Re: [OAUTH-WG] OAuth Discovery metadata values added for revocation, introspection, and PKCE
Mike Jones <Michael.Jones@microsoft.com> Fri, 29 January 2016 23:22 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D83C1ACCF3 for <oauth@ietfa.amsl.com>; Fri, 29 Jan 2016 15:22:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e4JH6GtJpylJ for <oauth@ietfa.amsl.com>; Fri, 29 Jan 2016 15:22:41 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0744.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:744]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 910B91ACD4B for <oauth@ietf.org>; Fri, 29 Jan 2016 15:22:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=mqFUGbSD4Qk/xAXRp3TPo/qCuNriBrDZjSm1p6xxcFY=; b=bWPmUWpAjyawzPjJToIQbHyaO1zCFg7OZVJcHcz+J2w+e2JAVtCLDQZfuZANCb5whiYBnnnTBVREiMRdVTlkKQpypIXOpwMv1Pg1zi/nnARn+n7zwAthYUhyidNWbeMkOcXK0CdwmzD66B2YzWuGJnroYaatOx9Do3iCRxudhVM=
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB441.namprd03.prod.outlook.com (10.141.141.142) with Microsoft SMTP Server (TLS) id 15.1.396.15; Fri, 29 Jan 2016 23:22:21 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0396.017; Fri, 29 Jan 2016 23:22:21 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Nat Sakimura <sakimura@gmail.com>
Thread-Topic: [OAUTH-WG] OAuth Discovery metadata values added for revocation, introspection, and PKCE
Thread-Index: AdFZ+/MJivXRQw+8SrOHcZb7gBYlNwAk+5sAAAHSQoAAAfAPAAATOC4A
Date: Fri, 29 Jan 2016 23:22:21 +0000
Message-ID: <BY2PR03MB4429A6A763D5A283FC09B70F5DB0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <BY2PR03MB442C39923E8F9D96F5975B0F5DA0@BY2PR03MB442.namprd03.prod.outlook.com> <56AB59CA.5070408@connect2id.com> <CABzCy2Cq5czDXCGP5P5UWjcG8JQTwiS9dci2xLzpefUJVNFf0g@mail.gmail.com> <5CDF5150-89C7-4EC7-92C8-EE356C30993F@ve7jtb.com>
In-Reply-To: <5CDF5150-89C7-4EC7-92C8-EE356C30993F@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ve7jtb.com; dkim=none (message not signed) header.d=none;ve7jtb.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.47.85.157]
x-ms-office365-filtering-correlation-id: d179dda7-ebe2-4875-e2a7-08d3290309e7
x-microsoft-exchange-diagnostics: 1; BY2PR03MB441; 5:59BKmi2Ic8iJlpDEIXEWyANIV5BX8h09+7YRgNdGEuGbqWOoLdmkpgRGfHH87GXFzjywD7Hp/j4635akZJYj3X4u8uAgWWMQypOX29T4FWFO3TdILnVe4QpHlBRNyENVndNHIlXVlVBICcLDm1PwCg==; 24:giEXMxa21pbdUOqFpLzzBHWYQmv4yhMmPysnRViDweUxtMPkeXno4esPuSPbfaCSdrf5NSwSs0Y2zDn/MGBN0P7x8Xf466Tn2/O6cexJj4Y=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB441;
x-microsoft-antispam-prvs: <BY2PR03MB441B77A5243F833294D5854F5DB0@BY2PR03MB441.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(61426038)(61427038); SRVR:BY2PR03MB441; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB441;
x-forefront-prvs: 083691450C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(209900001)(24454002)(377454003)(479174004)(92566002)(99286002)(3280700002)(2906002)(5003600100002)(76576001)(86362001)(15975445007)(5002640100001)(790700001)(3846002)(3660700001)(4326007)(5004730100002)(1220700001)(93886004)(1096002)(10090500001)(6116002)(586003)(102836003)(2950100001)(77096005)(3470700001)(11100500001)(40100003)(19617315012)(19609705001)(33656002)(5008740100001)(19300405004)(10290500002)(2900100001)(10400500002)(5005710100001)(122556002)(50986999)(54356999)(74316001)(76176999)(19625215002)(189998001)(561944003)(19580405001)(87936001)(5001960100002)(86612001)(16236675004)(66066001)(19580395003)(5001770100001)(6606295002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB441; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4429A6A763D5A283FC09B70F5DB0BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Jan 2016 23:22:21.4548 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB441
