Re: [OAUTH-WG] PAR - Guidance on the request URI structure needed?

Justin Richer <jricher@mit.edu> Mon, 27 April 2020 16:58 UTC

From: Justin Richer <jricher@mit.edu>
Message-Id: <32A77307-BFE4-4A0E-99F6-B9567DF38645@mit.edu>
Date: Mon, 27 Apr 2020 12:58:09 -0400
In-Reply-To: <CALAqi_-xtfcrWg0bvMTae9GkbOzCorNENpPiwt0kjzw5sgn_Mg@mail.gmail.com>
Cc: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>, oauth <oauth@ietf.org>
To: Filip Skokan <panva.ip@gmail.com>
References: <A680BD1A-1E79-40C0-B325-91EEEFD7BDA5@lodderstedt.net> <CALAqi_-xtfcrWg0bvMTae9GkbOzCorNENpPiwt0kjzw5sgn_Mg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9pKqOlnAhfEbytNMGvxgXJ6vT4c>
Subject: Re: [OAUTH-WG] PAR - Guidance on the request URI structure needed?

I agree that any URI could be used but that it MUST be understood by the AS to be local to the AS (and not something that can be impersonated by an attacker). I wouldn’t even go so far as RECOMMENDED, but it’s certainly an option.

 — Justin

> On Apr 27, 2020, at 4:41 AM, Filip Skokan <panva.ip@gmail.com> wrote:
> 
> I believe implementers should be free to devise their own URIs and not be locked down to one by the spec; at the same time, an RFC 6755 subnamespace would be good for guidance.
> 
> So, I would suggest it be RECOMMENDED to use e.g. `urn:ietf:params:oauth:request_uri:<random>` (Brian's proposal) but also that any URN or URL will do if the circumstances call for it.
> 
> Best,
> Filip
> 
> 
> On Sun, 26 Apr 2020 at 17:20, Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
> Hi all, 
> 
> another topic from last week’s virtual meeting. 
> 
> Shall there be guidance on the request URI structure? 
> 
> Please state your opinion. 
> 
> thanks in advance, 
> Torsten. 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
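The point Justin makes above (the AS must recognise a request_uri as one it minted itself, never something an attacker can supply) and the URN form Filip suggests (`urn:ietf:params:oauth:request_uri:<random>`) can be shown together in AS-side code. The following is an added example written for this page, not code from the thread or from any of the participants: it mints an opaque request_uri under that subnamespace at the PAR endpoint, then, at the authorization endpoint, accepts only values it issued, bound to the same client, unexpired and (as a design choice assumed here) single-use. The `PARStore` class, the 60-second lifetime, the sample client id and parameters, and the injected clock are all assumptions for the illustration.

```python
import hmac
import secrets
import time

# Subnamespace form suggested in the thread; the <random> part is what makes the
# value unguessable. Everything below it is an assumption for this example.
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"
REQUEST_URI_TTL_SECONDS = 60  # assumed lifetime, returned to the client as expires_in


class PARStore:
    """In-memory store of pushed authorization requests keyed by the AS-minted request_uri.

    Constructed for this example; a production AS would use a shared store with TTL.
    The `now` callable is injectable so expiry can be exercised deterministically.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._requests = {}

    def push(self, client_id, params):
        """PAR endpoint: mint an opaque request_uri and bind the request to the client."""
        # 256 bits from the OS CSPRNG: the value is meaningful only to this AS and
        # cannot be predicted or forged by a third party.
        reference = secrets.token_urlsafe(32)
        request_uri = REQUEST_URI_PREFIX + reference
        self._requests[request_uri] = {
            "client_id": client_id,
            "params": dict(params),
            "expires_at": self._now() + REQUEST_URI_TTL_SECONDS,
            "used": False,
        }
        return {"request_uri": request_uri, "expires_in": REQUEST_URI_TTL_SECONDS}

    def resolve(self, client_id, request_uri):
        """Authorization endpoint: map a presented request_uri back to the pushed parameters.

        Only URIs this AS minted are accepted. Anything else, including an https:// URL
        an attacker would like the AS to dereference, is rejected without any fetch.
        """
        if not request_uri.startswith(REQUEST_URI_PREFIX):
            raise ValueError("invalid_request_uri: not minted by this AS")
        entry = self._requests.get(request_uri)
        if entry is None:
            raise ValueError("invalid_request_uri: unknown reference")
        if entry["used"]:
            raise ValueError("invalid_request_uri: already used")
        if self._now() > entry["expires_at"]:
            del self._requests[request_uri]
            raise ValueError("invalid_request_uri: expired")
        # Constant-time comparison of the client binding (design choice; the
        # random reference itself is already unguessable).
        if not hmac.compare_digest(entry["client_id"], client_id):
            raise ValueError("invalid_request_uri: bound to a different client")
        entry["used"] = True  # single-use, assumed policy for this example
        return entry["params"]


if __name__ == "__main__":
    store = PARStore()
    # Constructed sample request from a hypothetical client.
    issued = store.push("s6BhdRkqt3", {"response_type": "code",
                                       "redirect_uri": "https://client.example.org/cb",
                                       "scope": "openid"})
    print("minted:", issued)
    print("resolved:", store.resolve("s6BhdRkqt3", issued["request_uri"]))
    for bad in ("https://attacker.example/req.jwt", REQUEST_URI_PREFIX + "guess"):
        try:
            store.resolve("s6BhdRkqt3", bad)
        except ValueError as exc:
            print("rejected", bad, "->", exc)
```

The prefix check plus the store lookup is what makes the URI "local to the AS": the AS never treats request_uri as something to fetch, so an attacker-controlled URL (or a guessed reference under the right prefix) fails closed. Binding to client_id stops one client replaying another client's pushed request, and the injected clock is only there so expiry can be tested without sleeping.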