Re: [OAUTH-WG] Charter- was Re: Client Instances of An Application - Was: Re: Last call review of draft-ietf-oauth-dyn-reg-10
Eve Maler <eve@xmlgrrl.com> Wed, 22 May 2013 16:04 UTC
Return-Path: <eve@xmlgrrl.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FE3621F86D3 for <oauth@ietfa.amsl.com>; Wed, 22 May 2013 09:04:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.988
X-Spam-Level:
X-Spam-Status: No, score=0.988 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FROM_DOMAIN_NOVOWEL=0.5, HTML_FONT_FACE_BAD=0.884, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ONSin5eMngSD for <oauth@ietfa.amsl.com>; Wed, 22 May 2013 09:04:39 -0700 (PDT)
Received: from mail.promanage-inc.com (eliasisrael.com [50.47.36.5]) by ietfa.amsl.com (Postfix) with ESMTP id BAAD421F9643 for <oauth@ietf.org>; Wed, 22 May 2013 09:04:28 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.promanage-inc.com (Postfix) with ESMTP id 4CAD014B6C59; Wed, 22 May 2013 09:04:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at promanage-inc.com
Received: from mail.promanage-inc.com ([127.0.0.1]) by localhost (greendome.promanage-inc.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Th0W0d6jhYKp; Wed, 22 May 2013 09:04:22 -0700 (PDT)
Received: from [192.168.168.111] (unknown [192.168.168.111]) by mail.promanage-inc.com (Postfix) with ESMTPSA id 2150914B6C23; Wed, 22 May 2013 09:04:22 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
Content-Type: multipart/alternative; boundary="Apple-Mail=_C8D0F9B2-233A-4D73-8FE3-A80E21C1629B"
From: Eve Maler <eve@xmlgrrl.com>
In-Reply-To: <DA5924D0-BFB0-4866-AB21-DC9043ECD385@ve7jtb.com>
Date: Wed, 22 May 2013 09:04:21 -0700
Message-Id: <F5F0738B-6800-4FA7-A074-4D616846B641@xmlgrrl.com>
References: <85AA2C66-108B-4276-92EE-2D7566E54990@oracle.com> <6AF52CCD-4D6B-4696-8465-3345FFFDBE9C@mitre.org> <A1F47E63-DFE6-41A2-9F91-2DB44091D94C@oracle.com> <8EFC7565-0E81-4688-9AEB-459E7503F609@mitre.org> <6D11C230-31F6-4206-8F29-B1F2BFB5C17E@oracle.com> <4E1F6AAD24975D4BA5B16804296739436773435C@TK5EX14MBXC283.redmond.corp.microsoft.com> <B0C50AAD-97F0-4E55-A30D-C011B012A3DB@oracle.com> <519A42B4.2020803@mitre.org> <2B22BE68-6903-4C5B-8B0F-A10EB5BA74FE@oracle.com> <519B7AA5.3070908@mitre.org>, <BC6270E5-9DA7-4887-93C9-65C0D7471C66@oracle.com> <4E1F6AAD24975D4BA5B168042967394367748E19@TK5EX14MBXC283.redmond.corp.microsoft.com>, <E246628C-B5E5-439E-9BA2-F1B047EF15BE@oracle.com> <4E1F6AAD24975D4BA5B168042967394367749249@TK5EX14MBXC283.redmond.corp.microsoft.com> <DA5924D0-BFB0-4866-AB21-DC9043ECD385@ve7jtb.com>
To: John Bradley <ve7jtb@ve7jtb.com>
X-Mailer: Apple Mail (2.1503)
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Charter- was Re: Client Instances of An Application - Was: Re: Last call review of draft-ietf-oauth-dyn-reg-10
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 May 2013 16:04:43 -0000
Coming in late to this thread: I agree broadly with Justin, Mike, and John. Having an in-band just-in-time registration capability is valuable. By analogy with user identifiers, it's useful for client identifiers to be issued for the asking as the first rung of an assurance (real-world identification/strong ongoing correlation) ladder. UMA definitely needs this because it requires further, finer-grained authorization to assign any significant access rights to clients and their wielders ("requesting parties") -- getting a token is, by itself, not very meaningful. If you want, you can consider this approach a mitigation of the risks in issuing client IDs for the asking... Eve On 21 May 2013, at 1:28 PM, John Bradley <ve7jtb@ve7jtb.com> wrote: > I agree with Mike, I don't think we are loosing anything, only gaining. > > I think it is a false statement to say that having multiple client instances with the same client_id and secret is a feature. > > In reality with public clients or public clients masquerading as private ones the only real way for the AS to tell them apart in OAuth is by redirect_uri. We are not changing that, though we are perhaps making it cleaner that client_id for public clients can't be relied upon in any way. Previously we had what was more or less assumed to be a one to one mapping of client_id to redirect for native clients. > > Once we start assigning unique client_id to instances of clients that are all going to be using the same redirect_uri there are a lot of question a AS has to decide, such as can two client_id register the same redirect_uri? That could well cause all sorts of race conditions on the device if you have two apps fighting over the same custom scheme. > > So I think in reality the piece of information that a registration server that is going to need to look at is the custom