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/82L0L4YDpfDx0cdJR31e9a9NBcQ>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth Discovery metadata values added for revocation, introspection, and PKCE
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jan 2016 23:22:46 -0000
Do the PKCE authors want to make a concrete proposal for how to represent this in discovery metadata? From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley Sent: Friday, January 29, 2016 6:11 AM To: Nat Sakimura <sakimura@gmail.com> Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] OAuth Discovery metadata values added for revocation, introspection, and PKCE The only problem with that is the client may only require it for some types of clients (public) or response types. It may need to be finer grained than that, or define it as required for all public clients using the token endpoint. John B. On Jan 29, 2016, at 10:15 AM, Nat Sakimura <sakimura@gmail.com<mailto:sakimura@gmail.com>> wrote: Good question. It's probably a good idea to be able to advertise this policy in the discovery. Perhaps in the line of pkce_required or rfc7636_required? The value should be Boolean. Nat from iPhone 2016年1月29日(金) 21:23 Vladimir Dzhuvinov <vladimir@connect2id.com<mailto:vladimir@connect2id.com>>: Thanks Mike, the updated spec looks good! I have a question related to PKCE: The PKCE spec seems to imply that an AS may require public clients to use a code challenge: https://tools.ietf.org/html/rfc7636#section-4.4.1 If an AS has such a policy in place, how is this to be advertised? Or is that supposed to the enforced when the client gets registered (there are no reg params for that at present)? On 28/01/16 19:27, Mike Jones wrote: The OAuth Discovery specification has been updated to add metadata values for revocation<http://tools.ietf.org/html/rfc7009><http://tools.ietf.org/html/rfc7009>, introspection<http://tools.ietf.org/html/rfc7662><http://tools.ietf.org/html/rfc7662>, and PKCE<http://tools.ietf.org/html/rfc7636><http://tools.ietf.org/html/rfc7636>. Changes were: * Added "revocation_endpoint_auth_methods_supported" and "revocation_endpoint_auth_signing_alg_values_supported" for the revocation endpoint. * Added "introspection_endpoint_auth_methods_supported" and "introspection_endpoint_auth_signing_alg_values_supported" for the introspection endpoint. * Added "code_challenge_methods_supported" for PKCE. The specification is available at: * http://tools.ietf.org/html/draft-jones-oauth-discovery-01 An HTML-formatted version is also available at: * http://self-issued.info/docs/draft-jones-oauth-discovery-01.html -- Mike P.S. This note was also published at http://self-issued.info/?p=1531 and as @selfissued<https://twitter.com/selfissued><https://twitter.com/selfissued>. _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth -- Vladimir Dzhuvinov _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] OAuth Discovery metadata values added … Mike Jones
- Re: [OAUTH-WG] OAuth Discovery metadata values ad… Nat Sakimura
- Re: [OAUTH-WG] OAuth Discovery metadata values ad… Vladimir Dzhuvinov
- Re: [OAUTH-WG] OAuth Discovery metadata values ad… Nat Sakimura
- Re: [OAUTH-WG] OAuth Discovery metadata values ad… John Bradley
- Re: [OAUTH-WG] OAuth Discovery metadata values ad… William Denniss
- Re: [OAUTH-WG] OAuth Discovery metadata values ad… Mike Jones
- Re: [OAUTH-WG] OAuth Discovery metadata values ad… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Discovery metadata values ad… Justin Richer
- Re: [OAUTH-WG] OAuth Discovery metadata values ad… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth Discovery metadata values ad… Justin Richer
- [OAUTH-WG] How can client react to access token n… Sergey Beryozkin
- Re: [OAUTH-WG] OAuth Discovery metadata values ad… William Denniss