IETF Logo Mail Archive

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

Phil Hunt <phil.hunt@oracle.com> Mon, 20 May 2013 18:27 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F03FB21F8648 for <oauth@ietfa.amsl.com>; Mon, 20 May 2013 11:27:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.115
X-Spam-Level:
X-Spam-Status: No, score=-6.115 tagged_above=-999 required=5 tests=[AWL=0.483, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hEVrzjp+6Wfo for <oauth@ietfa.amsl.com>; Mon, 20 May 2013 11:27:05 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id A757C21F8523 for <oauth@ietf.org>; Mon, 20 May 2013 11:27:05 -0700 (PDT)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r4KIR4Sp023155 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 20 May 2013 18:27:04 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r4KIR3Xt026241 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Mon, 20 May 2013 18:27:04 GMT
Received: from abhmt111.oracle.com (abhmt111.oracle.com [141.146.116.63]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r4KIR3aR009635; Mon, 20 May 2013 18:27:03 GMT
Received: from [192.168.1.89] (/174.7.250.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 20 May 2013 11:27:03 -0700
Mime-Version: 1.0 (Apple Message framework v1283)
Content-Type: multipart/alternative; boundary="Apple-Mail=_4ED4F43C-8B87-4BFE-A929-3397DB3AAA83"
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <278419A3-8FFE-45F6-81A8-90D5CFFC13CB@oracle.com>
Date: Mon, 20 May 2013 11:27:07 -0700
Message-Id: <DA490296-52A3-4522-B237-2E2BA69B5FB2@oracle.com>
References: <519A3C9A.8060305@mitre.org> <9D2C4D6F-EBC0-4313-B3B1-5981A865A604@oracle.com> <519A4607.1030900@mitre.org> <DF861D80-C924-427D-9678-08AF9CCB5A61@oracle.com> <519A5261.1010506@mitre.org> <4E1F6AAD24975D4BA5B168042967394367742D5A@TK5EX14MBXC283.redmond.corp.microsoft.com> <278419A3-8FFE-45F6-81A8-90D5CFFC13CB@oracle.com>
To: Mike Jones <Michael.Jones@microsoft.com>
X-Mailer: Apple Mail (2.1283)
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 May 2013 18:27:11 -0000

Further to my last…

Justin has already committed to breaking changes.  This may have been lost or buried in the long review thread.

Specifically - The client authentication types specified are undocumented (client_secret_jwt and private_key_jwt) as they were all Holder-of-Key authentication methods.  The OAuth drafts currently only have bearer drafts and dyn reg does not support these profiles.  Justin has acknowledged this.

It seems to me, that since the token_endpoint_auth_method is broken, the current implementations are actually implementing the draft correctly or servers are just ignoring it the parameter.

There are concerns with this draft.  I plan to make specific suggestions (some breaking) later this week.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com





On 2013-05-20, at 10:51 AM, Phil Hunt wrote:

> -1
> 
> The draft has features that are unclear and will double the operational cost. The fact that it works doesn't mean it is ready from the wg perspective. 
> 
> For the production use, has anyone outside of oidc implemented and placed in production?
> 
> As a non-oidc implementer, I can't make the same assumptions (like discovery) that oidc umplementers have. 
> 
> Phil
> 
> On 2013-05-20, at 9:48, Mike Jones <Michael.Jones@microsoft.com> wrote:
> 
>> The deployment evidence doesn’t support your position, Phil.  There are over a dozen interoperable implementations already deployed.  Those deployments demonstrate that the spec, as written, is already doing one thing well – enabling clients (as defined by RFC 6749) to register with Authorization Servers, obtaining client_id and optionally client_secret values that enable those clients to use those Authorization Servers.  Doing one thing well is exactly what we should be striving for, and the evidence says that we’ve achieved that.
>>  
>> It’s time to ship it!
>>  
>>                                                                 -- Mike
>>  
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Justin Richer
>> Sent: Monday, May 20, 2013 9:42 AM
>> To: Phil Hunt
>> Cc: oauth@ietf.org
>> Subject: Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration
>>  
>> I, of course, disagree. But that's what we're trying to figure out as a working group, after all.
>> 
>>  -- Justin
>> 
>> On 05/20/2013 12:41 PM, Phil Hunt wrote:
>> This draft isn't ready for LC. 
>> 
>> Phil
>> 
>> On 2013-05-20, at 8:49, Justin Richer <jricher@mitre.org> wrote:
>> 
>> But also keep in mind that this is last-call, and that we don't really want to encourage avoidable drastic changes at this stage. 
>> 
>>  -- Justin
>> 
>> 
>> On 05/20/2013 11:21 AM, Phil Hunt wrote:
>> Keep in mind there may be other changes coming. 
>>  
>> The issue is that new developers can't figure out what token is being referred to. 
>> 
>> Phil
>> 
>> On 2013-05-20, at 8:09, Justin Richer <jricher@mitre.org> wrote:
>> 
>> Phil Hunt's review of the Dynamic Registration specification has raised a couple of issues that I felt were getting buried by the larger discussion (which I still strongly encourage others to jump in to). Namely, Phil has suggested a couple of syntax changes to the names of several parameters. 
>> 
>> 
>> 1) expires_at -> client_secret_expires_at
>> 2) issued_at -> client_id_issued_at
>> 3) token_endpoint_auth_method -> token_endpoint_client_auth_method
>> 
>> 
>> I'd like to get a feeling, especially from developers who have deployed this draft spec, what we ought to do for each of these:
>> 
>>  A) Keep the parameter names as-is
>>  B) Adopt the new names as above
>>  C) Adopt a new name that I will specify
>> 
>> In all cases, clarifying text will be added to the parameter *definitions* so that it's more clear to people reading the spec what each piece does. Speaking as the editor: "A" is the default as far as I'm concerned, since we shouldn't change syntax without very good reason to do so. That said, if it's going to be better for developers with the new parameter names, I am open to fixing them now.
>> 
>> Naming things is hard.
>> 
>>  -- Justin
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>  
>>  
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email