[OAUTH-WG] Re: OAuth Client ID Metadata Document
Dick Hardt <dick.hardt@gmail.com> Mon, 08 July 2024 18:07 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18464C1E7238 for <oauth@ietfa.amsl.com>; Mon, 8 Jul 2024 11:07:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PjQbT8Tuxv4U for <oauth@ietfa.amsl.com>; Mon, 8 Jul 2024 11:07:54 -0700 (PDT)
Received: from mail-yb1-xb2e.google.com (mail-yb1-xb2e.google.com [IPv6:2607:f8b0:4864:20::b2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4F41C1E591E for <oauth@ietf.org>; Mon, 8 Jul 2024 11:07:49 -0700 (PDT)
Received: by mail-yb1-xb2e.google.com with SMTP id 3f1490d57ef6-e03d49ff259so2909013276.2 for <oauth@ietf.org>; Mon, 08 Jul 2024 11:07:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1720462068; x=1721066868; darn=ietf.org; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Kwm3HGGFwMAH98SyPDzunfOYwy9uNT7uV+inZkH5uv0=; b=Tm4iG9yxcQ7zXB322C9j2bLCg/gphkkZmiTzpd/C3PSw72AxGpIrsAXl3t7zfbla6b uYrQ9u3+nMCarSC3kpR9fbRVvdrirZjkequyr/ig1SwFmKl3o5lkLyXqjV4CCPGiUjrR nhH/lRUGjCX7TlVFe9Po0oNOZ42P2yQgKRs4FFSGhuakXDaAl/TrTZrhRLF5Pn7uy59Q D6L87CF/77+feJhcP4Q7R2dyYeaCuS3DS/BA2Tg70KGbK5c/LAAmb/1hyetSs6on2Btz oqeYeyLzRGILSrfb1x8DLajuKkES8rby505bIdcAhev1yqHC7aUgjY1IYZdKjLigvD3r ZTOg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720462068; x=1721066868; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Kwm3HGGFwMAH98SyPDzunfOYwy9uNT7uV+inZkH5uv0=; b=pDIjg2fDa9JySb/FhsWB+rEoek/dOKCPYZ0O3P79aCEO/A+27wVHRjJYpOsJSxUAig s5b7jYVBOnqJrn6fyD2SynW4MJbRBtRbJMsQrKxsa89Ts6LrbJjsBJAjF1FFgMkScPH+ VR7xsKFXP3YK6UdhEg1iwyI5H/YLPhAEHMZe2zNdoGsF0CUI6/91yWFn27cPUHHCMcsS wmel2je+psrLlZMmfffddK3T2eHzx5UGWwo4CxfSKJdIeF3dV7prlXyADDOkRTMGJON5 9IpLEitApa7VIBu4bhTjLoO4TabGPvrGGKO4ux0e9KBhz7RMKmqB4MFo5QUx9nu2cHxx 9voQ==
X-Forwarded-Encrypted: i=1; AJvYcCVTHMIRku1gvJCSNyD2gFGDjimXwplFws3uKud9eQtMxZfDlx6cNOZlPzgIp/8Fz15Bp/tkdYaAv0zOKrsInQ==
X-Gm-Message-State: AOJu0Yzgd8GBzx5hDrDakqvAjbAiSI+bs62sqF6nsVjPZJk9E8ayEVSV TtMcuiUFMfid3pyij7iM3ETcAYBLyf2WFowuszBushddWE9f5XJPKGDIDiFKvq/K4UsoFD/G15u PrwYev/Ix7LZSIOI6/JpJr7UnBpk=
X-Google-Smtp-Source: AGHT+IGvVdyzrxdAprOMUDaGdfwld7YHGH3z1O36I0dA7nNOTZprzDLZuWxOrJzOYUDLXnJoJhWCafvAzYOP7LKHiXk=
X-Received: by 2002:a5b:486:0:b0:e03:527d:34ff with SMTP id 3f1490d57ef6-e041b03ffa3mr576754276.3.1720462068279; Mon, 08 Jul 2024 11:07:48 -0700 (PDT)
MIME-Version: 1.0
References: <CAGBSGjrU03__4Wt+PiDuR5Z=b5y7GnBwzOiibE1v_Y11NV+Fpg@mail.gmail.com> <BB9F5666-3FD7-4B38-A9E5-C7777FEE14E0@brandedcode.com>
In-Reply-To: <BB9F5666-3FD7-4B38-A9E5-C7777FEE14E0@brandedcode.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 08 Jul 2024 11:07:12 -0700
Message-ID: <CAD9ie-tp+EsPR2eQMXCrxFnrZr-BfRzS1bg_pm68uEhjmytggg@mail.gmail.com>
To: Emelia Smith <emelia@brandedcode.com>
Content-Type: multipart/alternative; boundary="0000000000006df062061cc04aad"
Message-ID-Hash: 2QCPGALX7TJJTJONWT4PO7ACBG6GUSLY
X-Message-ID-Hash: 2QCPGALX7TJJTJONWT4PO7ACBG6GUSLY
X-MailFrom: dick.hardt@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Reply-To: Dick.Hardt@gmail.com
Subject: [OAUTH-WG] Re: OAuth Client ID Metadata Document
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1uiJ61xJHSVxHRJ7R_f750CihRo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
On Mon, Jul 8, 2024 at 10:15 AM Emelia Smith <emelia@brandedcode.com> wrote: > Just to follow up on this, further: > > > 1. If an AS supports both registered, and unregistered clients, is > there any guidance or requirements on differentiating between them such as > NOT issuing other identifiers that start with 'https"? > > > > This is probably a good call-out. I am unsure about how many AS's > would actually support both types of clients in practice though. > > In practice you're not checking for "https" but "https://", furthermore > most implementations use random bytes, often base64url or hex encoded, so > they simply don't have the character set necessary to generate client_id's > that are also valid URIs (or at least, the probability of this is > incredibly small) > Agree on the "https://" -- that was what I intended. There may be ASes that use URLs as identifiers. I don't know of any. Not having thought it all through, I might allow a developer to "claim" a "https://" client_id so that they could have more functionality, for example to enable localhost or access to more sensitive data. Thanks for this work Emelia! Will you be in Vancouver IETF? /Dick
- [OAUTH-WG] OAuth Client ID Metadata Document Dick Hardt
- [OAUTH-WG] Re: OAuth Client ID Metadata Document Aaron Parecki
- [OAUTH-WG] Re: OAuth Client ID Metadata Document Emelia Smith
- [OAUTH-WG] Re: OAuth Client ID Metadata Document Dick Hardt
- [OAUTH-WG] Re: OAuth Client ID Metadata Document Dick Hardt
- [OAUTH-WG] Re: OAuth Client ID Metadata Document Emelia S.
- [OAUTH-WG] Re: OAuth Client ID Metadata Document Dick Hardt
- [OAUTH-WG] Re: OAuth Client ID Metadata Document Emelia Smith
- [OAUTH-WG] Re: OAuth Client ID Metadata Document Dick Hardt
- [OAUTH-WG] Re: OAuth Client ID Metadata Document David Waite