Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata

Michael Jones <michael_b_jones@hotmail.com> Thu, 28 March 2024 19:58 UTC

From: Michael Jones <michael_b_jones@hotmail.com>
To: Atul Tulshibagwale <atul@sgnl.ai>, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
CC: oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata
Date: Thu, 28 Mar 2024 19:58:16 +0000
Message-ID: <SJ0PR02MB7439A0FBA95C8DFEDD78EA4FB73B2@SJ0PR02MB7439.namprd02.prod.outlook.com>
References: <CADNypP9QRjmgs5Si4Fj+hSmScwx+4ihQmxfznCCVE4+8F2UFkw@mail.gmail.com> <CANtBS9cNXEsiv8UqPSSeRf8pfUXZea5_bftwwFb5PnfG9YSfoA@mail.gmail.com>
In-Reply-To: <CANtBS9cNXEsiv8UqPSSeRf8pfUXZea5_bftwwFb5PnfG9YSfoA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9BkcP6v5flTc6WGr2zbpbJp9Azo>
Subject: Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata

Hi Atul,

I’ve created https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata/pull/23 addressing many of your comments.  Dispositions of all the comments are described inline below.

Thanks again,
-- Mike

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Atul Tulshibagwale
Sent: Wednesday, March 27, 2024 12:01 PM
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata

Hi all,
I'd committed to reviewing the draft at IETF 119, so here is my feedback up to section 3.1:

  1.  Section 1: The sentence "Each protected resource publishing metadata about itself makes its own metadata document available at a well-known location rooted at the protect resource's URL, even when the resource server implements multiple protected resources." has two issues:

     *   Typo: "protected resource's URL" instead of "protect resource's URL"
Corrected

     *   This contradicts the statement in section 3, which states the "well-known" should be inserted between the host and path components
Corrected

  2.  Section 1: The sentence "The means by which the client obtains the location of the protected resource metadata document is out of scope" conflicts with Section 3, which says "Protected resources MUST make ... (it) available at a path ...".
This was actually about locating the resource – not its metadata.  Corrected.

  3.  Section 2, "authorization_servers": since this is normative language, instead of saying "Protected resources MAY choose not to advertise some supported authorization servers even when this parameter is used.", should we say "the list of OAuth authorization servers MAY be a subset of the authorization servers supported by the protected resource."?
The “MAY choose not to advertise” language comes from RFC 8414 (OAuth 2.0 Authorization Server Metadata), where it is used in the “scopes_supported” description.  It’s likewise used in this specification’s “scopes_supported” description and the “authorization_servers” description.  I’m reluctant to use different language than RFC 8414 does for expressing the same concept unless you believe the current language is in some way factually wrong.

  4.  Section 3, paragraph 1: The last sentence, i.e. "The well-known URI path suffix used MUST be registered in the IANA "Well-Known URIs" registry" is a bit confusing. Should it say something like "If not using the default well-known URI, such URI path suffix MUST be registered..."? This last sentence of paragraph 1 can actually be dropped, and the first sentence in the 2nd paragraph can be updated to refer to the IANA well-known registry.
This language comes from RFC 8414 and therefore I’m reluctant to change it.

  5.  Section 3, paragraph 2: The first sentence should capitalize "MAY" in "...application-specific ways may define and register..."
Corrected

  6.  Section 3, paragraph 2: The first sentence can drop the word "used" here: "...URI path suffixes used to publish..." The sentence will make more sense with that word dropped.
Corrected

  7.  Section 3, paragraph 2: The last sentence is additional non-normative language, and could be removed, or could be moved to the "IANA Considerations" section.
Again, this parallels language in RFC 8414.

  8.  Section 3, paragraph 3: "...specify what well-known URI string..." should be changed to "...specify what well-known URI path-suffix..."
Corrected.  Note that the correction also makes the language parallel to the corresponding language in RFC 8414.

  9.  Section 3, paragraph 3: Instead of saying "...publish its metadata at multiple well-known locations", should we say "...publish its metadata using multiple well-known path-suffixes"?
Again, this parallels language in RFC 8414.

  10. Section 3.1, last paragraph: The sentence "This is required in some multi-tenant hosting configurations" may be removed as it is not the only situation in which a host may have multiple OPRM documents.
Again, this parallels language in RFC 8414.

I will continue the review but I wanted to update the WG on my review so far.

Atul

On Wed, Mar 27, 2024 at 5:54 AM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:
All,

This is a WG Last Call for the OAuth 2.0 Protected Resource Metadata document.
https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-03.html

Please, review this document and reply on the mailing list if you have any comments or concerns, by April 12.

Regards,
  Rifaat & Hannes
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
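The location rule the review discusses (Section 3 of the draft inserting the well-known URI path suffix between the host and path components), shown as an added example written for this page; it is not code from the thread or from the draft's authors. The suffix string `/.well-known/oauth-protected-resource` and the `resource` metadata member are taken from the draft as the editor understands it, and the sample resource identifier and metadata document are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed values (not stated in the thread): the draft's well-known path
# suffix and a constructed sample resource identifier.
WELL_KNOWN_SUFFIX = "/.well-known/oauth-protected-resource"
SAMPLE_RESOURCE = "https://rs.example.com/api/v1"

# Constructed sample metadata document, as a resource server might publish it.
SAMPLE_METADATA = {
    "resource": SAMPLE_RESOURCE,
    "authorization_servers": ["https://as.example.com"],
    "scopes_supported": ["read", "write"],
}


def metadata_url(resource: str, suffix: str = WELL_KNOWN_SUFFIX) -> str:
    """Locate the metadata document for a protected resource.

    The suffix is inserted between the host and the path/query components,
    so a resource with a path keeps that path after the suffix and a resource
    with no path is served at the bare suffix.
    """
    parts = urlsplit(resource)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("resource identifier must be an https URL with a host")
    if parts.fragment:
        raise ValueError("resource identifier must not contain a fragment")
    # Treat a lone "/" as no path so the result has no trailing slash.
    path = "" if parts.path in ("", "/") else parts.path
    return urlunsplit((parts.scheme, parts.netloc, suffix + path, parts.query, ""))


def check_metadata(resource: str, doc: dict) -> list[str]:
    """Return the problems found in a fetched metadata document (empty if none).

    The "resource" value must equal the identifier the URL was derived from;
    otherwise a document served for one resource could be taken as describing
    another.  "authorization_servers" MAY be a subset of the servers the
    resource actually accepts (see the review above), so only its shape is
    checked here.
    """
    problems = []
    if doc.get("resource") != resource:
        problems.append("resource value does not match the requested identifier")
    servers = doc.get("authorization_servers")
    if servers is not None and not isinstance(servers, list):
        problems.append("authorization_servers must be a JSON array")
    return problems
```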