IETF Logo Mail Archive

Re: [OAUTH-WG] A Proposal for Dynamic Registration

Anthony Nadalin <tonynad@microsoft.com> Tue, 06 August 2013 23:20 UTC

Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B8F521F9984 for <oauth@ietfa.amsl.com>; Tue, 6 Aug 2013 16:20:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.057
X-Spam-Level:
X-Spam-Status: No, score=-1.057 tagged_above=-999 required=5 tests=[AWL=-0.590, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PwJb0YkaX9XS for <oauth@ietfa.amsl.com>; Tue, 6 Aug 2013 16:20:12 -0700 (PDT)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe002.messaging.microsoft.com [216.32.181.182]) by ietfa.amsl.com (Postfix) with ESMTP id 1D8F021F9425 for <oauth@ietf.org>; Tue, 6 Aug 2013 16:20:12 -0700 (PDT)
Received: from mail76-ch1-R.bigfish.com (10.43.68.250) by CH1EHSOBE015.bigfish.com (10.43.70.65) with Microsoft SMTP Server id 14.1.225.22; Tue, 6 Aug 2013 23:20:11 +0000
Received: from mail76-ch1 (localhost [127.0.0.1]) by mail76-ch1-R.bigfish.com (Postfix) with ESMTP id 4561C34008E for <oauth@ietf.org>; Tue, 6 Aug 2013 23:20:11 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC107.redmond.corp.microsoft.com; RD:autodiscover.service.exchange.microsoft.com; EFVD:NLI
X-SpamScore: -17
X-BigFish: VS-17(zz9371I542I1418Idb82hzz1f42h208ch1ee6h1de0h1fdah2073h1202h1e76h1d1ah1d2ah1fc6h1082kzz1de098h1033IL1de096h8275dh15d4I1de097hz2fh2a8h683h839h944hd24hf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h1b0ah1d07h1d0ch1d2eh1d3fh1de9h1dfeh1dffh1e1dh17ej9a9j1155h)
Received-SPF: pass (mail76-ch1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=tonynad@microsoft.com; helo=TK5EX14HUBC107.redmond.corp.microsoft.com ; icrosoft.com ;
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.21; KIP:(null); UIP:(null); (null); H:BL2PRD0310HT003.namprd03.prod.outlook.com; R:internal; EFV:INT
Received: from mail76-ch1 (localhost.localdomain [127.0.0.1]) by mail76-ch1 (MessageSwitch) id 1375831208743941_21136; Tue, 6 Aug 2013 23:20:08 +0000 (UTC)
Received: from CH1EHSMHS022.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.241]) by mail76-ch1.bigfish.com (Postfix) with ESMTP id B1B40140047 for <oauth@ietf.org>; Tue, 6 Aug 2013 23:20:08 +0000 (UTC)
Received: from TK5EX14HUBC107.redmond.corp.microsoft.com (131.107.125.8) by CH1EHSMHS022.bigfish.com (10.43.70.22) with Microsoft SMTP Server (TLS) id 14.16.227.3; Tue, 6 Aug 2013 23:20:08 +0000
Received: from CO9EHSOBE031.bigfish.com (157.54.51.114) by mail.microsoft.com (157.54.80.67) with Microsoft SMTP Server (TLS) id 14.3.136.1; Tue, 6 Aug 2013 23:20:07 +0000
Received: from mail56-co9-R.bigfish.com (10.236.132.242) by CO9EHSOBE031.bigfish.com (10.236.130.94) with Microsoft SMTP Server id 14.1.225.22; Tue, 6 Aug 2013 23:19:00 +0000
Received: from mail56-co9 (localhost [127.0.0.1]) by mail56-co9-R.bigfish.com (Postfix) with ESMTP id 8A6E4DC00DF for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Tue, 6 Aug 2013 23:19:00 +0000 (UTC)
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(51444003)(13464003)(55885003)(377454003)(189002)(199002)(16406001)(53806001)(69226001)(74876001)(4396001)(79102001)(561944002)(47736001)(49866001)(81542001)(74316001)(74502001)(81342001)(47446002)(31966008)(74662001)(76482001)(54316002)(56776001)(77096001)(54356001)(80976001)(56816003)(74706001)(80022001)(65816001)(77982001)(59766001)(74366001)(51856001)(47976001)(46102001)(50986001)(63696002)(76576001)(83072001)(19580385001)(19580395003)(33646001)(19580405001)(76786001)(76796001)(83322001)(42262001)(3826001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB189; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:4898:80e0:ed43::7d; RD:InfoNoRecords; MX:1; A:1; LANG:en;
Received: from mail56-co9 (localhost.localdomain [127.0.0.1]) by mail56-co9 (MessageSwitch) id 1375831138402742_4731; Tue, 6 Aug 2013 23:18:58 +0000 (UTC)
Received: from CO9EHSMHS026.bigfish.com (unknown [10.236.132.252]) by mail56-co9.bigfish.com (Postfix) with ESMTP id 5194F500047; Tue, 6 Aug 2013 23:18:58 +0000 (UTC)
Received: from BL2PRD0310HT003.namprd03.prod.outlook.com (157.56.240.21) by CO9EHSMHS026.bigfish.com (10.236.130.36) with Microsoft SMTP Server (TLS) id 14.16.227.3; Tue, 6 Aug 2013 23:18:57 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BL2PRD0310HT003.namprd03.prod.outlook.com (10.255.97.38) with Microsoft SMTP Server (TLS) id 14.16.341.1; Tue, 6 Aug 2013 23:18:56 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) with Microsoft SMTP Server (TLS) id 15.0.745.25; Tue, 6 Aug 2013 23:18:53 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.82]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.82]) with mapi id 15.00.0745.000; Tue, 6 Aug 2013 23:18:53 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Justin Richer <jricher@mitre.org>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] A Proposal for Dynamic Registration
Thread-Index: AQHOkusVub8uV8Fzs026F8FprsDzrJmIzgQQ
Date: Tue, 06 Aug 2013 23:18:53 +0000
Message-ID: <bd9eb305a4a34669a4bd6a29d5b04066@BY2PR03MB189.namprd03.prod.outlook.com>
References: <52016822.2090703@mitre.org>
In-Reply-To: <52016822.2090703@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e0:ed43::7d]
x-forefront-prvs: 0930AAFAD9
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BY2PR03MB189.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%MITRE.ORG$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-CrossPremisesHeadersPromoted: TK5EX14HUBC107.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14HUBC107.redmond.corp.microsoft.com
X-OriginatorOrg: microsoft.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Aug 2013 23:20:25 -0000

