Re: [OAUTH-WG] OAuth Discovery metadata values added for revocation, introspection, and PKCE

Mike Jones <Michael.Jones@microsoft.com> Fri, 29 January 2016 23:22 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D83C1ACCF3 for <oauth@ietfa.amsl.com>; Fri, 29 Jan 2016 15:22:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e4JH6GtJpylJ for <oauth@ietfa.amsl.com>; Fri, 29 Jan 2016 15:22:41 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0744.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:744]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 910B91ACD4B for <oauth@ietf.org>; Fri, 29 Jan 2016 15:22:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=mqFUGbSD4Qk/xAXRp3TPo/qCuNriBrDZjSm1p6xxcFY=; b=bWPmUWpAjyawzPjJToIQbHyaO1zCFg7OZVJcHcz+J2w+e2JAVtCLDQZfuZANCb5whiYBnnnTBVREiMRdVTlkKQpypIXOpwMv1Pg1zi/nnARn+n7zwAthYUhyidNWbeMkOcXK0CdwmzD66B2YzWuGJnroYaatOx9Do3iCRxudhVM=
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB441.namprd03.prod.outlook.com (10.141.141.142) with Microsoft SMTP Server (TLS) id 15.1.396.15; Fri, 29 Jan 2016 23:22:21 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0396.017; Fri, 29 Jan 2016 23:22:21 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Nat Sakimura <sakimura@gmail.com>
Thread-Topic: [OAUTH-WG] OAuth Discovery metadata values added for revocation, introspection, and PKCE
Thread-Index: AdFZ+/MJivXRQw+8SrOHcZb7gBYlNwAk+5sAAAHSQoAAAfAPAAATOC4A
Date: Fri, 29 Jan 2016 23:22:21 +0000
Message-ID: <BY2PR03MB4429A6A763D5A283FC09B70F5DB0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <BY2PR03MB442C39923E8F9D96F5975B0F5DA0@BY2PR03MB442.namprd03.prod.outlook.com> <56AB59CA.5070408@connect2id.com> <CABzCy2Cq5czDXCGP5P5UWjcG8JQTwiS9dci2xLzpefUJVNFf0g@mail.gmail.com> <5CDF5150-89C7-4EC7-92C8-EE356C30993F@ve7jtb.com>
In-Reply-To: <5CDF5150-89C7-4EC7-92C8-EE356C30993F@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ve7jtb.com; dkim=none (message not signed) header.d=none;ve7jtb.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.47.85.157]
x-ms-office365-filtering-correlation-id: d179dda7-ebe2-4875-e2a7-08d3290309e7
x-microsoft-exchange-diagnostics: 1; BY2PR03MB441; 5:59BKmi2Ic8iJlpDEIXEWyANIV5BX8h09+7YRgNdGEuGbqWOoLdmkpgRGfHH87GXFzjywD7Hp/j4635akZJYj3X4u8uAgWWMQypOX29T4FWFO3TdILnVe4QpHlBRNyENVndNHIlXVlVBICcLDm1PwCg==; 24:giEXMxa21pbdUOqFpLzzBHWYQmv4yhMmPysnRViDweUxtMPkeXno4esPuSPbfaCSdrf5NSwSs0Y2zDn/MGBN0P7x8Xf466Tn2/O6cexJj4Y=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB441;
x-microsoft-antispam-prvs: <BY2PR03MB441B77A5243F833294D5854F5DB0@BY2PR03MB441.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(61426038)(61427038); SRVR:BY2PR03MB441; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB441;
x-forefront-prvs: 083691450C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(209900001)(24454002)(377454003)(479174004)(92566002)(99286002)(3280700002)(2906002)(5003600100002)(76576001)(86362001)(15975445007)(5002640100001)(790700001)(3846002)(3660700001)(4326007)(5004730100002)(1220700001)(93886004)(1096002)(10090500001)(6116002)(586003)(102836003)(2950100001)(77096005)(3470700001)(11100500001)(40100003)(19617315012)(19609705001)(33656002)(5008740100001)(19300405004)(10290500002)(2900100001)(10400500002)(5005710100001)(122556002)(50986999)(54356999)(74316001)(76176999)(19625215002)(189998001)(561944003)(19580405001)(87936001)(5001960100002)(86612001)(16236675004)(66066001)(19580395003)(5001770100001)(6606295002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB441; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4429A6A763D5A283FC09B70F5DB0BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Jan 2016 23:22:21.4548 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB441
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/82L0L4YDpfDx0cdJR31e9a9NBcQ>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth Discovery metadata values added for revocation, introspection, and PKCE
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jan 2016 23:22:46 -0000

Do the PKCE authors want to make a concrete proposal for how to represent this in discovery metadata?

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
Sent: Friday, January 29, 2016 6:11 AM
To: Nat Sakimura <sakimura@gmail.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth Discovery metadata values added for revocation, introspection, and PKCE

The only problem with that is the client may only require it for some types of clients (public) or response types.

It may need to be finer grained than that, or define it as required for all public clients using the token endpoint.

John B.


On Jan 29, 2016, at 10:15 AM, Nat Sakimura <sakimura@gmail.com<mailto:sakimura@gmail.com>> wrote:

Good question.

It's probably a good idea to be able to advertise this policy in the discovery.

Perhaps in the line of

pkce_required or rfc7636_required?
The value should be Boolean.

Nat from iPhone

2016年1月29日(金) 21:23 Vladimir Dzhuvinov <vladimir@connect2id.com<mailto:vladimir@connect2id.com>>:
Thanks Mike, the updated spec looks good!

I have a question related to PKCE:

The PKCE spec seems to imply that an AS may require public clients to use a code challenge:

https://tools.ietf.org/html/rfc7636#section-4.4.1

If an AS has such a policy in place, how is this to be advertised? Or is that supposed to the enforced when the client gets registered (there are no reg params for that at present)?

On 28/01/16 19:27, Mike Jones wrote:

The OAuth Discovery specification has been updated to add metadata values for revocation<http://tools.ietf.org/html/rfc7009><http://tools.ietf.org/html/rfc7009>/rfc7009>, introspection<http://tools.ietf.org/html/rfc7662><http://tools.ietf.org/html/rfc7662>/rfc7662>, and PKCE<http://tools.ietf.org/html/rfc7636><http://tools.ietf.org/html/rfc7636>/rfc7636>.  Changes were:



*       Added "revocation_endpoint_auth_methods_supported" and "revocation_endpoint_auth_signing_alg_values_supported" for the revocation endpoint.



*       Added "introspection_endpoint_auth_methods_supported" and "introspection_endpoint_auth_signing_alg_values_supported" for the introspection endpoint.



*       Added "code_challenge_methods_supported" for PKCE.



The specification is available at:



*       http://tools.ietf.org/html/draft-jones-oauth-discovery-01



An HTML-formatted version is also available at:



*       http://self-issued.info/docs/draft-jones-oauth-discovery-01.html



                                                          -- Mike



P.S.  This note was also published at http://self-issued.info/?p=1531 and as @selfissued<https://twitter.com/selfissued><https://twitter.com/selfissued>.







_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth



--

Vladimir Dzhuvinov
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth