Re: [OAUTH-WG] PAR metadata
Brian Campbell <bcampbell@pingidentity.com> Tue, 31 December 2019 15:56 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1828E1200E6 for <oauth@ietfa.amsl.com>; Tue, 31 Dec 2019 07:56:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rzsU26HUH-R3 for <oauth@ietfa.amsl.com>; Tue, 31 Dec 2019 07:56:20 -0800 (PST)
Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05A951200DE for <oauth@ietf.org>; Tue, 31 Dec 2019 07:56:20 -0800 (PST)
Received: by mail-lf1-x136.google.com with SMTP id y1so27226314lfb.6 for <oauth@ietf.org>; Tue, 31 Dec 2019 07:56:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Hv6ZXbjkpKY12XUqJTMqnHj4UaVYQ8t9+3vOCZSRdjg=; b=X2mlTaSvcO7E4zDF5f81ivoL1OwR6PW5DHObqo4mQVEXZDnkdPGnOH9+gQW7lW9+7p d2jymnx+TB1tzTUz45M571Oc7WxcCLL/lWub06P0GpszdPQDMARppERoW/3j5H7ihC0J O6dBXILVQ3emfzDn/Af58lKMh+HnTVncpkG7ZiZaEjzx3/72ZF7EHXUaRJr+6PjgenO0 Z+4ufrAqpsbQ7mwLPtNMw16y5uPfmQkamtEPJalWYL+GXtXIhjChZK5j1woIu1utFgDn folDTCkPSKVGVmFb1cKG4rb/6r/aJDt9r9BvJMTX6xs72MU3w3RDD4OAOR0d6F7dG7Hz Imcg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Hv6ZXbjkpKY12XUqJTMqnHj4UaVYQ8t9+3vOCZSRdjg=; b=rKgnK+LXQkoJkDjrB1MNmWjI65thcxFkAhtiUTOCfspj+wkBtavfxZjGKZn4GzAknB czwHose0VU14Pc29dQZDETY/ow1/rmOhIXuY1corpgsI68kUusu3z4niPS4knDcINgqL 06E+pH6gmMs3QHxdyedwXaQXaAwW1DSZzrjx0kEnoXfOKIeoAbALQFCa4ZxrIzDZux8C f6R3OOxqaX8SYR0es1NPyZ33MaUDhdWjoNTlYLxRfoTxVqDNX+cQQV2EOZjeQQsM3amP a+a8RSorrCOz3LbZx5aeA9fJb+a5zIFhVa5MfxwzDXEKl+N9Pb1gj7wshOur23EdSAm6 dFZQ==
X-Gm-Message-State: APjAAAVXnqlT/6mFZ+PS2/Z0EkbycstFb4WBnHf2mZF3enYlaJeSNtdB 5pBTePVHO32zItSeAUkcUPLknHrucG5SoefruYXpxbzAeq2U+VON8WsaKzAct+K+1rnhx3kE116 6nweHDCjJKvg7tg==
X-Google-Smtp-Source: APXvYqxNWPBV3M+FvmFJ7pWaq+wXR0mlewsTvD8c56e+hPxq46FrvLCtn3Bkv8J+5S/RgtqopJiZNbCKbVvD9CuBCAU=
X-Received: by 2002:a19:5057:: with SMTP id z23mr41031108lfj.132.1577807778215; Tue, 31 Dec 2019 07:56:18 -0800 (PST)
MIME-Version: 1.0
References: <E1C4F217-8A9F-4E26-A488-C17D741C1D34@lodderstedt.net> <CALAqi_-J6vUSc11V1L2L+tGfZEjqdya6R0rqV-kxiM2NoFb0Zw@mail.gmail.com>
In-Reply-To: <CALAqi_-J6vUSc11V1L2L+tGfZEjqdya6R0rqV-kxiM2NoFb0Zw@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 31 Dec 2019 08:55:51 -0700
Message-ID: <CA+k3eCR156BLMkqFXAWU3vKfJbdUtKer36Yz9525hf4nVOGL0Q@mail.gmail.com>
To: Filip Skokan <panva.ip@gmail.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, oauth <oauth@ietf.org>, Dave Tonge <dave.tonge@moneyhub.com>, Nat Sakimura <nat@sakimura.org>, Roland Hedberg <roland@catalogix.se>
Content-Type: multipart/alternative; boundary="000000000000251a35059b0200a9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/84V1lkrAsQ1nydxCS0hW3ThQebk>
Subject: Re: [OAUTH-WG] PAR metadata
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Dec 2019 15:56:23 -0000
Yeah, I agree. The insights in that comment Filip referenced (copied below) are very very wise and explain why we should not define pushed_authorization_endpoint_auth_methods_supported and pushed_authorization_endpoint_auth_signing_alg_values_supported metadata. There's some historical weirdness to how client authentication has come to be represented (and named) in metadata. Client registration metadata has only a token_endpoint_auth_method, which despite the name has become the de facto place in the client data model to say how the client will authenticate to the AS when making any direct client -> AS call. The parameter name is a bit unfortunate but I believe it makes sense to have a single (backchannel) authentication method per client. RFC 8414 took a different direction and has revocation_endpoint_auth_methods_supported and introspection_endpoint_auth_methods_supported etc., which I believe was a mistake. I don't see a clear use case for needing or allowing a different set of auth methods