IETF Logo Mail Archive

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

Anthony Nadalin <tonynad@microsoft.com> Wed, 22 May 2013 22:49 UTC

Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBB2111E8153 for <oauth@ietfa.amsl.com>; Wed, 22 May 2013 15:49:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.534
X-Spam-Level:
X-Spam-Status: No, score=0.534 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zM4T6c+CzfZN for <oauth@ietfa.amsl.com>; Wed, 22 May 2013 15:49:36 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0236.outbound.protection.outlook.com [207.46.163.236]) by ietfa.amsl.com (Postfix) with ESMTP id EAE9E11E815B for <oauth@ietf.org>; Wed, 22 May 2013 15:49:35 -0700 (PDT)
Received: from BL2FFO11FD018.protection.gbl (10.173.161.201) by BL2FFO11HUB013.protection.gbl (10.173.160.105) with Microsoft SMTP Server (TLS) id 15.0.698.0; Wed, 22 May 2013 22:49:33 +0000
Received: from TK5EX14MLTC104.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD018.mail.protection.outlook.com (10.173.161.36) with Microsoft SMTP Server (TLS) id 15.0.698.0 via Frontend Transport; Wed, 22 May 2013 22:49:33 +0000
Received: from tx2outboundpool.messaging.microsoft.com (157.54.51.113) by mail.microsoft.com (157.54.79.159) with Microsoft SMTP Server (TLS) id 14.2.318.3; Wed, 22 May 2013 22:49:17 +0000
Received: from mail8-tx2-R.bigfish.com (10.9.14.243) by TX2EHSOBE006.bigfish.com (10.9.40.26) with Microsoft SMTP Server id 14.1.225.23; Wed, 22 May 2013 22:48:09 +0000
Received: from mail8-tx2 (localhost [127.0.0.1]) by mail8-tx2-R.bigfish.com (Postfix) with ESMTP id 73FDD1C027C for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Wed, 22 May 2013 22:48:09 +0000 (UTC)
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.21; KIP:(null); UIP:(null); (null); H:BL2PRD0310HT003.namprd03.prod.outlook.com; R:internal; EFV:INT
X-SpamScore: -24
X-BigFish: PS-24(zzbb2dI98dI9371Ic89bh936eI1e83Mc857hdb82hzz1f42h1ee6h1de0h1fdah1202h1e76h1d1ah1d2ah1fc6h1082kzz1033IL17326ah18c673h8275bh8275dhz31h2a8h668h839hd24hf0ah1288h12a5h12bdh137ah1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah1bceh1d07h1d0ch1d2eh1d3fh9a9j1155h)
Received-SPF: softfail (mail8-tx2: transitioning domain of microsoft.com does not designate 157.56.240.21 as permitted sender) client-ip=157.56.240.21; envelope-from=tonynad@microsoft.com; helo=BL2PRD0310HT003.namprd03.prod.outlook.com ; .outlook.com ;
X-Forefront-Antispam-Report-Untrusted: SFV:SKI; SFS:; DIR:OUT; SFP:; SCL:-1; SRVR:BY2PR03MB041; H:BY2PR03MB041.namprd03.prod.outlook.com; LANG:en;
Received: from mail8-tx2 (localhost.localdomain [127.0.0.1]) by mail8-tx2 (MessageSwitch) id 136926288744974_12920; Wed, 22 May 2013 22:48:07 +0000 (UTC)
Received: from TX2EHSMHS029.bigfish.com (unknown [10.9.14.247]) by mail8-tx2.bigfish.com (Postfix) with ESMTP id F07F040010D; Wed, 22 May 2013 22:48:06 +0000 (UTC)
Received: from BL2PRD0310HT003.namprd03.prod.outlook.com (157.56.240.21) by TX2EHSMHS029.bigfish.com (10.9.99.129) with Microsoft SMTP Server (TLS) id 14.1.225.23; Wed, 22 May 2013 22:48:06 +0000
Received: from BY2PR03MB041.namprd03.prod.outlook.com (10.255.241.145) by BL2PRD0310HT003.namprd03.prod.outlook.com (10.255.97.38) with Microsoft SMTP Server (TLS) id 14.16.311.1; Wed, 22 May 2013 22:48:04 +0000
Received: from BY2PR03MB041.namprd03.prod.outlook.com (10.255.241.145) by BY2PR03MB041.namprd03.prod.outlook.com (10.255.241.145) with Microsoft SMTP Server (TLS) id 15.0.698.13; Wed, 22 May 2013 22:48:02 +0000
Received: from BY2PR03MB041.namprd03.prod.outlook.com ([169.254.8.74]) by BY2PR03MB041.namprd03.prod.outlook.com ([169.254.8.74]) with mapi id 15.00.0698.010; Wed, 22 May 2013 22:48:02 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Phil Hunt <phil.hunt@oracle.com>
Thread-Topic: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration
Thread-Index: AQHOVWw2HOVR1MGBX02Be07cmNz/cpkOMHcAgAAH54CAAA6lAIAAGIDAgAAAQ4CAAytGAIAAIbEAgAALjfCAABDGgIAACMHw
Date: Wed, 22 May 2013 22:48:01 +0000
Message-ID: <be7043660ea2476ab64b7e42895c8793@BY2PR03MB041.namprd03.prod.outlook.com>
References: <519A3C9A.8060305@mitre.org> <9D2C4D6F-EBC0-4313-B3B1-5981A865A604@oracle.com> <519A4607.1030900@mitre.org> <DF861D80-C924-427D-9678-08AF9CCB5A61@oracle.com> <a71babc7649b457e899f07954756a635@BY2PR03MB041.namprd03.prod.outlook.com> <519A6715.9040904@mitre.org> <148ab6ca581c49358e1ba8ecdbd791b3@BY2PR03MB041.namprd03.prod.outlook.com> <519D2BE4.6080303@mitre.org> <8ae4313deafe4397b0b312ef38dcf182@BY2PR03MB041.namprd03.prod.outlook.com> <CC5D3E75-98BE-48D8-B755-66AB97186AF6@oracle.com>
In-Reply-To: <CC5D3E75-98BE-48D8-B755-66AB97186AF6@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [50.46.126.7]
Content-Type: multipart/alternative; boundary="_000_be7043660ea2476ab64b7e42895c8793BY2PR03MB041namprd03pro_"
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BY2PR03MB041.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%MITRE.ORG$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%ORACLE.COM$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-CrossPremisesHeadersPromoted: TK5EX14MLTC104.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14MLTC104.redmond.corp.microsoft.com
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(24454002)(189002)(479174002)(377454002)(377424003)(78114002)(199002)(76482001)(512874002)(47976001)(54316002)(46102001)(71186001)(81342001)(56816002)(56776001)(81542001)(77982001)(74366001)(59766001)(31966008)(49866001)(74502001)(47736001)(47446002)(79102001)(54356001)(74662001)(50986001)(4396001)(16236675002)(74876001)(69226001)(74706001)(74316001)(15202345002)(44976003)(16676001)(561944002)(66066001)(63696002)(20776003)(80022001)(33646001)(53806001)(6806003)(65816001)(51856001)(42262001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BL2FFO11HUB013; H:TK5EX14MLTC104.redmond.corp.microsoft.com; RD:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 0854128AF0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 May 2013 22:49:42 -0000