url scheme for apps, probably disallowing multiple anonymous registrations for the same custom scheme. > > Getting into the details of how app stores allocate schemes to developers etc is out of scope for this spec. Someone can build something more sophisticated on top of dynamic registration, but there are a lot of issues outside of the simple how is a client registering for a client_id and secret without forcing a manual step through a web portal. > > I honestly don't think adding some new application identifier solves the problem. That information is in the redirect_uri for native apps, and the problem doesn't exist for web server clients. > > John B. > > On 2013-05-21, at 2:28 PM, Mike Jones <Michael.Jones@microsoft.com> wrote: > >> What is the loss of information that you’re concerned about? It seems odd to me that you’re asserting that there's information loss when the operations performed by Dynamic Client Registration are equivalent to those that are performed by out-of-band OAuth developer portals today. It’s just automating a formerly manual process. >> >> -- Mike >> >> >> From: Phil Hunt >> Sent: Tuesday, May 21, 2013 11:20 AM >> To: Mike Jones >> Cc: Justin P. Richer, oauth@ietf.org WG >> >> Mike, >> >> There is an operational loss of information in the dynamic registration spec. >> >> Phil >> >> @independentid >> www.independentid.com >> phil.hunt@oracle.com >> On 2013-05-21, at 10:52 AM, Mike Jones wrote: >> >> No information is being thrown away. Developers can use dynamic registration to obtain a client_id and then have all the client instances use that client_id if they choose - just like they can do when doing out-of-band registration with a site’s developer portal. The only difference is that they don’t have to do out-of-band registration anymore! >> >> -- Mike >> Eve Maler http://www.xmlgrrl.com/blog +1 425 345 6756 http://www.twitter.com/xmlgrrl
- [OAUTH-WG] Last call review of draft-ietf-oauth-d… Phil Hunt
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Richer, Justin P.
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Phil Hunt
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Richer, Justin P.
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Phil Hunt
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Richer, Justin P.
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Phil Hunt
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Justin Richer
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Mike Jones
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Phil Hunt
- [OAUTH-WG] Client Instances of An Application - W… Phil Hunt
- Re: [OAUTH-WG] Client Instances of An Application… Mike Jones
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Mike Jones
- Re: [OAUTH-WG] Client Instances of An Application… Phil Hunt
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Justin Richer
- Re: [OAUTH-WG] Client Instances of An Application… Justin Richer
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… John Bradley
- Re: [OAUTH-WG] Client Instances of An Application… Phil Hunt
- Re: [OAUTH-WG] Client Instances of An Application… Justin Richer
- Re: [OAUTH-WG] Client Instances of An Application… Phil Hunt
- [OAUTH-WG] Charter- was Re: Client Instances of A… Phil Hunt
- Re: [OAUTH-WG] Charter- was Re: Client Instances … Justin Richer
- Re: [OAUTH-WG] Client Instances of An Application… Justin Richer
- Re: [OAUTH-WG] Client Instances of An Application… Phil Hunt
- Re: [OAUTH-WG] Charter- was Re: Client Instances … Mike Jones
- Re: [OAUTH-WG] Charter- was Re: Client Instances … Phil Hunt
- Re: [OAUTH-WG] Charter- was Re: Client Instances … Mike Jones
- Re: [OAUTH-WG] Charter- was Re: Client Instances … John Bradley
- Re: [OAUTH-WG] Charter- was Re: Client Instances … Eve Maler
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Derek Atkins
- Re: [OAUTH-WG] Client Instances of An Application… Derek Atkins
- Re: [OAUTH-WG] Client Instances of An Application… Phil Hunt
- Re: [OAUTH-WG] Client Instances of An Application… Phil Hunt
- Re: [OAUTH-WG] Client Instances of An Application… Phil Hunt
- Re: [OAUTH-WG] Client Instances of An Application… Torsten Lodderstedt
- Re: [OAUTH-WG] Client Instances of An Application… Phil Hunt
- Re: [OAUTH-WG] Last call review of draft-ietf-oau… Justin Richer
- Re: [OAUTH-WG] Client Instances of An Application… Justin Richer
- Re: [OAUTH-WG] Client Instances of An Application… George Fletcher
- Re: [OAUTH-WG] Client Instances of An Application… George Fletcher
- Re: [OAUTH-WG] Client Instances of An Application… Anganes, Amanda L
- Re: [OAUTH-WG] Client Instances of An Application… Justin Richer
- Re: [OAUTH-WG] Client Instances of An Application… John Bradley