[OAUTH-WG] Dynamic Client Registration
Hannes Tschofenig <hannes.tschofenig@gmx.net> Sat, 02 November 2013 10:22 UTC
Message-ID: <5274D238.8070803@gmx.net>
Date: Sat, 02 Nov 2013 11:21:44 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: "oauth@ietf.org WG" <oauth@ietf.org>
Hi all,

reading through various dynamic client registration documents I get the impression that there is one area of potential disconnect, namely in the end user / developer experience.

When OpenID started this concept that a random IdP could talk to a random RP it seemed like a great idea. There was no need to exchange secrets and go through this complicated introduction process between the different parties, which sometimes even required business agreements. Those processes were known from Kerberos and also from the SAML identity federations. OpenID looked at the entire step from a technical point of view in an attempt to exchange the necessary information and then you were done with it.

However, there was a bit more to this whole process, namely the entire notion of trust. In particular, there was the problem that the IdP would hand out information (personal data) to RPs only based on the user's consent. Of course, things could go wrong and some RPs misused the data given by the RP. The IdP couldn't really do anything about that since it knew nothing about the developer at the RP or the RP itself. So, how does the IdP ensure that it has some way to improve security and privacy of their users without handing out just everything? Of course, the IdP had its own interest to know who data is being passed to.

Jumping to OAuth, many deployments required developers to register and this registration procedure might require lots of information (such as credit card number, phone number, agreeing to the terms of service, etc.). So, in many cases it wasn't purely about giving the developer a client-id and a shared secret for the client application.

Now, here is the challenge: there are obviously different environments developers produce software for (such as the Web, the mobile app eco-system, and enterprise environments). They might all have different processes and expectations about the entire process.

We have pretty much short-cut the entire story to the purely technical parts, namely to sending messages around and defining new attributes, and have done very little in describing the process itself that we assume takes place. I know that you have these processes in your head when you write your documents and in discussions I have heard about these processes. Unfortunately, they aren't really documented anywhere. I guess it is needless to say that the expectations about how enterprises plan to deploy software vs. how the same is done for the Web are somewhat different.

So, I believe it is useful to chat about these aspects even though they may just lead to a few paragraphs in our documents providing background information rather than actual normative specification text.

Ciao
Hannes