IETF Logo Mail Archive

Re: [OAUTH-WG] review comments on draft-ietf-oauth-dyn-reg-11.txt

"Manger, James H" <James.H.Manger@team.telstra.com> Thu, 06 June 2013 03:43 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D170D21F93BA for <oauth@ietfa.amsl.com>; Wed, 5 Jun 2013 20:43:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.399
X-Spam-Level:
X-Spam-Status: No, score=0.399 tagged_above=-999 required=5 tests=[AWL=1.299, BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, HTML_MESSAGE=0.001, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UOGOLNujdClM for <oauth@ietfa.amsl.com>; Wed, 5 Jun 2013 20:42:57 -0700 (PDT)
Received: from ipxcno.tcif.telstra.com.au (ipxcno.tcif.telstra.com.au [203.35.82.208]) by ietfa.amsl.com (Postfix) with ESMTP id 10EC821F9302 for <oauth@ietf.org>; Wed, 5 Jun 2013 20:42:56 -0700 (PDT)
X-IronPort-AV: E=Sophos; i="4.87,811,1363093200"; d="scan'208,217"; a="133920822"
Received: from unknown (HELO ipccni.tcif.telstra.com.au) ([10.97.216.208]) by ipocni.tcif.telstra.com.au with ESMTP; 06 Jun 2013 13:42:56 +1000
X-IronPort-AV: E=McAfee;i="5400,1158,7097"; a="142286246"
Received: from wsmsg3703.srv.dir.telstra.com ([172.49.40.171]) by ipccni.tcif.telstra.com.au with ESMTP; 06 Jun 2013 13:42:55 +1000
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3703.srv.dir.telstra.com ([172.49.40.171]) with mapi; Thu, 6 Jun 2013 13:42:55 +1000
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: Tim Bray <twbray@google.com>
Date: Thu, 06 Jun 2013 13:42:54 +1000
Thread-Topic: [OAUTH-WG] review comments on draft-ietf-oauth-dyn-reg-11.txt
Thread-Index: Ac5iZT8e4I0vf2RNThqDHhLDMZvHNgAAFUSQ
Message-ID: <255B9BB34FB7D647A506DC292726F6E1151B105CF2@WSMSG3153V.srv.dir.telstra.com>
References: <20130524203638.25945.84709.idtracker@ietfa.amsl.com> <51A7ADAE.4070005@mitre.org> <62636DE9-80BD-4B83-817B-3E6622434FD0@oracle.com> <51A7C00B.6050409@mitre.org> <78BAEE23-FB66-4BA5-A1A5-5626D22AA014@oracle.com> <B33BFB58CCC8BE4998958016839DE27E08F97708@IMCMBX01.MITRE.ORG> <18C751E2-31B2-4C7F-BC9A-49F382F96673@oracle.com> <77A0DA5E-09CE-4A5E-9500-54A0842252FB@oracle.com> <F293690C-1E82-4350-80D4-2E2C0EF86E55@oracle.com> <51A8C0ED.6040607@mitre.org> <87E1F74D-9CCA-4330-82D6-AB3D9B8EF48D@oracle.com> <F319CA95-B5A8-4BD5-A8BA-F57BCBA6806B@oracle.com> <51A8E0BD.9090908@mitre.org> <521EB2A2-C786-43BE-9449-A12324347E6D@oracle.com> <002701ce5e33$620faaa0$262effe0$@reminetworks.com> <0561023C-4AFC-4281-BC62-764C12EC763D@oracle.com> <51A8FCA6.9050109@mitre.org> <004401ce5e3a$01854b70$048fe250$@reminetworks.com> <CA+ZpN24S9fEfFsgMtu8pN-ct-100+HVSHAfqO4Yy2SksrYt1eA@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E1151B105C72@WSMSG3153V.srv.dir.telstra.com> <CA+ZpN27J2fDajrQX-uZD68L0C7H9teHquTM1qkJ0Wc4=oznZgg@mail.gmail.com>
In-Reply-To: <CA+ZpN27J2fDajrQX-uZD68L0C7H9teHquTM1qkJ0Wc4=oznZgg@mail.gmail.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: multipart/alternative; boundary="_000_255B9BB34FB7D647A506DC292726F6E1151B105CF2WSMSG3153Vsrv_"
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] review comments on draft-ietf-oauth-dyn-reg-11.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jun 2013 03:43:04 -0000

Your “first part” where a developer gets an initial token sounds like a task a developer does using only a standard web browser, knowing their developer password. There is no OAuth here; there is no app interacting (just a human at a browser).

Perhaps I should not have jumped into this thread as I have not been delving deep into registration. I guess it is conceivable that a fancy app development suite is acting as an OAuth client: directing the developer to the AS to authorize the development suite to contact the registration “protected resource” on the developers behalf. Once authorized, the development suite collects a token from the token endpoint. That token is the “initial access token”. That would be OAuth 2 for the first part.
--
James Manger

From: Tim Bray [mailto:twbray@google.com]
Sent: Thursday, 6 June 2013 1:23 PM
To: Manger, James H
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] review comments on draft-ietf-oauth-dyn-reg-11.txt

I’m really missing something.  You start out with a scope you want a token for for, you get redirected for authentication, it comes back and you do a code flow or a browser flow and you end up getting an access token.  Smells like OAuth 2 to me.  -T

On Wed, Jun 5, 2013 at 8:19 PM, Manger, James H <James.H.Manger@team.telstra.com<mailto:James.H.Manger@team.telstra.com>> wrote:
Tim Bray wrote:
> FWIW, I just read the spec through with fresh eyes, and I found the explanation of the workflow in 1.4.2 very useful.
>
> - A developer manually registers and then is able to request “Initial tokens” tokens for a dynamic-app-registration-scope,
> - you use that “Initial token” token to register, in exchange you get the client-id & so on, and also a a per-registration “Registration token” for updating that particular registration information
> - you fetch/update/delete your registration information with that registration token.
>
> The first part, where the developer registers & gets a token for a scope, is vanilla OAuth 2. (right?)
Wrong? This doesn't sound like it has any technical connection to OAuth 2. It is a developer browsing to a service portal; presumably logging in with a password, perhaps with a 2nd factor (no OAuth here); and manually copying a credential that can be used with the 'BEARER' HTTP Authentication mechanism. There is no app orchestrating the interaction (the developer just browsed to the portal); there is no programmatic exchange of one app credential for another at an AS token endpoint. The only technical connection to OAuth 2 is that the 'BEARER' HTTP authentication mechanism is branded "OAuth 2" for marketing(?) reasons.

--
James Manger

v2.23.0 | Report a Bug | By Email