My mistake, was to say, We already have OpenID Connect doing dynamic registration, I don’t think there is a need to force it into OAuth.

From: Phil Hunt [mailto:phil.hunt@oracle.com]
Sent: Wednesday, May 22, 2013 3:16 PM
To: Anthony Nadalin
Cc: Justin Richer; oauth@ietf.org
Subject: Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

I'm having trouble understanding
We already have OAuth doing dynamic registration, I don’t think there is a need to force it into OAuth.


I would be open to a scim dyn reg version. Particularly to discuss instance metadata mgt which scim is good at and the credential managemenr/bootstrap process as it pertains to oauth.  Never-the-less the overwhelming priority has been apparently to simply standardize oidc and uma implementations as is. This I am not comfortable with but i can live with if there is give and take.

I feel the subject is well in charter and is an important issue due to the life-cycle management issues behind clients and the need to make public clients the security equiv. of confidential clients.

Phil

On 2013-05-22, at 14:22, Anthony Nadalin <tonynad@microsoft.com<mailto:tonynad@microsoft.com>> wrote:
I totally disagree with your characterization of SCIM, while it can be used from server to server (provision one system to another) it can also be client to endpoint (initial provisioning and JIT provisioning). SCIM is fairly simple (but can be complex), I also have concerns about SCIM not being 100% restful but that does not stop us from using it. I also agree that we should let OAuth do what it’s good at and don’t try to force it into something that it’s not. We already have OAuth doing dynamic registration, I don’t think there is a need to force it into OAuth.


