Re: [OAUTH-WG] AS Discovery in Distributed Draft
Justin P Richer <jricher@mit.edu> Tue, 06 November 2018 05:57 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16E69130DD2 for <oauth@ietfa.amsl.com>; Mon, 5 Nov 2018 21:57:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id feAYZxNOCZPL for <oauth@ietfa.amsl.com>; Mon, 5 Nov 2018 21:57:40 -0800 (PST)
Received: from dmz-mailsec-scanner-4.mit.edu (dmz-mailsec-scanner-4.mit.edu [18.9.25.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E602C128CF2 for <oauth@ietf.org>; Mon, 5 Nov 2018 21:57:39 -0800 (PST)
X-AuditID: 1209190f-77dff70000001f06-9d-5be12d52f943
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-4.mit.edu (Symantec Messaging Gateway) with SMTP id 31.12.07942.25D21EB5; Tue, 6 Nov 2018 00:57:38 -0500 (EST)
Received: from outgoing-exchange-1.mit.edu (OUTGOING-EXCHANGE-1.MIT.EDU [18.9.28.15]) by mailhub-auth-1.mit.edu (8.14.7/8.9.2) with ESMTP id wA65vaJG014309; Tue, 6 Nov 2018 00:57:37 -0500
Received: from W92EXEDGE5.EXCHANGE.MIT.EDU (W92EXEDGE5.EXCHANGE.MIT.EDU [18.7.73.22]) by outgoing-exchange-1.mit.edu (8.14.7/8.12.4) with ESMTP id wA65voLc014161; Tue, 6 Nov 2018 00:57:51 -0500
Received: from W92EXHUB11.exchange.mit.edu (18.7.73.20) by W92EXEDGE5.EXCHANGE.MIT.EDU (18.7.73.22) with Microsoft SMTP Server (TLS) id 14.3.339.0; Tue, 6 Nov 2018 00:56:46 -0500
Received: from OC11EXPO25.exchange.mit.edu ([169.254.1.63]) by W92EXHUB11.exchange.mit.edu ([18.7.73.20]) with mapi id 14.03.0352.000; Tue, 6 Nov 2018 00:57:34 -0500
From: Justin P Richer <jricher@mit.edu>
To: David Waite <david@alkaline-solutions.com>
CC: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] AS Discovery in Distributed Draft
Thread-Index: AQHUdZBElSFnGdM690mDE7xRj+9jzqVCjcqAgAAGH4A=
Date: Tue, 06 Nov 2018 05:57:33 +0000
Message-ID: <3426BA45-12CB-4C5E-BBB7-2F705998BAE7@mit.edu>
References: <CFFB07DA-F980-4B47-95D9-051BF660D736@mit.edu> <FA19C20D-59B9-47F1-B874-C15204CD87BD@alkaline-solutions.com>
In-Reply-To: <FA19C20D-59B9-47F1-B874-C15204CD87BD@alkaline-solutions.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [18.9.1.94]
Content-Type: multipart/alternative; boundary="_000_3426BA4512CB4C5EBBB72F705998BAE7mitedu_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprGJsWRmVeSWpSXmKPExsUixCmqrBuk+zDaYNYaRYvF39+zWJx8+4rN gcnj/o7fTB5LlvxkCmCK4rJJSc3JLEst0rdL4Mr4uuAHa8Ezp4prXXOYGhg/O3QxcnJICJhI tE6bydrFyMUhJLCGSWJv93w2CGc/o8TZbx3MEM5RRokvW88yQjjbGCXa/0+EclYySjy6OJ0V ZBibgLrEtml3mEBsEQE9iXfPbzCD2MwCqhLrV18EiwsLWEpMXf2GGaLGSuLE3YksMPbBj7fZ QGwWARWJDau/gNXwAsVbJmxnB7GFBKok/t87BlbPKeAlMXPKW7CZjAJiEt9PrWGC2CUucevJ fCaI5wQkluw5zwxhi0q8fPyPFcKWlWj5fJMVoj5O4sSV5VC7BCVOznzCMoFRfBaSUbOQlM1C UjaLkQMorimxfpc+RImixJTuh+wQtoZE65y5ULa9xL3XDezIahYwcqxilE3JrdLNTczMKU5N 1i1OTszLSy3SNdHLzSzRS00p3cQIjmZJ/h2Mcxq8DzEKcDAq8fByFDyIFmJNLCuuzD3EKMnB pCTK28HyMFqILyk/pTIjsTgjvqg0J7X4EKMEB7OSCK8SG1A5b0piZVVqUT5MSpqDRUmcd0LL 4mghgfTEktTs1NSC1CKYrAwHh5IEb4gO0FDBotT01Iq0zJwShDQTByfIcB6g4TEgNbzFBYm5 xZnpEPlTjJYcj2Z0zGDmeAcmr5zpnMEsxJKXn5cqJc5bpw3UIADSkFGaBzcTnJzZPcVeMYoD vSjM2wsylgeY2OGmvgJayAS08J4syDfFJYkIKakGRjWtIyfT//1m+PSmqJVxwy7p60wcUdI1 m2wOzHpycNJfK59MzpO2k/4mVK+TlY/frlqa0JZ4cd7+xL/+dYpMm1q/nrjJFctevWL5U1Pf fQE3Mm6GlC2+/3+LtHtP7vXtZ++6tL+Z/vz+nvNfrvwRecGYdOPUBRmx0oaXaUmrX3I2vWbd cHxhWKMSS3FGoqEWc1FxIgDdPBipqQMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3UdL19uXlFYJsns8ScQkv6ZD9ik>
