Re: [OAUTH-WG] Query on RFC 7591 - dynamic client registration protocol
Justin Richer <jricher@mit.edu> Wed, 15 May 2019 17:54 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFC5D120359 for <oauth@ietfa.amsl.com>; Wed, 15 May 2019 10:54:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JKap0178M9aD for <oauth@ietfa.amsl.com>; Wed, 15 May 2019 10:54:31 -0700 (PDT)
Received: from outgoing-exchange-1.mit.edu (outgoing-exchange-1.mit.edu [18.9.28.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D630120119 for <oauth@ietf.org>; Wed, 15 May 2019 10:54:30 -0700 (PDT)
Received: from oc11exedge2.exchange.mit.edu (OC11EXEDGE2.EXCHANGE.MIT.EDU [18.9.3.18]) by outgoing-exchange-1.mit.edu (8.14.7/8.12.4) with ESMTP id x4FHrrvT005176; Wed, 15 May 2019 13:54:13 -0400
Received: from w92expo18.exchange.mit.edu (18.7.74.72) by oc11exedge2.exchange.mit.edu (18.9.3.18) with Microsoft SMTP Server (TLS) id 15.0.1293.2; Wed, 15 May 2019 13:52:59 -0400
Received: from oc11expo18.exchange.mit.edu (18.9.4.49) by w92expo18.exchange.mit.edu (18.7.74.72) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Wed, 15 May 2019 13:53:38 -0400
Received: from oc11expo18.exchange.mit.edu ([18.9.4.49]) by oc11expo18.exchange.mit.edu ([18.9.4.49]) with mapi id 15.00.1365.000; Wed, 15 May 2019 13:53:38 -0400
From: Justin Richer <jricher@mit.edu>
To: "Sahler, Frank" <frank.sahler@datev.de>
CC: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Query on RFC 7591 - dynamic client registration protocol
Thread-Index: AdUKeoGh7sk3MCGsRg6qQGZqNy3QawA7iSOA
Date: Wed, 15 May 2019 17:53:37 +0000
Message-ID: <439B2D92-5BC1-44C7-B9E9-63C01D015E3E@mit.edu>
References: <8fe77fc8247e4eebb835b0f59bd4671e@datev.de>
In-Reply-To: <8fe77fc8247e4eebb835b0f59bd4671e@datev.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [71.174.62.56]
Content-Type: multipart/alternative; boundary="_000_439B2D925BC144C7B9E963C01D015E3Emitedu_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9GJ82gum1j06pBduEEZPUZ-mEi0>
Subject: Re: [OAUTH-WG] Query on RFC 7591 - dynamic client registration protocol
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 May 2019 17:54:34 -0000
On the surface this is fine, but it hides an important detail: you need to have a client registered with the system in order to make a token request, meaning that the “dcr” token was issued to a different client than the one making the registration request. So that just means that the developer is going to have to copy it by hand into a configuration, or otherwise pass it to the instances at runtime. Is it allowable? Sure, as the RFC doesn’t state (or care) how you got the initial access token for the registration request. Is it standard? Well, the “dcr” scope is specific to this company’s implementation, and it’s a little odd using an automated process to get a token for what will be an automated process. That basically leaves one instance of the application as the “primary” instance and everything else builds off of that. It’s more common to use a software statement, which also locks down a set of client attributes in a signed statement. In fact, in the original version of this part of the specification, which came from the BlueButton+REST project, the “software statement” and “initial access token” were one and the same. This working group decided that the functionality was better separated. — Justin On May 14, 2019, at 1:30 PM, Sahler, Frank <frank.sahler@datev.de<mailto:frank.sahler@datev.de>> wrote: Hello, I read in the dynamic client registration documentation of the company curity (https://developer.curity.io/tutorials/dynamic-client-registration-overview) that they use the scope "dcr" in the authorization request to get an initial access token i.e. a bearer token that only allows access to the registration endpoint. Is this also from your point of view a feasible way to initiate the client registration? Unfortunately the specification says nothing about how to get the token and how its purpose is limited to the registration endpoint. These two points are "out of scope for this specification". Regards Frank Sahler Security Consultant DATEV eG, Nuremberg, Germany ________________________________ Signatur Diese E-Mail wurde mit einem Zertifikat der DATEV eG signiert. Damit können Sie sicher sein, dass die Nachricht so von uns gesendet wurde. Wenn Sie eine Meldung erhalten, dass die Signatur ungültig ist oder nicht geprüft werden kann, fehlt das Zertifikat zu dieser Signatur auf Ihrem Rechner. Informationen zu Zertifikaten und zur digitalen Signatur finden Sie unter https://www.datev.de/zertifikate im Internet. ________________________________ DATEV eG 90329 Nürnberg Telefon +49 911 319-0 E-Mail: info@datev.de<mailto:info@datev.de> Internet: https://www.datev.de<https://www.datev.de/> Sitz: 90429 Nürnberg, Paumgartnerstraße 6-14 Registergericht Nürnberg, GenReg Nr. 70 Vorstand Dr. Robert Mayr (Vorsitzender) Eckhard Schwarzer (stellv. Vorsitzender) Julia Bangerth Prof. Dr. Peter Krug Diana Windmeißer Vorsitzender des Aufsichtsrates: Nicolas Hofmann _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Query on RFC 7591 - dynamic client reg… Sahler, Frank
- Re: [OAUTH-WG] Query on RFC 7591 - dynamic client… Justin Richer
- Re: [OAUTH-WG] Query on RFC 7591 - dynamic client… Sahler, Frank
- Re: [OAUTH-WG] Query on RFC 7591 - dynamic client… Phil Hunt