From: Justin Richer [mailto:jricher@mitre.org]
Sent: Wednesday, May 22, 2013 1:35 PM
To: Anthony Nadalin
Cc: Phil Hunt; oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

I'm not sure why you don't think it's in scope, it's in the working group's charter:

  http://www.ietf.org/dyn/wg/charter/oauth-charter.html

So ... it's definitely in scope, and has been for over a year and a half. This is the tenth version of this document-- an IETF Working Group document at that-- that's been posted to the group with every revision and there has been significant conversation around it, especially over the last six months since I took over the editor role. There are also a handful of implementations of this, and while most of them are built to do OpenID Connect or UMA (which are directly built on OAuth), I know there are some that also do plain OAuth. (Not the least of which is one that I have personally implemented and deployed.)

SCIM doesn't solve client management particularly well, since it's made for users more than anything. The usage model of SCIM is also quite different -- it's really intended to be used between two servers to transfer information, as opposed to handling self-asserted claims. I understand that some implementations like UAA have done their static registration using a SCIM profile, but it's not dynamic registration, really. I think it's too much of a square-peg-round-hole problem, at least with SCIM as it is today; so let SCIM do what it's good at, and don't try to force it into something it's not.

Furthermore, be careful not to conflate SCIM with REST. Ultimately, Dynamic Registration was meant to be a fairly simple REST/JSON API that would be easy to implement, especially for clients. Just because SCIM is RESTful doesn't mean it's a good structure for other RESTful APIs. Namely, I don't think the extra structure and hooks with SCIM really buy you anything here, especially with the additions and changes you'd have to make to SCIM.

And finally, nobody to date has actually written a proposal that is even remotely SCIM based.

 -- Justin
On 05/22/2013 02:39 PM, Anthony Nadalin wrote:
So, I really don’t understand why dynamic registration is in scope, I understand this relative to OpenID Connect but not OAuth, if this is indeed in scope then I would have expected that the endpoint be based upon SCIM and not something else like what has been done here.

From: Justin Richer [mailto:jricher@mitre.org]
Sent: Monday, May 20, 2013 11:10 AM
To: Anthony Nadalin
Cc: Phil Hunt; oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

Tony, can you be more specific? What needs to be changed in your opinion? What text changes would you suggest?

 -- Justin
On 05/20/2013 02:09 PM, Anthony Nadalin wrote:
Agree

From: oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org> [mailto:oauth-bounces@ietf.org] On Behalf Of Phil Hunt
Sent: Monday, May 20, 2013 9:42 AM
To: Justin Richer
Cc: oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

This draft isn't ready for LC.

Phil

On 2013-05-20, at 8:49, Justin Richer <jricher@mitre.org<mailto:jricher@mitre.org>> wrote:
But also keep in mind that this is last-call, and that we don't really want to encourage avoidable drastic changes at this stage.

 -- Justin




On 05/20/2013 11:21 AM, Phil Hunt wrote:
Keep in mind there may be other changes coming.

The issue is that new developers can't figure out what token is being referred to.

Phil

On 2013-05-20, at 8:09, Justin Richer <jricher@mitre.org<mailto:jricher@mitre.org>> wrote:
Phil Hunt's review of the Dynamic Registration specification has raised a couple of issues that I felt were getting buried by the larger discussion (which I still strongly encourage others to jump in to). Namely, Phil has suggested a couple of syntax changes to the names of several parameters.


1) expires_at -> client_secret_expires_at
2) issued_at -> client_id_issued_at
3) token_endpoint_auth_method -> token_endpoint_client_auth_method


I'd like to get a feeling, especially from developers who have deployed this draft spec, what we ought to do for each of these:

 A) Keep the parameter names as-is
 B) Adopt the new names as above
 C) Adopt a new name that I will specify

In all cases, clarifying text will be added to the parameter *definitions* so that it's more clear to people reading the spec what each piece does. Speaking as the editor: "A" is the default as far as I'm concerned, since we shouldn't change syntax without very good reason to do so. That said, if it's going to be better for developers with the new parameter names, I am open to fixing them now.

Naming things is hard.

 -- Justin
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email