Re: [OAUTH-WG] [apps-discuss] OAuth discovery registration.
Eve Maler <eve@xmlgrrl.com> Thu, 14 June 2012 18:16 UTC
Return-Path: <eve@xmlgrrl.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CB8C21F8637; Thu, 14 Jun 2012 11:16:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.757
X-Spam-Level: *
X-Spam-Status: No, score=1.757 tagged_above=-999 required=5 tests=[AWL=-3.049, BAYES_99=3.5, FROM_DOMAIN_NOVOWEL=0.5, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jkznM1rgCL7U; Thu, 14 Jun 2012 11:16:46 -0700 (PDT)
Received: from promanage-inc.com (eliasisrael.com [50.47.36.5]) by ietfa.amsl.com (Postfix) with ESMTP id 27B8221F8628; Thu, 14 Jun 2012 11:16:45 -0700 (PDT)
Received: from [192.168.168.185] ([192.168.168.185]) (authenticated bits=0) by promanage-inc.com (8.14.4/8.14.4) with ESMTP id q5EIGhue002955 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Thu, 14 Jun 2012 11:16:43 -0700
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="iso-8859-1"
From: Eve Maler <eve@xmlgrrl.com>
In-Reply-To: <1339613945.46084.YahooMailNeo@web31813.mail.mud.yahoo.com>
Date: Thu, 14 Jun 2012 11:16:42 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <54EEB138-ABDA-429F-9B0E-0F42D66F96A7@xmlgrrl.com>
References: <1339601256.43890.YahooMailNeo@web31803.mail.mud.yahoo.com> <4FD8B646.3080509@stpeter.im> <A09A9E0A4B9C654E8672D1DC003633AE53A101D6D4@GRFMBX704BA020.griffon.local> <1339611594.26607.YahooMailNeo@web31806.mail.mud.yahoo.com> <D9EDFA93-7840-40EC-881D-03E8DF2F79AD@xmlgrrl.com> <1339613945.46084.YahooMailNeo@web31813.mail.mud.yahoo.com>
To: William Mills <wmills@yahoo-inc.com>
X-Mailer: Apple Mail (2.1278)
Cc: Apps Discuss <apps-discuss@ietf.org>, Goix Laurent Walter <laurentwalter.goix@telecomitalia.it>, O Auth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] [apps-discuss] OAuth discovery registration.
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jun 2012 18:16:47 -0000
FWIW, the reason we ultimately went with JSON was that it removed stumbling blocks around implementation and sheer spec volume. When we used straight XRD, we found that we had to put a full worked example in an appendix so it didn't impede the flow of the spec, and implementers reported to us that JSON would have been much preferable for producing and consuming the config data. When we found the OpenID Connect example, it was a natural fit and so we copied it. (Not trying to open up past "JRD" discussions, just sharing our experience... If OAuth ultimately absorbs some XRD-formatted hunk of machine-discoverable config data, we'll leverage it.) Eve On 13 Jun 2012, at 11:59 AM, William Mills wrote: > We certainly overlap, the thing you have that is not in the link type registrations is dynamic_client_registration_supported. We should be consistent in naming, and ideally the OAuth related JSON elements from a JSON format Webfinger request and your UMA stuff shoudl be identical. My concern with using a JSON list structure for capability lists is how it would play in the LINK header itself, that seems a bit hairy to put a JSON list inside a quoted application data value. > > Do we want something like a "capabilities" list which could include dynamic_client_registration_supported and perhaps others? > > -bill > > > > > ----- Original Message ----- >> From: Eve Maler <eve@xmlgrrl.com> >> To: William Mills <wmills@yahoo-inc.com> >> Cc: Goix Laurent Walter <laurentwalter.goix@telecomitalia.it>; Peter Saint-Andre <stpeter@stpeter.im>; O Auth WG <oauth@ietf.org>; Apps Discuss <apps-discuss@ietf.org> >> Sent: Wednesday, June 13, 2012 11:38 AM >> Subject: Re: [OAUTH-WG] [apps-discuss] OAuth discovery registration. >> >> Hi