Re: [OAUTH-WG] PAR metadata
Filip Skokan <panva.ip@gmail.com> Tue, 31 December 2019 15:22 UTC
References: <E1C4F217-8A9F-4E26-A488-C17D741C1D34@lodderstedt.net>
In-Reply-To: <E1C4F217-8A9F-4E26-A488-C17D741C1D34@lodderstedt.net>
From: Filip Skokan <panva.ip@gmail.com>
Date: Tue, 31 Dec 2019 16:22:23 +0100
Message-ID: <CALAqi_-J6vUSc11V1L2L+tGfZEjqdya6R0rqV-kxiM2NoFb0Zw@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: oauth <oauth@ietf.org>, Dave Tonge <dave.tonge@moneyhub.com>, Nat Sakimura <nat@sakimura.org>, Brian Campbell <bcampbell@pingidentity.com>, Roland Hedberg <roland@catalogix.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/AepmNAY6hppUzoZSl4-bfMJus4E>
Subject: Re: [OAUTH-WG] PAR metadata
I don't think we need a _auth_method_ metadata for every endpoint the client calls directly; none of the new specs defined these (e.g. device authorization endpoint or CIBA), meaning they also didn't follow the scheme from RFC 8414 where introspection and revocation got their own metadata. In most cases the unfortunately named `token_endpoint_auth_method` and its related metadata is what's used by clients for all direct calls anyway.

> The same principle could be applied to signing (and encryption) algorithms
> as well.

This I do not follow: auth methods and their signing are dealt with by using `token_endpoint_auth_methods_supported` and `token_endpoint_auth_signing_alg_values_supported` - there's no encryption for the `_jwt` client auth methods. Unless it was meant to address the Request Object signing and encryption metadata, which is defined and IANA registered <https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#table-client-metadata> by OIDC. PAR only references JAR sections 6.1 and 6.2 for decryption/signature validation, and these do not mention the metadata (e.g. request_object_signing_alg) anymore since draft 07.

PS: I also found this comment <https://bitbucket.org/openid/mobile/issues/102#comment-48494839> related to the same question about auth metadata but for CIBA.

Best,
Filip

On Tue, 31 Dec 2019 at 15:38, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

> Hi all,
>
> Ronald just sent me an email asking whether we will define metadata for
>
> pushed_authorization_endpoint_auth_methods_supported and
> pushed_authorization_endpoint_auth_signing_alg_values_supported.
>
> The draft right now utilises the existing token endpoint authentication
> methods so there is basically no need to define another parameter. The same
> principle could be applied to signing (and encryption) algorithms as well.
>
> What's your opinion?
>
> best regards,
> Torsten.
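The behaviour the message above relies on, that a client authenticates to PAR (and other direct-call endpoints) with its registered `token_endpoint_auth_method`, using endpoint-specific `*_auth_methods_supported` metadata only where a spec defines one as RFC 8414 does for introspection and revocation, as an added example that is not part of this thread or of any of the drafts it discusses. The AS metadata and client registration are constructed samples; the `pushed_authorization_request_endpoint_auth_methods_supported` key is looked up only to show the precedence and is hypothetical, since no spec defines it. The block builds a `client_secret_jwt` assertion (HMAC-SHA256 keyed with the client secret, as in OIDC Core section 9) and the matching AS-side check, and assumes the assertion audience is the AS issuer identifier, a choice the message does not state.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Constructed AS metadata in the RFC 8414 shape (not a real deployment).
# Introspection gets its own *_auth_methods_supported (RFC 8414); PAR does not,
# so a PAR call falls back to the token endpoint values.
AS_METADATA = {
    "issuer": "https://as.example",
    "token_endpoint": "https://as.example/token",
    "pushed_authorization_request_endpoint": "https://as.example/par",
    "introspection_endpoint": "https://as.example/introspect",
    "token_endpoint_auth_methods_supported": [
        "client_secret_basic", "client_secret_jwt", "private_key_jwt",
    ],
    "token_endpoint_auth_signing_alg_values_supported": ["HS256", "RS256", "ES256"],
    "introspection_endpoint_auth_methods_supported": ["private_key_jwt"],
    "introspection_endpoint_auth_signing_alg_values_supported": ["ES256"],
}

# Constructed client registration (RFC 7591 / OIDC registration metadata names).
CLIENT = {
    "client_id": "s6BhdRkqt3",
    "client_secret": "constructed-sample-secret-with-enough-entropy-for-HS256",
    "token_endpoint_auth_method": "client_secret_jwt",
    "token_endpoint_auth_signing_alg": "HS256",
}


def supported_auth(metadata, endpoint):
    """Methods and signing algs the AS accepts for a direct call to `endpoint`.

    `endpoint` is the metadata key naming the endpoint. An endpoint-specific
    "<endpoint>_auth_methods_supported" wins when published; otherwise the
    token endpoint values apply (the hypothetical PAR key is never published,
    so PAR always takes the fallback).
    """
    methods = metadata.get(f"{endpoint}_auth_methods_supported")
    algs = metadata.get(f"{endpoint}_auth_signing_alg_values_supported")
    if methods is None:
        # RFC 8414: an absent token_endpoint_auth_methods_supported means client_secret_basic.
        methods = metadata.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if algs is None:
        algs = metadata.get("token_endpoint_auth_signing_alg_values_supported", [])
    return list(methods), list(algs)


def negotiate_client_auth(metadata, client, endpoint):
    """Return (method, alg) for the client's registered method at `endpoint`, or raise."""
    methods, algs = supported_auth(metadata, endpoint)
    method = client["token_endpoint_auth_method"]
    if method not in methods:
        raise ValueError(f"{method} not accepted at {endpoint}; AS offers {methods}")
    if not method.endswith("_jwt"):
        return method, None
    alg = client.get("token_endpoint_auth_signing_alg")
    # RFC 8414 forbids "none" in *_auth_signing_alg_values_supported; refuse it client-side too.
    if alg is None or alg == "none" or alg not in algs:
        raise ValueError(f"signing alg {alg!r} not usable at {endpoint}; AS offers {algs}")
    return method, alg


def client_secret_jwt_assertion(client, audience, now=None, lifetime=60):
    """HS256 client assertion (client_secret_jwt); the HMAC key is the UTF-8 client_secret."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client["client_id"], "sub": client["client_id"], "aud": audience,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + lifetime}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(client["client_secret"].encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_client_secret_jwt(assertion, client_secret, expected_aud, expected_client_id, now=None):
    """AS-side check: pinned alg, constant-time MAC compare, iss/sub, aud, expiry."""
    now = int(time.time()) if now is None else now
    h, p, s = assertion.split(".")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != expected_client_id or claims.get("sub") != expected_client_id:
        raise ValueError("bad issuer/subject")
    if claims.get("aud") != expected_aud:
        raise ValueError("bad audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def build_par_request(metadata, client, authz_params, now=None):
    """Form body for a PAR call, authenticated exactly as a token endpoint call would be."""
    method, _alg = negotiate_client_auth(metadata, client, "pushed_authorization_request_endpoint")
    if method != "client_secret_jwt":
        raise NotImplementedError(f"{method} not implemented in this example")
    body = dict(authz_params, client_id=client["client_id"])
    # Assumption: the assertion audience is the AS issuer identifier.
    body["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
    body["client_assertion"] = client_secret_jwt_assertion(client, metadata["issuer"], now=now)
    return body
```

With the constructed metadata the same client is accepted at the PAR endpoint (token endpoint fallback lists `client_secret_jwt`) but refused at introspection, whose RFC 8414-specific list allows only `private_key_jwt`; that contrast is the reason the message argues no separate PAR metadata is needed.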