Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata
Atul Tulshibagwale <atul@sgnl.ai> Sat, 30 March 2024 01:31 UTC
Return-Path: <atul@sgnl.ai>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06B14C14F6F3 for <oauth@ietfa.amsl.com>; Fri, 29 Mar 2024 18:31:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sgnl.ai
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6yYJoFt2yLw1 for <oauth@ietfa.amsl.com>; Fri, 29 Mar 2024 18:31:31 -0700 (PDT)
Received: from mail-pl1-x62a.google.com (mail-pl1-x62a.google.com [IPv6:2607:f8b0:4864:20::62a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D63FC14F6F0 for <oauth@ietf.org>; Fri, 29 Mar 2024 18:31:30 -0700 (PDT)
Received: by mail-pl1-x62a.google.com with SMTP id d9443c01a7336-1e0d82d441bso22773975ad.3 for <oauth@ietf.org>; Fri, 29 Mar 2024 18:31:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sgnl.ai; s=google; t=1711762289; x=1712367089; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=iu61D293SVkAjW34nu55HKrTfeqg9xLJtaZGGTlXrpw=; b=adx6M9JdACndSM5wzazwtLnCa9T4F4ef7Fj3eWWZ2psjBVVchLBVFaBebpn2YIBLWO pqoyqal3CxZ5lVL7g/z+rqLQF+mukUv2IgWcChEO518pD4q112X8QRPr2MmXdnJ5B1IF 1xb7zcmI2FyUA/v8padnjBvTgcktDRlLr+b5QzxiMzbZ1kWW/fO2lHVNVyywfbM1K2QR f5xdj9S+2xQ4aanDnl6n2PggX895Dg+3+x+plZUY/guPQ0ffjqy11dg1DlWoIjepAK1P /IhAKeyE+Gs4BBUS7FeNB6fbZaEcp5xuQTqFJP6OQ44BcZJHs5Xfan33dae2O0pGrIEE 7onA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711762289; x=1712367089; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=iu61D293SVkAjW34nu55HKrTfeqg9xLJtaZGGTlXrpw=; b=i4zQamBdzzi8Ma6tg8s1QZIIL5jpBWBr/p0yRBC3+7h69r9bfp0pkc3zbPeLDOJYFz ehLqY5Jb7el9w35Kme+d88k9hNX9SG5SfI8xHlPRxcaf5JA13PXe2TYMnRcnE2EOP//r nVNgEXXRE/ejOoZdc8DANbAu3SbPCh2WRQJmYEkCBteX0VTF1L8Fg34Ay3ku/yQDOj06 QPASxR43mAwd/m9ga2KpFVRv0eR+cHo9Fp0sH/MvIGBK8LH/hBbGP4aci4p9lw1jog7l r6hud3zmn5bv727lpxK4wrgJh+ggUb3RLWok5zB+L8UuyeLezUtC1s3nvYrYU+QIiBSh wewQ==
X-Forwarded-Encrypted: i=1; AJvYcCVt/rhx5Y2a82kDjfWvOjB9kLf7BgHbgfqprWljToyHdPyKEL8ILRiOeDHp77W3ypwVIuGSqAeqarRVqFv7Zw==
X-Gm-Message-State: AOJu0Yw5kmBDZo3qUHkoSyvhq74sw1g/IBoA7Ln3+xVyHai/UVMkG2hV jWNykzXbs/X5ew/WyChdndzuaWRDVWXx4yy9IGbMK/tRVCoqeiePJEBUeI7NIEjLXSCYYhC49OH xpCwl/hKlOXBODbRxUuUJyqezdpvG/aoAaaxOsCR2t3Yq0EFg
X-Google-Smtp-Source: AGHT+IF20AUXH3CbcRmEpgfjRcwvSgrvBOodT3Co8pMNptiy1V/SBh0+Xx1y+JK9xTuaiIMdD3Dyn0QoRRzsPi6/xuo=
X-Received: by 2002:a17:902:ce8f:b0:1e0:e85b:2d30 with SMTP id f15-20020a170902ce8f00b001e0e85b2d30mr4882330plg.42.1711762289322; Fri, 29 Mar 2024 18:31:29 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP9QRjmgs5Si4Fj+hSmScwx+4ihQmxfznCCVE4+8F2UFkw@mail.gmail.com> <CANtBS9cNXEsiv8UqPSSeRf8pfUXZea5_bftwwFb5PnfG9YSfoA@mail.gmail.com>
In-Reply-To: <CANtBS9cNXEsiv8UqPSSeRf8pfUXZea5_bftwwFb5PnfG9YSfoA@mail.gmail.com>
From: Atul Tulshibagwale <atul@sgnl.ai>
Date: Fri, 29 Mar 2024 18:31:13 -0700
Message-ID: <CANtBS9fEXz99jNBQQMjCwM6SRehcb=2HZ5Nq5z0OCba08e_OzA@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000320b920614d6b7ec"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1GMKGxTfpQ0-k-asP8b4nj79YhE>
Subject: Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Mar 2024 01:31:36 -0000
Continuing my review notes from section 3.2: 1. Section 3.2 paragraph 2 says "Claims that return multiple values are represented as JSON arrays." should this be "MUST be represented as JSON arrays"? "Are" is probably OK because it is a statement of fact, but since this spec will be used by implementers, "MUST be" is more prescriptive 2. Section 3.2: Is there any ordering condition to multi-valued claims? I.e. A client MUST / SHOULD try to use the smallest indexed value of a multi-valued claim and if that is unsuccessful, then use the next smallest indexed value? I don't know if this matters. If not, should we clarify that clients MAY use any subset of values? 3. Section 3.2 example: Not having "scopes_supported" in the example is a miss I think, although it does not affect the correctness of the document 4. Section 4 protected_resources: "would not be used" is ambiguous. Can we say "MUST NOT be present in the Authorization Server Metadata"? 5. Section 5. Step 4 should read "The resource server responds with..." 6. Section 5.1: Does this introduce any IANA consideration? How would we know if some other spec is not using "resource_metadata" in some other way in the WWW-Authenticate response header? (Unlikely, but if there is a way to reserve it, we should) 7. Section 5.2: "...it is expected retrieve..." has a typo, should be "expected to retrieve". The language can also be more normative: "...The client SHOULD retrieve..." 