[OAUTH-WG] Re: Opsdir last call review of draft-ietf-oauth-resource-metadata-08

Michael Jones <michael_b_jones@hotmail.com> Wed, 11 September 2024 23:07 UTC


Bo, your review comments are addressed in https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata/pull/51/commits/699182c7c4d6c4e06e99c1463ae51a18cc64f4fa, which is part of https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata/pull/51, and https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata/commit/fe6fd613eae34e3c63acbec340d21de21a3a1176, which adds sequence numbers to the diagram.

                                Thanks again!
                                -- Mike

-----Original Message-----
From: Michael Jones <michael_b_jones@hotmail.com>
Sent: Tuesday, September 10, 2024 7:26 PM
To: Bo Wu <lana.wubo@huawei.com>; ops-dir@ietf.org
Cc: draft-ietf-oauth-resource-metadata.all@ietf.org; last-call@ietf.org; oauth@ietf.org; Deb Cooley <debcooley1@gmail.com>
Subject: RE: Opsdir last call review of draft-ietf-oauth-resource-metadata-08

Thanks for your review, Bo.  My replies are inline below, prefixed by "Mike>".

-----Original Message-----
From: Bo Wu via Datatracker <noreply@ietf.org>
Sent: Thursday, August 29, 2024 5:53 AM
To: ops-dir@ietf.org
Cc: draft-ietf-oauth-resource-metadata.all@ietf.org; last-call@ietf.org; oauth@ietf.org
Subject: Opsdir last call review of draft-ietf-oauth-resource-metadata-08

Reviewer: Bo Wu
Review result: Has Nits

Hi,

I'm the assigned Ops reviewer. I think this document is ready with nits.

Here are some nits and questions:

nits:

1)
The Figure 1 Sequence Diagram does not seem to match the text in the steps.
For example, step 5 in the diagram corresponds to step 5 and the first half of step 6 in the text description, and there is no "user agent" (step 8) in the diagram. Therefore, it is recommended that sequence numbers be added to the diagram.

Mike> I'll plan to work with Aaron Parecki to add numbers to the diagram, if possible.  (It may be tricky, because there are both SVG https://drafts.oauth.net/draft-ietf-oauth-resource-metadata/draft-ietf-oauth-resource-metadata.html#name-sequence-diagram and ASCII ART https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-08.txt versions of the diagram.)  This issue is tracked at https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata/issues/49.

2)
s/The resource value returned/The "resource" value returned

Mike> In both cases, the word "resource" is in a fixed-width font as a result of denoting it as <spanx style="verb">resource</spanx> in the XML source (which will be transformed to <tt>resource</tt> in the XML2RFC v3 source) to mark it as being a protocol element.  In xml2rfc v1 this would have resulted in a fixed-width font in the HTML output and "resource" in the .txt output, but the newer tooling omits the double quotes in the .txt output for some reason.  I'm prone to go with the choices made by the IETF's tooling and not manually add the double quotes.

3)
s/specific member names such as resource/specific member names such as "resource"

Mike> Same situation.  "resource" here is already in a fixed-width font because its source is <spanx style="verb">resource</spanx>.

Some questions:

1)

Section 1 Introduction

 The metadata for a protected resource is retrieved from a well-known
   location as a JSON [RFC8259] document, which declares information
   about its capabilities and optionally, its relationships to other
   services.

Do other services refer to authorization servers? If yes, then it is recommended to use authorization servers directly.

Mike> Yes, the metadata for Authorization Servers is also retrieved from a well-known URL, as described at https://www.rfc-editor.org/rfc/rfc8414.html#section-3.  This specification follows that pattern.  The "authorization_servers" value is a set of AS issuer identifiers, as defined in RFC 8414.  That enables retrieving their metadata in that way.

2)
Section 1 Introduction

The means by which the client obtains the location of the protected resource is out of scope. In some cases, the location may be manually configured into the client.

In Section 5.3, there is also text:

   This specification is intended to be deployed in scenarios where the
   client has no prior knowledge about the resource server,

It seems that text in Introduction means that the resource server is prior knowledge of the client if I understand correctly. Am I correct?

Mike> Actually, the client may learn about the resource server at runtime as a result of user interface actions by the person using the client.  The client might be, for instance, an e-mail reader and the resource might be an e-mail server.  The client can be pointed at any of thousands of e-mail servers worldwide, which would be the resources.

Aaron Parecki did a good job explaining that motivating use case several IETFs ago.  I'll try to dig that up and we'll consider describing it in the draft.

3)

 Section 1.2. Terminology

 Resource Identifier:

The Protected resource's resource identifier, which is a URL that uses the https scheme and has no query or fragment components.
Protected resource metadata is published at a .well-known location [RFC8615] derived from this resource identifier, as described in Section 3.

resource
REQUIRED. The protected resource's resource identifier, which is a URL that uses the https scheme and has no query or fragment components. Using these well-known resources is described in Section 3.

The two descriptions look almost the same. Perhaps the reference of the definition can be used, for example:

 Resource Identifier:
The Protected resource's resource identifier, which is a URL (see Section 2).

Mike> I agree that adding the reference makes sense.

4)

Section 5.3 Client Identifier and Client Authentication

There are some existing methods by which an unrecognized client can make use of an authorization server, such as using Dynamic Client Registration [RFC7591] to register the client prior to initiating the authorization flow. Future extensions might define alternatives, such as using URLs to identify clients.

On "Future extensions", does this mean the extensions of RFC 7591?

Mike> Good point.  We mean future extensions to OAuth.  I'll clarify in the draft.

Thanks,
Bo Wu

Thanks again for your useful review!

                                -- Mike
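The thread above discusses two things a client has to get right: the resource identifier must be an https URL with no query or fragment, and the metadata's "authorization_servers" member lists AS issuer identifiers whose own metadata is fetched the RFC 8414 way. The following is an added example, not code from the draft or from anyone in the thread; it assumes the well-known suffixes "oauth-protected-resource" (the draft) and "oauth-authorization-server" (RFC 8414 Section 3), and the sample metadata document is constructed.

```python
"""Added example: validate a protected resource identifier, derive its
well-known metadata URL, and follow "authorization_servers" to the
RFC 8414 metadata URLs. Not part of the draft or the thread."""
import json
from urllib.parse import urlsplit

RESOURCE_WELL_KNOWN = "oauth-protected-resource"  # draft's suffix (assumed here)
AS_WELL_KNOWN = "oauth-authorization-server"      # RFC 8414 Section 3


def validate_identifier(identifier: str) -> None:
    """Reject identifiers that violate the draft's constraints."""
    parts = urlsplit(identifier)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"identifier must be an https URL: {identifier!r}")
    if parts.query or parts.fragment:
        raise ValueError(f"identifier must not carry a query or fragment: {identifier!r}")


def well_known_url(identifier: str, suffix: str) -> str:
    """Insert /.well-known/<suffix> between host and path (RFC 8414 pattern)."""
    validate_identifier(identifier)
    parts = urlsplit(identifier)
    path = parts.path.rstrip("/")
    return f"https://{parts.netloc}/.well-known/{suffix}{path}"


def authorization_server_metadata_urls(identifier: str, metadata_json: str) -> list[str]:
    """Parse the resource metadata, check that its "resource" member matches the
    identifier it was fetched for, and return one RFC 8414 URL per listed issuer."""
    metadata = json.loads(metadata_json)
    if metadata.get("resource") != identifier:
        raise ValueError("metadata 'resource' does not match the identifier used to fetch it")
    issuers = metadata.get("authorization_servers", [])
    return [well_known_url(issuer, AS_WELL_KNOWN) for issuer in issuers]


# Constructed sample metadata, as an e-mail server (the thread's example) might publish.
SAMPLE_IDENTIFIER = "https://mail.example.com/imap"
SAMPLE_METADATA = json.dumps({
    "resource": SAMPLE_IDENTIFIER,
    "authorization_servers": ["https://as.example.com", "https://login.example.org/tenant1"],
})

if __name__ == "__main__":
    print(well_known_url(SAMPLE_IDENTIFIER, RESOURCE_WELL_KNOWN))
    print(authorization_server_metadata_urls(SAMPLE_IDENTIFIER, SAMPLE_METADATA))
```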