Bill-- In incorporating OAuth into several of the UMA flows, we found a need >> for the authorization server to provide OAuth-related metadata along with >> UMA-specific metadata. Originally it was strictly XRD- and hostmeta-based, but >> now uses a JSON format and is more akin to OpenID Connect's metadata in >> style: >> >> http://docs.kantarainitiative.org/uma/draft-uma-core.html#am-endpoints >> >> Do you feel that this new draft is something that ultimately *should* replace >> the OAuth-specific parts of the metadata we've spec'd out for our use >> case? Note that we went beyond just the two endpoints, also covering a feature >> toggle for "dynamic_client_registration_supported" and lists of >> "oauth_token_profiles_supported" and >> "oauth_grant_types_supported". The purpose in doing this was to >> provide a machine-readable mechanism for aiding OAuth-level interop. >> >> Thanks, >> >> Eve >> >> On 13 Jun 2012, at 11:19 AM, William Mills wrote: >> >>> On the informational status, that seemed right, but I honestly don't >> know what the correct choice is here. The actual registration happens via >> e-mail I believe, not via this document. >>> >>> Thanks for the feedback! >>> >>> -bill >>> >>> >>> >>> ----- Original Message ----- >>>> From: Goix Laurent Walter <laurentwalter.goix@telecomitalia.it> >>>> To: Peter Saint-Andre <stpeter@stpeter.im>; William Mills >> <wmills@yahoo-inc.com> >>>> Cc: O Auth WG <oauth@ietf.org>; Apps Discuss >> <apps-discuss@ietf.org> >>>> Sent: Wednesday, June 13, 2012 9:44 AM >>>> Subject: R: [apps-discuss] [OAUTH-WG] OAuth discovery registration. >>>> >>>> T hank you William for this initiative. >>>> >>>> I had similar concerns than Peter on authn vs authz. >>>> >>>> Under section 4.1.1 I would suggest to use "oauth2-authorize" >> instead >>>> of "oauth2-authenticator", to be consistent with the >>>> "oauth2-token" pattern and with the concepts of the oauth2 >> draft. >>>> >>>> The header of the pages still reference sasl/gss-api and would need to >> be >>>> updated. >>>> >>>> Also, an example and/or use case section could be beneficial, e.g. to >> describe >>>> its usage in an xrd document. Other use cases may be mentioned as well >> probably. >>>> >>>> I have also noticed that your draft is mentioned as >> "informational". >>>> It is indeed your target or only a typo? >>>> >>>> Thanks >>>> walter >>>> >>>>> -----Messaggio originale----- >>>>> Da: apps-discuss-bounces@ietf.org >> [mailto:apps-discuss-bounces@ietf.org] >>>> Per >>>>> conto di Peter Saint-Andre >>>>> Inviato: mercoledì 13 giugno 2012 17.48 >>>>> A: William Mills >>>>> Cc: O Auth WG; Apps Discuss >>>>> Oggetto: Re: [apps-discuss] [OAUTH-WG] OAuth discovery >> registration. >>>>> >>>>> On 6/13/12 9:27 AM, William Mills wrote: >>>>>> >>>>>> Since for the OAUTH SASL mechanism I need discovery for clients >> to >>>>>> work, and I had to rip the in-band discovery out of that >> mechanism, >>>>>> and I need it defined somewhere, I've drafted a small doc >> for the >>>>>> registration of link relation types for OAuth. It's too >> late in >>>> the >>>>>> process to get this into the core OAuth 2 spec, and it >> doesn't >>>> really >>>>>> fit in the WebFinger. Submission info provided below. >>>>> >>>>> Hi Bill, overall this looks good. A few nits: >>>>> >>>>> OLD >>>>> This document defines the LRDD [RFC5988] link type >> registrations for >>>>> the OAuth [I-D.ietf-oauth-v2] authentication framework. These >> link >>>>> types are used during the endpoint discovery process using Web >> Host >>>>> Metadata [I-D.hammer-hostmeta] and Webfinger >>>>> [I-D.jones-appsawg-webfinger] by clients needing