Re: [OAUTH-WG] OAuth 2.0 Discovery Location

Thomas Broyer <t.broyer@gmail.com> Wed, 24 February 2016 15:01 UTC

References: <E3BDAD5F-6DE2-4FB9-AEC0-4EE2D2BF8AC8@mit.edu> <CAEayHEMspPw3pu9+ZudkMp9pBPy2YYkiXfPvFpSwqZDVyixWxQ@mail.gmail.com> <CABzCy2CpSB2Nrs-QoaEwpqtG4J8UNeAYNy1rion=mp5PQD2dmg@mail.gmail.com>
In-Reply-To: <CABzCy2CpSB2Nrs-QoaEwpqtG4J8UNeAYNy1rion=mp5PQD2dmg@mail.gmail.com>
From: Thomas Broyer <t.broyer@gmail.com>
Date: Wed, 24 Feb 2016 15:00:58 +0000
Message-ID: <CAEayHEN460jz4BSoxKZ9t7JLc016oAeFkWkcxTD0Gte=Ed141w@mail.gmail.com>
To: Nat Sakimura <sakimura@gmail.com>, Justin Richer <jricher@mit.edu>, "<oauth@ietf.org>" <oauth@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/7E2b4UbQBmTd-rejzxJHBsMfn_A>

Hi Nat,

On Wed, Feb 24, 2016 at 12:54 PM Nat Sakimura <sakimura@gmail.com> wrote:

> On Mon, 22 Feb 2016 at 18:44 Thomas Broyer <t.broyer@gmail.com> wrote:
>
>> (well, except if there are several ASs each with different scopes; sounds
>> like an edge-case to me though; maybe RFC6750 should instead be updated
>> with such a parameter such that an RS could return several
>> WWW-Authenticate: Bearer, each with its own "scope" and "duri" value?)
>
> Yeah, I guess it is an edge case. I would rather like to see these authz
> servers develop a trust framework under which they can agree on a single
> set of common scope parameter values.

Well, except that adding the "duri" and "auri" metadata links to the
"WWW-Authenticate: Bearer" response header(s) would easily solve those
issues (without judging here whether they're edge-case or not), and I don't
really see any other use-case for that metadata outside the unauthorized
use of a resource (your draft admits it's the "typical use-case").
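The scheme discussed in this thread (an RS answering 401 with several "WWW-Authenticate: Bearer" challenges, each carrying its own "scope" and a discovery link) only works if clients parse a multi-challenge header correctly and do not blindly follow whatever URI the RS hands them. The example below is added here as an illustration; it is not code from the discovery draft or from any participant in the thread. "duri" is the parameter name proposed in the thread, not a registered RFC 6750 parameter, the hostnames and paths are constructed, and the allow-list of trusted issuer hosts is a practitioner's caveat that the message itself does not state (an RS the client does not fully trust could otherwise steer it to an attacker-controlled AS).

```python
"""Parse a multi-challenge WWW-Authenticate header and pick the Bearer
challenge (and its proposed 'duri' discovery link) that covers the scopes
a client needs.  Added example; 'duri' and all sample values are assumptions."""
from __future__ import annotations

import re
from urllib.parse import urlparse

# RFC 7230 token and quoted-string grammar; RFC 7235 separates both challenges
# and auth-params with commas, so a bare token NOT followed by '=' starts a new
# challenge.  (token68 values such as "Negotiate abc==" are not handled here.)
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM = re.compile(rf"\s*({_TOKEN})\s*=\s*({_TOKEN}|{_QUOTED})\s*")
_SCHEME = re.compile(rf"\s*({_TOKEN})(?=\s|,|$)")
_SKIP = re.compile(r"[\s,]*")


def parse_www_authenticate(header: str) -> list[dict]:
    """Return [{'scheme': 'bearer', 'params': {...}}, ...] in header order."""
    challenges: list[dict] = []
    current: dict | None = None
    pos, end = 0, len(header)
    while pos < end:
        pos = _SKIP.match(header, pos).end()       # eat separators
        if pos >= end:
            break
        m = _PARAM.match(header, pos)
        if m and current is not None:              # auth-param of the open challenge
            name, value = m.group(1).lower(), m.group(2)
            if value.startswith('"'):              # unescape quoted-pair
                value = re.sub(r"\\(.)", r"\1", value[1:-1])
            current["params"][name] = value
            pos = m.end()
            continue
        m = _SCHEME.match(header, pos)
        if not m:
            raise ValueError(f"malformed challenge at offset {pos}: {header[pos:pos + 20]!r}")
        current = {"scheme": m.group(1).lower(), "params": {}}
        challenges.append(current)
        pos = m.end()
    return challenges


def pick_authorization_server(header: str, needed_scopes: set[str],
                              trusted_issuer_hosts: set[str]) -> dict | None:
    """First Bearer challenge whose scope covers needed_scopes and whose 'duri'
    is an https URI on a host the client already trusts; None if there is none."""
    for ch in parse_www_authenticate(header):
        if ch["scheme"] != "bearer":
            continue
        params = ch["params"]
        offered = set(params.get("scope", "").split())
        if not needed_scopes <= offered:
            continue
        duri = params.get("duri")                  # hypothetical discovery-URI parameter
        if duri is None:
            continue
        u = urlparse(duri)
        if u.scheme != "https" or u.netloc not in trusted_issuer_hosts:
            continue                               # caveat: never follow an RS to an arbitrary AS
        return {"realm": params.get("realm"), "scope": offered, "duri": duri}
    return None


# Constructed 401 response header: two legitimate ASs plus one the RS should not
# be able to push the client towards (plain http, unknown host).
SAMPLE_HEADER = (
    'Bearer realm="photos", scope="photo:read photo:write", '
    'duri="https://as1.example.com/discovery", '
    'Bearer realm="billing", scope="invoice:read", '
    'duri="https://as2.example.com/discovery", '
    'Bearer realm="mixup", scope="invoice:read admin", '
    'duri="http://attacker.example/discovery"'
)
TRUSTED_HOSTS = {"as1.example.com", "as2.example.com"}

if __name__ == "__main__":
    for ch in parse_www_authenticate(SAMPLE_HEADER):
        print(ch)
    print(pick_authorization_server(SAMPLE_HEADER, {"invoice:read"}, TRUSTED_HOSTS))
    print(pick_authorization_server(SAMPLE_HEADER, {"admin"}, TRUSTED_HOSTS))
```

The parser deliberately treats a bare token without "=" as the start of the next challenge, which is the part most ad-hoc `split(",")` implementations get wrong once a "scope" value itself contains spaces or a quoted "realm" contains a comma.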