Re: [OAUTH-WG] Robert Wilton's No Objection on draft-ietf-oauth-par-08: (with COMMENT)
Brian Campbell <bcampbell@pingidentity.com> Tue, 06 July 2021 21:53 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93A233A1529 for <oauth@ietfa.amsl.com>; Tue, 6 Jul 2021 14:53:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A8NEe2hBCtjl for <oauth@ietfa.amsl.com>; Tue, 6 Jul 2021 14:52:57 -0700 (PDT)
Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3193B3A14FC for <oauth@ietf.org>; Tue, 6 Jul 2021 14:52:57 -0700 (PDT)
Received: by mail-lf1-x12d.google.com with SMTP id v14so396691lfb.4 for <oauth@ietf.org>; Tue, 06 Jul 2021 14:52:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ckTblRd6X8/5uhX6AoXmcN7f7UfwxhaTWRfGC9VtlIY=; b=dBHCh20eD63poo4Ua4CAW4iaeFaDXSQqk/GIDBgjyJSk1P0d5CHsjsmS/iTHyrUvBa KeJ3PCqoRLhCrccMsjwgkiW9llRd7FpVc4u8ShAcz5dh3FOkjy6M27bvzeuRJIG3aqRe WPdsgKpDvkqd8rhcVVbISvdEgxaqBIrScvmM+chO1wJ4ZQtodL4kfZEhECNbR5zfN6Zc 2e5dO1x0qIOKvPBxh1j9llPRSlRBaPGdRYVw6fhD2n/AisKQp4hJcc86+3V6LfIXeLei Q/g2Qu765eTMY9DDS36xA14BEPXbNbKG9wMcHbODA+oHqpmrTTEtzpeGLnTRKHCrRA6G Nf/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ckTblRd6X8/5uhX6AoXmcN7f7UfwxhaTWRfGC9VtlIY=; b=NDIfpjKJVh3qI8XPY4M4aO5KKOQxVn6uj2noKLkBbuwRJ3rmLkAlw7w+TbdIXLAp4T QOKSiN8LicyFuZoP49LjP0T8TYvu1lvQSj/2Gc2BXWWpxUdCwjQNMBBz4ah0QJ1FRz8k tpRarS5FAT+B9xraj5vHVYe6ur3DYkkH/kUHMD4ADLCuWCgbTwLktD8GJ+LHS3BRPT0W 4YllKP8ujRVLgKAzDZuFhJjlBBKn9eLUftS8YjWzaxFeijzA+Al4MU8Rm3/Y5EgsXb54 VEXKFwIpkAomsiTvLx/hbP+Cyp22e1TpN2332ApswctLzlGIhEGFXr585N1B9VmoQlc4 H0bg==
X-Gm-Message-State: AOAM533AgI7n0bpuIiv2HHlJ8Bsp8/MRceuH55ZHQyXbo+Bev/wVbTop XZMaYoTyVebd/64OTHmlTnfXoG756YVYNoMqW+Sq5PQZVAcvK3hmnE4uOoEDGaN4VNF5WPlh8rf q2iqtZrfNd8wc6w==
X-Google-Smtp-Source: ABdhPJxOg2fsK3vdzqsvBjxMMhCYUWhTXJTH8dsMZ9R8wuGoO62S3SHUFoABHeOggN0Trflwh5UZU4K6psZgP1/+R18=
X-Received: by 2002:ac2:410a:: with SMTP id b10mr15601025lfi.376.1625608374126; Tue, 06 Jul 2021 14:52:54 -0700 (PDT)
MIME-Version: 1.0
References: <162495689162.17201.16673826726221874767@ietfa.amsl.com> <CA+k3eCQcouZOVbeN96pbKny5MBBf=463g4nrDyPFzWx2SmGN_w@mail.gmail.com> <DM4PR11MB5438A0C76AC3DEC2A194CE63B5009@DM4PR11MB5438.namprd11.prod.outlook.com>
In-Reply-To: <DM4PR11MB5438A0C76AC3DEC2A194CE63B5009@DM4PR11MB5438.namprd11.prod.outlook.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 06 Jul 2021 15:52:28 -0600
Message-ID: <CA+k3eCS6=EzJ-_L_h73yog3=eAFz9D7u1MXukTysQVkBEbOGpg@mail.gmail.com>
To: "Rob Wilton (rwilton)" <rwilton@cisco.com>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-oauth-par@ietf.org" <draft-ietf-oauth-par@ietf.org>, "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, oauth <oauth@ietf.org>, Hannes Tschofenig <hannes.tschofenig@arm.com>
Content-Type: multipart/alternative; boundary="000000000000af1c1a05c67b71a9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3Ag9uDH8PaKZ5-SDMJlqOvNQnYw>
Subject: Re: [OAUTH-WG] Robert Wilton's No Objection on draft-ietf-oauth-par-08: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Jul 2021 21:53:10 -0000
In this case the only entity that really has to cope with the lifetime is the same entity that controls the lifetime. The authorization server creates the request URI and its lifetime and retains the associated data for the stated time. The URI and expiry information is conveyed to the client. But the client will just use URI value immediately upon receipt (which invalidates it) and not care anything about it after that. The lifetime is largely just some extra information conveyed to the client that's arguably not even necessary. But sometimes things like that creep in during standards development. And I am aware of a test harness that is using the expiration info to test a negative case of checking that an expired URI value can't be successfully used. So I guess it's useful in some cases. But anyway, there's really no reason it'd be an especially large value and the only one that'd have to deal with it if it were is the same one that sets the value. On Thu, Jul 1, 2021 at 6:38 AM Rob Wilton (rwilton) <rwilton@cisco.com> wrote: > Hi Brian, > > > > Thanks. > > > > Regarding caching, yes, I think that you are right that POST requests > don’t get cached. > > > > Regarding the lifetime, why wouldn’t you want to specify a limit? It > would seem to make it easier for implementations if they know what they > never have to cope with a value over X. > > > > Thanks, > > Rob > > > > > > > > *From:* Brian Campbell <bcampbell@pingidentity.com> > *Sent:* 30 June 2021 22:12 > *To:* Rob Wilton (rwilton) <rwilton@cisco.com> > *Cc:* The IESG <iesg@ietf.org>; draft-ietf-oauth-par@ietf.org; > oauth-chairs@ietf.org; oauth <oauth@ietf.org>; Hannes Tschofenig < > hannes.tschofenig@arm.com> > *Subject:* Re: Robert Wilton's No Objection on draft-ietf-oauth-par-08: > (with COMMENT) > > > > Thanks for the review Rob. I've endeavored to reply to your comments > inline below. > > > > On Tue, Jun 29, 2021 at 2:54 AM Robert Wilton via Datatracker < > noreply@ietf.org> wrote: > > Robert Wilton has entered the following ballot position for > draft-ietf-oauth-par-08: No Objection > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-oauth-par/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Hi, > > Thanks for this document. Outside my area of expertise, but I have a > couple of > questions/comments: > > Section 2: > Due to historical reasons there is potential ambiguity regarding the > appropriate audience value to use when employing JWT client assertion > based authentication (defined in Section 2.2 of [RFC7523] with > "private_key_jwt" or "client_secret_jwt" authentication method names > per Section 9 of [OIDC]). To address that ambiguity the issuer > identifier URL of the authorization server according to [RFC8414] > SHOULD be used as the value of the audience. In order to facilitate > interoperability the authorization server MUST accept its issuer > identifier, token endpoint URL, or pushed authorization request > endpoint URL as values that identify it as an intended audience. > > I may be misunderstanding this text, but I note that by giving flexibility > to > the client (i.e., the SHOULD) and being strict on the receiver (MUST > support x, > y, z), this seems to encourage a proliferation. Hence, I was wondering > whether > this might be better the other way round. I.e., be strict with what is > sent, > and less strict with what is received: MUST send 'issuer identifier', MUST > receive 'issuer identifier', SHOULD receive 'token endpoint URL' and > 'pushed > authorization request endpoint URL'? > > > > While definitely not trying to encourage proliferation, the text is aiming > to help interoperability while also accounting for the treatment in other > documents (RFC7523/21) and existing implementations while also allowing for > consistent processing to be implemented across the different endpoints > where JWT client assertion based authentication can be employed. It's kinda > tricky and I don't know for sure that the current text is exactly right but > it's made it through the WG process and seen a number of implementations. > > > > > > 2. > * "expires_in" : A JSON number that represents the lifetime of the > request URI in seconds as a positive integer. The request URI > lifetime is at the discretion of the authorization server but will > typically be relatively short (e.g., between 5 and 600 seconds). > > JSON numbers are doubles, but the value is a positive integer. Does it > make > sense to put in a hard limit of 2^53, or given that these are expected to > be > small numbers, 2^31 - 1? > > > > I think the soft general guidance is enough and don't believe a hard > upper limit is needed. > > > > > > 3. The success and error examples both define: > Content-Type: application/json > Cache-Control: no-cache, no-store > > The document states that the response should be JSON, but should it more > specifically specify the content type as "application/json"? > > > > Yeah, it probably should be that specific. I'll add the content type > specificity to the document. > > > > > > Similarly, the > cache control makes sense, but should the document mandate that the > response > must include "Cache-Control: no-cache, no-store"? > > > > Although it makes sense not to cache I'm less comfortable mandating cache > control stuff - particularly for a response to a POST (that I'm not sure is > ever cacheable anyway) and for a client that is most likely not doing any > caching at all and would immediately encounter failures if it were. > > > > > > Regards, > Rob > > > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.* > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] Robert Wilton's No Objection on draft-… Robert Wilton via Datatracker
- Re: [OAUTH-WG] Robert Wilton's No Objection on dr… Brian Campbell
- Re: [OAUTH-WG] Robert Wilton's No Objection on dr… Rob Wilton (rwilton)
- Re: [OAUTH-WG] Robert Wilton's No Objection on dr… Brian Campbell
- Re: [OAUTH-WG] Robert Wilton's No Objection on dr… Rob Wilton (rwilton)