I think that the IETF meeting and session on Dynamic Registration showed how fractured it was and how we don't have consensus on what needs to be done and how it needs to be done. I would not support moving any draft further along in the IETF process. I looked on mailing list and could not find out where any dynamic registration document went to WGLC, so maybe someone can point me to that.

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Justin Richer
Sent: Tuesday, August 6, 2013 2:18 PM
To: oauth@ietf.org
Subject: [OAUTH-WG] A Proposal for Dynamic Registration

At last week's IETF meeting, there was quite a lot of talk about the Dynamic Registration draft as well as a few other related drafts in this space. I would like to propose to the group what I think would be a positive working structure among the different approaches that would let us move everything forward. The source documents in discussion here are the WG's Dynamic Registration (draft 14) and Phil Hunt's individual submission of a SCIM-based alternative with some software assertion components to it. I suggest we refactor these into three documents:

  - OAuth Dynamic Registration
  - SCIM-based OAuth Dynamic Registration
  - Software Statements for OAuth Dynamic Registration

I think that they all have their place in the world, and this is how I see them fitting together:


OAuth Dynamic Registration

What it is: Essentially the draft we have today, draft 14. This draft 
defines a standalone RESTful API for dealing with client registrations, 
it allows for open registration as well as protected registration, and 
perhaps most importantly we know that it works because people have 
implemented it as part of several different APIs. This could have an 
informational pointer to the SCIM draft and the Software Statements 
draft. We could call this one "core" or "basic" or some other modifier, 
but I don't think that's necessary because it already does what it says 
on the tin.