for the different endpoints. And having a bunch of _supported parameters for different endpoints seems likely to clutter up the metadata document with a bunch of redundant info. I'd propose that some text be added into CIBA core that says that, for the backchannel authentication endpoint, the AS supports the same client authentication methods as indicated with token_endpoint_auth_methods_supported. And state that, for a client, the token_endpoint_auth_method is the authentication method registered for its client_id regardless of the endpoint being called. On Tue, Dec 31, 2019 at 8:22 AM Filip Skokan <panva.ip@gmail.com> wrote: > I don't think we need a *_auth_method_* metadata for every endpoint the > client calls directly, none of the new specs defined these (e.g. device > authorization endpoint or CIBA), meaning they also didn't follow the scheme > from RFC 8414 where introspection and revocation got its own metadata. In > most cases the unfortunately named `token_endpoint_auth_method` and its > related metadata is what's used by clients for all direct calls anyway. > > The same principle could be applied to signing (and encryption) algorithms >> as well. > > > This I do not follow, auth methods and their signing is dealt with by > using `token_endpoint_auth_methods_supported` and > `token_endpoint_auth_signing_alg_values_supported` - there's no encryption > for the `_jwt` client auth methods. > Unless it was meant to address the Request Object signing and encryption > metadata, which is defined and IANA registered > <https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#table-client-metadata> by > OIDC. PAR only references JAR section 6.1 and 6.2 for decryption/signature > validation and these do not mention the metadata (e.g. > request_object_signing_alg) anymore since draft 07. > > PS: I also found this comment > <https://bitbucket.org/openid/mobile/issues/102#comment-48494839> related > to the same question about auth metadata but for CIBA. > > Best, > *Filip* > > > On Tue, 31 Dec 2019 at 15:38, Torsten Lodderstedt <torsten@lodderstedt.net> > wrote: > >> Hi all, >> >> Ronald just sent me an email asking whether we will define metadata for >> >> pushed_authorization_endpoint_auth_methods_supported and >> pushed_authorization_endpoint_auth_signing_alg_values_supported. >> >> The draft right now utilises the existing token endpoint authentication >> methods so there is basically no need to define another parameter. The same >> principle could be applied to signing (and encryption) algorithms as well. >> >> What’s your opinion? >> >> best regards, >> Torsten. > > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metada… Vladimir Dzhuvinov
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metada… Vladimir Dzhuvinov
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metada… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metada… Filip Skokan
- [OAUTH-WG] PAR metadata Torsten Lodderstedt
- Re: [OAUTH-WG] PAR metadata Filip Skokan
- Re: [OAUTH-WG] PAR metadata Brian Campbell
- Re: [OAUTH-WG] PAR metadata Torsten Lodderstedt
- Re: [OAUTH-WG] PAR metadata Torsten Lodderstedt
- Re: [OAUTH-WG] PAR metadata Richard Backman, Annabelle
- Re: [OAUTH-WG] PAR metadata Vladimir Dzhuvinov
- Re: [OAUTH-WG] PAR metadata Brian Campbell
- Re: [OAUTH-WG] PAR metadata Neil Madden
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metada… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: [UNVERIFIE… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: [UNVERIFIE… Torsten Lodderstedt
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: [UNVERIFIE… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metada… Justin Richer
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: [UNVERIFIE… Justin Richer