8. Section 5.3: Do we need this section? The spec doesn't use "Client Identifier" anywhere, so the section may not be needed in this spec. -- Review completed. Atul On Wed, Mar 27, 2024 at 12:00 PM Atul Tulshibagwale <atul@sgnl.ai> wrote: > Hi all, > I'd committed to reviewing the draft at IETF 119, so here is my feedback > up to section 3.1: > > 1. Section 1: The sentence "Each protected resource publishing > metadata about itself makes its own metadata document available at a > well-known location rooted at the protect resource's URL, even when the > resource server implements multiple protected resources." has two issues: > 1. Typo: "protected resource's URL" instead of "protect > resource's URL" > 2. This contradicts the statement in section 3, which states the > "well-known" should be inserted between the host and path components > 2. Section 1: The sentence "The means by which the client obtains the > location of the protected resource metadata document is out of scope" > conflicts with Section 3, which says "Protected resources MUST make ... > (it) available at a path ...". > 3. Section 2, "authorization_servers": since this is normative > language, instead of saying "Protected resources MAY choose not to > advertise some supported authorization servers even when this parameter is > used.", should we say "the list of OAuth authorization servers MAY be a > subset of the authorization servers supported by the protected resource." > 4. Section 3, paragraph 1: The last sentence, i.e. "The well-known URI > path suffix used MUST be registered in the IANA "Well-Known URIs" registry" > is a bit confusing. Should it say something like "If not using the default > well-known URI, such URI path suffix MUST be registered..." This last > sentence of paragraph 1 can actually be dropped, and the first sentence in > the 2nd paragraph can be updated to refer to the IANA well-known registry. > 5. Section 3, paragraph 2: The first sentence should capitalize "MAY" > in "...application-specific ways may define and register..." > 6. Section 3, paragraph 2: The first sentence can drop the word "used" > here: "...URI path suffixes used to publish..." The sentence will make more > sense with that word dropped. > 7. Section 3, paragraph 2: The last sentence is additional > non-normative language, and could be removed, or could be moved to the > "IANA Considerations" section > 8. Section 3, paragraph 3: "...specify what well-known URI string..." > should be changed to "...specify what well-known URI path-suffix..." > 9. Section 3, paragraph 3: Instead of saying "...publish its metadata > at multiple well-known locations'', should we say "...publish its metadata > using multiple well-known path-suffixes''? > 10. Section 3.1, last paragraph: The sentence "This is required in > some multi-tenant hosting configurations" may be removed as it is not the > only situation in which a host may have multiple OPRM documents. > > I will continue the review but I wanted to update the WG on my review so > far. > > Atul > > On Wed, Mar 27, 2024 at 5:54 AM Rifaat Shekh-Yusef < > rifaat.s.ietf@gmail.com> wrote: > >> All, >> >> This is a *WG Last Call* for the *OAuth 2.0 Protected Resource Metadata* >> document. >> https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-03.html >> >> Please, review this document and reply on the mailing list if you have >> any comments or concerns, by *April 12*. >> >> Regards, >> Rifaat & Hannes >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >
- Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resou… Michael Jones
- [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource … Rifaat Shekh-Yusef
- Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resou… Atul Tulshibagwale
- Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resou… Michael Jones
- Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resou… Vladimir Dzhuvinov
- Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resou… Giuseppe De Marco
- Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resou… Atul Tulshibagwale
- Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resou… Michael Jones
- Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resou… Brian Campbell
- Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resou… Brian Campbell
- Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resou… Michael Jones
- Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resou… Brian Campbell
- Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resou… Brian Campbell
- Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resou… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resou… Michael Jones
- Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resou… Pieter Kasselman
- Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resou… Michael Jones
- Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resou… Michael Jones