Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

Anthony Nadalin <tonynad@microsoft.com> Tue, 23 February 2016 23:09 UTC

From: Anthony Nadalin <tonynad@microsoft.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
Date: Tue, 23 Feb 2016 23:08:47 +0000
Message-ID: <BN3PR0301MB123407F1E188A51CD64B71E2A6A40@BN3PR0301MB1234.namprd03.prod.outlook.com>
References: <56C7702B.2000401@gmx.net>
In-Reply-To: <56C7702B.2000401@gmx.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/2XWL7niR4viFI94SnVUNrmdbA80>
Subject: Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption
List-Id: OAUTH WG <oauth.ietf.org>

I would go with option A; option B introduces concepts/syntax that complicate the current OAuth model.

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Friday, February 19, 2016 11:43 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

In early February I posted a mail to the list to make progress on the solution to the OAuth Authorization Server Mix-Up problem discovered late last year.

Here is my mail about the Authorization Server Mix-Up:
http://www.ietf.org/mail-archive/web/oauth/current/msg15336.html

Here is my mail to the list that tries to summarize the discussion status and asked a few questions:
http://www.ietf.org/mail-archive/web/oauth/current/msg15697.html

Unfortunately, my mail didn't lead to the intended success. While there was some feedback, I wasn't getting the desired response.

In order to move forward I believe we need a working group document that serves as a starting point for further work in the group*. We have two documents that provide similar functionality in an attempt to solve the Authorization Server Mix-Up problem.

So, here is the question for the group. Which document do you want as a starting point for work on this topic:

-- Option A: 'OAuth 2.0 Mix-Up Mitigation' by Mike Jones and John Bradley

Link:
https://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-01

-- Option B: 'OAuth Response Metadata' by Nat Sakimura, Nov Matake and Sascha Preibisch

Link:
https://tools.ietf.org/html/draft-sakimura-oauth-meta-07

Deadline for feedback is March 4th.

Ciao
Hannes & Derek

PS: (*) Regardless of the selected solution we will provide proper acknowledgement for those who contributed to the work.
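The reply above favours Option A. The following is an added illustration, not code from this thread or from either draft, of the attack the call for adoption is about and of the Option A style check: the client remembers which authorization server each request went to (keyed by `state`) and, on the redirect back, requires the response to carry an `iss` and `client_id` that match that record, so a code issued by an honest AS can never be redeemed at an attacker's token endpoint. The issuer URLs, client ID, redirect URI and code values are constructed for the demo; the parameter names `iss` and `client_id` are the ones the Option A draft uses in the authorization response.

```python
"""Authorization Server Mix-Up, before and after the issuer check (constructed demo)."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed identifiers for the demo (assumptions, not from the list message).
HONEST_AS = "https://honest-as.example"
ATTACKER_AS = "https://attacker-as.example"
CLIENT_ID = "client-123"          # the client is registered at both ASs under this id
REDIRECT_URI = "https://client.example/cb"


class MixUpError(Exception):
    """The authorization response does not match the request it claims to answer."""


class Client:
    """OAuth client; check_issuer=False models a client from before the mitigation."""

    def __init__(self, client_id, check_issuer):
        self.client_id = client_id
        self.check_issuer = check_issuer
        self.pending = {}             # state -> issuer the authorization request went to

    def start_authorization(self, issuer):
        """Bind a fresh, unguessable state to the AS this request is being sent to."""
        state = secrets.token_urlsafe(16)
        self.pending[state] = issuer
        return state

    def handle_redirect(self, url):
        """Process the front-channel response; return (AS to redeem the code at, code)."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        expected = self.pending.pop(q.get("state", ""), None)
        if expected is None:
            raise MixUpError("unknown or replayed state")
        if self.check_issuer:
            # Option A: the AS echoes iss and client_id in the response; both must match
            # the request record. A missing iss is treated as a mismatch here.
            if q.get("iss") != expected:
                raise MixUpError(f"response from {q.get('iss')!r}, request went to {expected!r}")
            if q.get("client_id") != self.client_id:
                raise MixUpError("client_id in response is not ours")
        return expected, q["code"]


def honest_as_response(state, code):
    """Honest AS (constructed): issues a code and, per Option A, echoes iss and client_id."""
    params = {"code": code, "state": state, "iss": HONEST_AS, "client_id": CLIENT_ID}
    return f"{REDIRECT_URI}?{urlencode(params)}"


def mix_up(check_issuer):
    """Run the mix-up and return the AS the client would POST the code to.

    The client starts a flow at the attacker's AS; the attacker's AS forwards the
    user to the honest AS reusing the client's state; the honest AS's response
    lands at the client's redirect URI, where a legacy client files it under the
    attacker's AS and would send the honest code to the attacker's token endpoint.
    """
    client = Client(CLIENT_ID, check_issuer)
    state = client.start_authorization(ATTACKER_AS)
    url = honest_as_response(state, code="c0de-from-honest-as")
    issuer, _code = client.handle_redirect(url)
    return issuer


def normal_flow(check_issuer):
    """Sanity check: an ordinary flow against the honest AS still succeeds."""
    client = Client(CLIENT_ID, check_issuer)
    state = client.start_authorization(HONEST_AS)
    return client.handle_redirect(honest_as_response(state, code="c0de"))


if __name__ == "__main__":
    print("legacy client redeems code at:", mix_up(check_issuer=False))
    try:
        mix_up(check_issuer=True)
    except MixUpError as e:
        print("mitigated client aborts:", e)
    print("normal flow:", normal_flow(check_issuer=True))
```

The state value alone cannot catch this, because the attacker's AS reuses the client's own state when it forwards the user; only something the honest AS asserts about itself in the response (here `iss`) lets the client notice that the answer came from a different server than the one it asked.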