Re: [OAUTH-WG] Product Support for RFC8414 well-known URIs

Filip Skokan <panva.ip@gmail.com> Mon, 08 June 2020 07:55 UTC

From: Filip Skokan <panva.ip@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Mon, 08 Jun 2020 09:54:50 +0200
Message-Id: <E276B0D3-0AB1-436E-95CB-5811D80053E9@gmail.com>
References: <79d39d11-f812-07bb-7a60-5c3bf7162c0a@danielfett.de>
Cc: oauth@ietf.org
In-Reply-To: <79d39d11-f812-07bb-7a60-5c3bf7162c0a@danielfett.de>
To: Daniel Fett <fett@danielfett.de>
X-Mailer: iPhone Mail (17F75)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/B7_uazbgqbecT92E96MHa7ZLbAs>
Subject: Re: [OAUTH-WG] Product Support for RFC8414 well-known URIs

Some products publish both, but they don't always return the same content, even though as far as I can tell they should be aliases.

The URI normalization of 8414 is also implemented wrong in some cases, since it differs from OIDC as far as the issuer path component is concerned.

I find it best for the AS to have just one, or both with the same content; client software doing discovery can check both locations.

Sent from my iPhone

> On 8. 6. 2020 at 9:46, Daniel Fett <fett@danielfett.de> wrote:
> 
> Hi all,
> 
> RFC8414 says that the URI where the OAuth metadata document is published is
> 
>    formed by inserting a well-known URI string into the authorization
>    server's issuer identifier between the host component and the path
>    component, if any.  By default, the well-known URI string used is
>    "/.well-known/oauth-authorization-server".
> 
> I found that some OAuth servers and clients instead follow the convention used by OpenID Connect, where the suffix "/.well-known/openid-configuration" (or "/.well-known/oauth-authorization-server") is appended to the issuer URL.
> 
> Is this a common deviation from the spec? 
> 
> Do you know how specific products handle this? 
> 
> Does it make sense to serve the metadata document from both locations?
> 
> -Daniel
> 
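The two URL constructions Daniel quotes (RFC 8414 insertion between host and path versus OIDC-style appending) and the check-both-locations discovery Filip suggests, as an added Python example that is not code from either poster or from any product; the sample authorization server, its issuer and the `fetch` callback are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

OAUTH_SUFFIX = "/.well-known/oauth-authorization-server"
OIDC_SUFFIX = "/.well-known/openid-configuration"

def _split_issuer(issuer):
    """RFC 8414 s.2: an issuer is an https URL with no query or fragment."""
    p = urlsplit(issuer)
    if p.scheme != "https" or p.query or p.fragment or not p.netloc:
        raise ValueError(f"not a valid issuer identifier: {issuer!r}")
    return p.scheme, p.netloc, p.path.rstrip("/")  # drop a trailing slash

def rfc8414_url(issuer, suffix=OAUTH_SUFFIX):
    """RFC 8414 s.3: well-known string goes between host and path component."""
    scheme, host, path = _split_issuer(issuer)
    return urlunsplit((scheme, host, suffix + path, "", ""))

def oidc_style_url(issuer, suffix=OIDC_SUFFIX):
    """OpenID Connect Discovery style: well-known string appended to issuer."""
    scheme, host, path = _split_issuer(issuer)
    return urlunsplit((scheme, host, path + suffix, "", ""))

def candidate_urls(issuer):
    """Locations a client may probe, RFC 8414 placement first; duplicates
    collapse when the issuer has no path component (both forms coincide)."""
    urls = [rfc8414_url(issuer, OAUTH_SUFFIX), rfc8414_url(issuer, OIDC_SUFFIX),
            oidc_style_url(issuer, OAUTH_SUFFIX), oidc_style_url(issuer, OIDC_SUFFIX)]
    return list(dict.fromkeys(urls))

def discover(issuer, fetch):
    """Probe each candidate; fetch(url) returns the parsed JSON dict or None.
    RFC 8414 s.3.3: the document's "issuer" MUST equal the issuer we started
    from; a mismatch means the metadata (and its endpoints) is not trusted."""
    for url in candidate_urls(issuer):
        doc = fetch(url)
        if doc is None:
            continue
        if doc.get("issuer") != issuer:
            raise ValueError(f"issuer mismatch at {url}: {doc.get('issuer')!r}")
        return url, doc
    return None

# Constructed sample: an AS that only publishes at the OIDC-style location.
SAMPLE_ISSUER = "https://as.example.com/tenant1"
SAMPLE_SERVER = {
    SAMPLE_ISSUER + OIDC_SUFFIX: {"issuer": SAMPLE_ISSUER,
                                  "token_endpoint": SAMPLE_ISSUER + "/token"},
}

def sample_fetch(url):  # stands in for an HTTPS GET in this offline example
    return SAMPLE_SERVER.get(url)
```

Running `discover(SAMPLE_ISSUER, sample_fetch)` finds the document at the fourth candidate only; with an issuer that has no path, the list shrinks to two URLs because insertion and appending produce the same string.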