What it needs to concentrate on: This needs to be a "base" document with 
extension hooks in key places (such as the client metadata, which is 
already extensible, and places that have been made extensible like the 
token_endpoint_auth_method, and perhaps others). It needs to get its job 
done, allowing for full specification of the simple case in an 
interoperable way (anonymous registration of self-asserted client 
metadata to receive a client identifier and manage the registration) and 
be extensible and flexible enough for the more complex cases.

What we should do: I think that we should continue shepherding this 
document through WGLC in the OAuth WG because there are no specific open 
issues in the spec (that I, the editor, am aware of) and I've seen what 
I would personally consider to be rough consensus on it (not unanimous, 
but that's not necessary anyway).



SCIM-based OAuth Dynamic Registration:

What it is: Most of Phil's draft, this defines a SCIM profile for 
managing OAuth clients dynamically. This will accomplish the same kinds 
of things that the OAuth Dynamic Registration Draft will accomplish, but 
in a SCIM-like manner. This will have a normative dependency on SCIM (of 
some version), and probably an informational dependency on OAuth Dynamic 
Registration. This could have an informational pointer to the Software 
Statements draft. This draft is very useful if you're already deploying 
a SCIM based system, and if you're investing in SCIM then it's going to 
be a smaller step to support this than it would be the base draft. 
However, I strongly believe that SCIM is a really big jump for 
implementing basic functionality that this is trying to accomplish.

What it needs to concentrate on: Tracking with the overall SCIM 
specification (on which it depends) and tracking with the data model and 
general usage of the OAuth Dynamic Registration protocol (wherever it 
makes sense to do so).

What we should do: I think that this draft should be picked up and 
worked on as an IETF document, but I think that it probably makes more 
sense for that work to be done inside of the SCIM working group. The 
reasons for this are twofold: First, this draft really should look and 
feel like SCIM, and to do that it really needs the attention of the 
group that's defining SCIM. Second, SCIM isn't completed and likely 
won't be for some time to come, and this draft needs to track with that 
protocol as it moves through the IETF process.



Software Statements for OAuth Dynamic Registration

What it is: Section 4 of Phil's draft (plus a few other bits, discussed 
here), this defines a method for presenting signed and/or verifiable 
claims to the registration server's endpoint. This is most useful when 
an authorization server can verify the claims being presented, such as 
being able to discover the signing key from the "iss" claim and validate 
the signature. This could also be used (with some additional 
specification) by a discovery-based system that could fix ahead of time 
some of the claims for a given piece of software (like we've done with 
BlueButton+). In some circumstances, this assertion could even contain 
all relevant bits of the registration, leaving the rest of the metadata 
fields blank. This is essentially the "use the assertion as the 
registration" flow that Phil discussed at the meeting, from what I 
understand. In all of these cases, it can give us a higher assurance for 
the registration and means to tie together multiple instances of a piece 
of software across a network.

What it needs to concentrate on: Making the software statements 
interoperable. I don't think this is going to be an easy task, and I 
think it's going to be a long process to get it *right* for all players.

What we should do: I think that this draft should be picked up by the 
OAuth Working Group as a WG document, and it should be built as an 
extension to both the OAuth Dynamic Registration and SCIM-based OAuth 
Dynamic Registration documents. I think it's important, but it's added 
functionality on top of either the RESTful or the SCIM-based 
registration documents, and as such it should have a normative reference 
to both of them with detailed profiles of how to use them.






So in all, we've got three main documents, each with different purposes 
and concentrations, and with different timelines. I don't see any 
problem with these coexisting, and I think doing things this way can 
cover all of our known use cases and let us actually progress these 
documents and move forward.

  -- Justin
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email