to discover >> the >>>>> authentication endpoints for a service or site. It >> additionally >>>>> defines link type registrations for OAuth 1.0a [RFC5849]. >>>>> >>>>> NEW >>>>> This document defines the Link-based Resource Descriptor >>>>> Documents (LRDD) [RFC6415] link type registrations for the >>>>> OAuth [I-D.ietf-oauth-v2] authorization framework. These link >>>>> types are used during the endpoint discovery process using Web >>>>> Host Metadata [RFC6415] and Webfinger >>>>> [I-D.jones-appsawg-webfinger] by clients needing to discover >> the >>>>> authorization, token, and access token endpoints for an OAuth2 >>>>> service or site. It additionally defines link type >> registrations for >>>>> OAuth >>>>> 1.0a [RFC5849] request initiation endpoints, authorization >> endpoints, >>>>> and token endpoints. >>>>> >>>>> In Section 4.1.1, you register an "OAuth 2 Authentication >>>> Endpoint", >>>>> however draft-ietf-oauth-v2 defines only an authorization endpoint, >> a >>>>> token endpoint, and an access token endpoint. Whence this >>>>> "authentication endpoint"? Is it just a typo? >>>>> >>>>> Also, is the lack of a link type for OAuth2 access token endpoints >> an >>>>> oversight? It seems so. >>>>> >>>>> You have "Reference: [[this document]]" but I think you >> want: >>>>> >>>>> Reference: draft-ietf-oauth-v2 >>>>> >>>>> and >>>>> >>>>> Reference: RFC 5849 >>>>> >>>>> You can remove the reference for draft-hammer-hostmeta (RFC 6415 >> has >>>>> what you need). >>>>> >>>>> Peter >>>>> >>>>> -- >>>>> Peter Saint-Andre >>>>> https://stpeter.im/ >>>>> >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> apps-discuss mailing list >>>>> apps-discuss@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/apps-discuss >>>> >>>> Questo messaggio e i suoi allegati sono indirizzati esclusivamente alle >> persone >>>> indicate. La diffusione, copia o qualsiasi altra azione derivante dalla >> >>>> conoscenza di queste informazioni sono rigorosamente vietate. Qualora >> abbiate >>>> ricevuto questo documento per errore siete cortesemente pregati di >> darne >>>> immediata comunicazione al mittente e di provvedere alla sua >> distruzione, >>>> Grazie. >>>> >>>> This e-mail and any attachments is confidential and may contain >> privileged >>>> information intended for the addressee(s) only. Dissemination, copying, >> printing >>>> or use by anybody else is unauthorised. If you are not the intended >> recipient, >>>> please delete this message and any attachments and advise the sender by >> return >>>> e-mail, Thanks. >>>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> >> >> Eve Maler http://www.xmlgrrl.com/blog >> +1 425 345 6756 http://www.twitter.com/xmlgrrl >> > Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl
- [OAUTH-WG] OAuth discovery registration. William Mills
- Re: [OAUTH-WG] OAuth discovery registration. Peter Saint-Andre
- Re: [OAUTH-WG] OAuth discovery registration. Eran Hammer
- Re: [OAUTH-WG] OAuth discovery registration. Peter Saint-Andre
- [OAUTH-WG] R: [apps-discuss] OAuth discovery regi… Goix Laurent Walter
- Re: [OAUTH-WG] R: [apps-discuss] OAuth discovery … William Mills
- Re: [OAUTH-WG] R: [apps-discuss] OAuth discovery … Eran Hammer
- Re: [OAUTH-WG] OAuth discovery registration. William Mills
- Re: [OAUTH-WG] [apps-discuss] OAuth discovery reg… Eve Maler
- Re: [OAUTH-WG] OAuth discovery registration. Eran Hammer
- Re: [OAUTH-WG] [apps-discuss] OAuth discovery reg… William Mills
- Re: [OAUTH-WG] OAuth discovery registration. William Mills
- Re: [OAUTH-WG] [apps-discuss] OAuth discovery reg… Eve Maler
- Re: [OAUTH-WG] OAuth discovery registration... -0… William Mills