Subject: Re: [OAUTH-WG] AS Discovery in Distributed Draft
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Nov 2018 05:57:42 -0000
The need is in the distributed OAuth draft, which has more detail of its use case. The problem with using either the token or authorization endpoint as the sole identity of the auth server is that Oauth doesn’t stick to just one of them and there’s no solid way to tie them together apart from AS discovery. — Justin On Nov 6, 2018, at 12:35 AM, David Waite <david@alkaline-solutions.com<mailto:david@alkaline-solutions.com>> wrote: Is there a need for a client to understand the identity of an authorization server? This would seem to mean that the token or authorization endpoint would need to be that identity, rather than the issuer (since now the metadata might not be from an authoritative location) -DW On Nov 5, 2018, at 10:19 PM, Justin P Richer <jricher@mit.edu<mailto:jricher@mit.edu>> wrote: In the meeting tonight I brought up a response to the question of whether to have full URL or plain issuer for the auth server in the RS response’s header. My suggestion was that we have two different parameters to the header to represent the AS: one of them being the full URL (as_uri) and one of them being the issuer to be constructed somehow (as_issuer). I ran into a similar problem on a system that I built last year where all of our servers had discovery documents but not all of them were easily constructed from an issuer style URL (using OIDC patterns anyway). So we solved it by having two different variables. If the full URL was set, we used that; if it wasn’t, we tried the issuer; if neither was set we didn’t do any discovery. I’m sensitive to Torsten’s concerns about complexity, but I think this is a simple and deterministic solution that sidesteps much of the issue. No pun intended. — Justin _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] AS Discovery in Distributed Draft Justin P Richer
- Re: [OAUTH-WG] AS Discovery in Distributed Draft David Waite
- Re: [OAUTH-WG] AS Discovery in Distributed Draft Justin P Richer
- Re: [OAUTH-WG] AS Discovery in Distributed Draft George Fletcher
- Re: [OAUTH-WG] AS Discovery in Distributed Draft Phil Hunt
- Re: [OAUTH-WG] AS Discovery in Distributed Draft Dick Hardt
- Re: [OAUTH-WG] AS Discovery in Distributed Draft Dick Hardt
- Re: [OAUTH-WG] AS Discovery in Distributed Draft Dick Hardt
- Re: [OAUTH-WG] AS Discovery in Distributed Draft George Fletcher
- Re: [OAUTH-WG] AS Discovery in Distributed Draft Phil Hunt
- Re: [OAUTH-WG] AS Discovery in Distributed Draft n-sakimura
- Re: [OAUTH-WG] AS Discovery in Distributed Draft Dick Hardt