Re: [OAUTH-WG] OAuth Discovery metadata values added for revocation, introspection, and PKCE

Vladimir Dzhuvinov <vladimir@connect2id.com> Fri, 29 January 2016 12:23 UTC

Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 851691A8733 for <oauth@ietfa.amsl.com>; Fri, 29 Jan 2016 04:23:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dTJzJ_FicHKQ for <oauth@ietfa.amsl.com>; Fri, 29 Jan 2016 04:23:40 -0800 (PST)
Received: from p3plsmtpa06-10.prod.phx3.secureserver.net (p3plsmtpa06-10.prod.phx3.secureserver.net [173.201.192.111]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD29D1A870A for <oauth@ietf.org>; Fri, 29 Jan 2016 04:23:40 -0800 (PST)
Received: from [192.168.0.10] ([82.11.82.125]) by p3plsmtpa06-10.prod.phx3.secureserver.net with id BoPe1s0082iDvnW01oPfVc; Fri, 29 Jan 2016 05:23:40 -0700
To: oauth@ietf.org
References: <BY2PR03MB442C39923E8F9D96F5975B0F5DA0@BY2PR03MB442.namprd03.prod.outlook.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
X-Enigmail-Draft-Status: N1110
Organization: Connect2id Ltd.
Message-ID: <56AB59CA.5070408@connect2id.com>
Date: Fri, 29 Jan 2016 12:23:38 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <BY2PR03MB442C39923E8F9D96F5975B0F5DA0@BY2PR03MB442.namprd03.prod.outlook.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms060403080701070905050107"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/1jp4djDw_8ReEt8T_lxEoDGKi5g>
Subject: Re: [OAUTH-WG] OAuth Discovery metadata values added for revocation, introspection, and PKCE
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jan 2016 12:23:42 -0000

Thanks Mike, the updated spec looks good!

I have a question related to PKCE:

The PKCE spec seems to imply that an AS may require public clients to
use a code challenge:

https://tools.ietf.org/html/rfc7636#section-4.4.1

If an AS has such a policy in place, how is this to be advertised? Or is
that supposed to the enforced when the client gets registered (there are
no reg params for that at present)?


On 28/01/16 19:27, Mike Jones wrote:
> The OAuth Discovery specification has been updated to add metadata values for revocation<http://tools.ietf.org/html/rfc7009>;, introspection<http://tools.ietf.org/html/rfc7662>;, and PKCE<http://tools.ietf.org/html/rfc7636>;.  Changes were:
>
> *       Added "revocation_endpoint_auth_methods_supported" and "revocation_endpoint_auth_signing_alg_values_supported" for the revocation endpoint.
>
> *       Added "introspection_endpoint_auth_methods_supported" and "introspection_endpoint_auth_signing_alg_values_supported" for the introspection endpoint.
>
> *       Added "code_challenge_methods_supported" for PKCE.
>
> The specification is available at:
>
> *       http://tools.ietf.org/html/draft-jones-oauth-discovery-01
>
> An HTML-formatted version is also available at:
>
> *       http://self-issued.info/docs/draft-jones-oauth-discovery-01.html
>
>                                                           -- Mike
>
> P.S.  This note was also published at http://self-issued.info/?p=1531 and as @selfissued<https://twitter.com/selfissued>.
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
Vladimir Dzhuvinov