[OAUTH-WG] Re: Opsdir last call review of draft-ietf-oauth-resource-metadata-08

Michael Jones <michael_b_jones@hotmail.com> Wed, 11 September 2024 02:25 UTC

From: Michael Jones <michael_b_jones@hotmail.com>
To: Bo Wu <lana.wubo@huawei.com>, "ops-dir@ietf.org" <ops-dir@ietf.org>
Date: Wed, 11 Sep 2024 02:25:32 +0000
Message-ID: <SJ0PR02MB743976BC0D1849638E4769FBB79B2@SJ0PR02MB7439.namprd02.prod.outlook.com>
References: <172493598435.69923.1519783976733419021@dt-datatracker-68b7b78cf9-q8rsp>
In-Reply-To: <172493598435.69923.1519783976733419021@dt-datatracker-68b7b78cf9-q8rsp>
CC: "draft-ietf-oauth-resource-metadata.all@ietf.org" <draft-ietf-oauth-resource-metadata.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: [OAUTH-WG] Re: Opsdir last call review of draft-ietf-oauth-resource-metadata-08
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7ELpai4CIfdyPlC7QSvcAtO7cO0>

Thanks for your review, Bo.  My replies are inline below, prefixed by "Mike>".

-----Original Message-----
From: Bo Wu via Datatracker <noreply@ietf.org> 
Sent: Thursday, August 29, 2024 5:53 AM
To: ops-dir@ietf.org
Cc: draft-ietf-oauth-resource-metadata.all@ietf.org; last-call@ietf.org; oauth@ietf.org
Subject: Opsdir last call review of draft-ietf-oauth-resource-metadata-08

Reviewer: Bo Wu
Review result: Has Nits

Hi,

I'm the assigned Ops reviewer. I think this document is ready with nits.

Here are some nits and questions:

nits:

1)
The Figure 1 Sequence Diagram does not seem to match the text in the steps.
For example, step 5 in the diagram corresponds to step 5 and the first half of step 6 in the text description, and there is no "user agent" (step 8) in the diagram. Therefore, it is recommended that sequence numbers be added to the diagram.

Mike> I'll plan to work with Aaron Parecki to add numbers to the diagram, if possible.  (It may be tricky, because there are both SVG https://drafts.oauth.net/draft-ietf-oauth-resource-metadata/draft-ietf-oauth-resource-metadata.html#name-sequence-diagram and ASCII ART https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-08.txt versions of the diagram.)  This issue is tracked at https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata/issues/49.

2)
s/The resource value returned/The "resource" value returned

Mike> In both cases, the word "resource" is in a fixed-width font as a result of denoting it as <spanx style="verb">resource</spanx> in the XML source (which will be transformed to <tt>resource</tt> in the XML2RFC v3 source) to mark it as being a protocol element.  In xml2rfc v1 this would have resulted in a fixed-width font in the HTML output and "resource" in the .txt output, but the newer tooling omits the double quotes in the .txt output for some reason.  I'm prone to go with the choices made by the IETF's tooling and not manually add the double quotes.

3)
s/specific member names such as resource/specific member names such as "resource"

Mike> Same situation.  "resource" here is already in a fixed-width font because its source is <spanx style="verb">resource</spanx>.

Some questions:

1)

Section 1 Introduction

   The metadata for a protected resource is retrieved from a well-known
   location as a JSON [RFC8259] document, which declares information
   about its capabilities and optionally, its relationships to other
   services.

Do other services refer to authorization servers? If yes, then it is recommended to use authorization servers directly.

Mike> Yes, the metadata for Authorization Servers is also retrieved from a well-known URL, as described at https://www.rfc-editor.org/rfc/rfc8414.html#section-3.  This specification follows that pattern.  The "authorization_servers" value is a set of AS issuer identifiers, as defined in RFC 8414.  That enables retrieving their metadata in that way.

2)
Section 1 Introduction

The means by which the client obtains the location of the protected resource is out of scope. In some cases, the location may be manually configured into the client.

In Section 5.3, there is also text:

   This specification is intended to be deployed in scenarios where the
   client has no prior knowledge about the resource server,

It seems that text in Introduction means that the resource server is prior knowledge of the client if I understand correctly. Am I correct?

Mike> Actually, the client may learn about the resource server at runtime as a result of user interface actions by the person using the client.  The client might be, for instance, an e-mail reader and the resource might be an e-mail server.  The client can be pointed at any of thousands of e-mail servers worldwide, which would be the resources.

Aaron Parecki did a good job explaining that motivating use case several IETFs ago.  I'll try to dig that up and we'll consider describing it in the draft.

3)

Section 1.2. Terminology

Resource Identifier:

The Protected resource's resource identifier, which is a URL that uses the https scheme and has no query or fragment components.
Protected resource metadata is published at a .well-known location [RFC8615] derived from this resource identifier, as described in Section 3.

resource
REQUIRED. The protected resource's resource identifier, which is a URL that uses the https scheme and has no query or fragment components. Using these well-known resources is described in Section 3.

The two descriptions look almost same. Perhaps the reference of the definition can be used, for example:

Resource Identifier:
The Protected resource's resource identifier, which is a URL (see Section 2).

Mike> I agree that adding the reference makes sense.

4)

Section 5.3 Client Identifier and Client Authentication

There are some existing methods by which an unrecognized client can make use of an authorization server, such as using Dynamic Client Registration [RFC7591] to register the client prior to initiating the authorization flow. Future extensions might define alternatives, such as using URLs to identify clients.

On "Future extensions", does this mean the extensions of RFC 7591?

Mike> Good point.  We mean future extensions to OAuth.  I'll clarify in the draft.

Thanks,
Bo Wu

Thanks again for your useful review!

				-- Mike
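As an added example (not code from the draft, the working group, or this thread), here is the resource identifier rule from the Terminology excerpt and the RFC 8414 well-known pattern Mike refers to, in Python: derive the well-known URL for a resource identifier, check that a fetched metadata document's REQUIRED `resource` member equals the identifier the client started from, and map each `authorization_servers` issuer to its RFC 8414 metadata URL. The well-known path suffixes are taken from the draft and RFC 8414 as I know them rather than from this message, and the sample JSON document is constructed.

```python
"""Protected resource metadata: well-known URL derivation plus a client-side
consistency check.  Added example; not the draft's or the OAuth WG's code."""
import json
from urllib.parse import urlsplit

# Well-known suffixes (assumed from the draft and from RFC 8414, not from the thread).
PRM_SUFFIX = "/.well-known/oauth-protected-resource"
AS_SUFFIX = "/.well-known/oauth-authorization-server"


def is_resource_identifier(url: str) -> bool:
    """Terminology rule: https scheme, a host, and no query or fragment components.
    RFC 8414 issuer identifiers follow the same rule, so this is reused for them."""
    parts = urlsplit(url)
    return (parts.scheme == "https" and bool(parts.netloc)
            and not parts.query and not parts.fragment)


def well_known_url(identifier: str, suffix: str) -> str:
    """Insert the suffix between host and path, RFC 8414 style:
    https://api.example.com/mail -> https://api.example.com/.well-known/.../mail
    A trailing '/' on the identifier is dropped, as in the RFC 8414 examples."""
    if not is_resource_identifier(identifier):
        raise ValueError("not a valid resource identifier: " + identifier)
    parts = urlsplit(identifier)
    return f"{parts.scheme}://{parts.netloc}{suffix}{parts.path.rstrip('/')}"


def validate_metadata(identifier: str, body: str) -> list[str]:
    """Parse a fetched metadata document and return the RFC 8414 metadata URLs of
    its authorization servers.  A document whose REQUIRED 'resource' member does
    not equal the identifier the client started from is rejected, so metadata
    served for some other resource is never trusted for this one."""
    doc = json.loads(body)
    if doc.get("resource") != identifier:
        raise ValueError("'resource' member does not match the requested identifier")
    servers = doc.get("authorization_servers", [])
    if not isinstance(servers, list) or not all(is_resource_identifier(s) for s in servers):
        raise ValueError("authorization_servers must be a list of https issuer identifiers")
    return [well_known_url(issuer, AS_SUFFIX) for issuer in servers]


def metadata_is_trusted(identifier: str, body: str) -> bool:
    """Convenience wrapper: True when validate_metadata accepts the document."""
    try:
        validate_metadata(identifier, body)
        return True
    except ValueError:
        return False


# Constructed sample document, standing in for what a client would fetch.
SAMPLE_RESOURCE = "https://api.example.com/mail"
SAMPLE_METADATA = json.dumps({
    "resource": SAMPLE_RESOURCE,
    "authorization_servers": ["https://as.example.com", "https://login.example.net/tenant1"],
})
```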