix MUST be registered..." This last
>    sentence of paragraph 1 can actually be dropped, and the first sentence in
>    the 2nd paragraph can be updated to refer to the IANA well-known registry.
>    5. Section 3, paragraph 2: The first sentence should capitalize "MAY"
>    in "...application-specific ways may define and register..."
>    6. Section 3, paragraph 2: The first sentence can drop the word "used"
>    here: "...URI path suffixes used to publish..." The sentence will make more
>    sense with that word dropped.
>    7. Section 3, paragraph 2: The last sentence is additional
>    non-normative language, and could be removed, or could be moved to the
>    "IANA Considerations" section
>    8. Section 3, paragraph 3: "...specify what well-known URI string..."
>    should be changed to "...specify what well-known URI path-suffix..."
>    9. Section 3, paragraph 3: Instead of saying "...publish its metadata
>    at multiple well-known locations'', should we say "...publish its metadata
>    using multiple well-known path-suffixes''?
>    10. Section 3.1, last paragraph: The sentence "This is required in
>    some multi-tenant hosting configurations" may be removed as it is not the
>    only situation in which a host may have multiple OPRM documents.
>
> I will continue the review but I wanted to update the WG on my review so
> far.
>
> Atul
>
> On Wed, Mar 27, 2024 at 5:54 AM Rifaat Shekh-Yusef <
> rifaat.s.ietf@gmail.com> wrote:
>
>> All,
>>
>> This is a *WG Last Call* for the *OAuth 2.0 Protected Resource Metadata*
>> document.
>> https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-03.html
>>
>> Please, review this document and reply on the mailing list if you have
>> any comments or concerns, by *April 12*.
>>
>> Regards,
>>   Rifaat & Hannes
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>

v2.23.0 | Report a Bug | By Email