Re: [OAUTH-WG] OAuth Discovery
Vladimir Dzhuvinov <vladimir@connect2id.com> Thu, 26 November 2015 14:31 UTC
Good work, Mike, John, Nat! I see that the introspection and revocation endpoints are included now (they've been missing in OpenID discovery).

Regarding client authentication, would it make sense to let token_endpoint_auth_methods_supported apply to the introspection and revocation endpoints as well?

    token_endpoint_auth_methods_supported
        OPTIONAL. JSON array containing a list of client authentication methods supported by this token endpoint. Client authentication method values are used in the "token_endpoint_auth_method" parameter defined in Section 2 of [RFC7591] <http://tools.ietf.org/html/rfc7591#section-2>. If omitted, the default is "client_secret_basic" -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 <http://tools.ietf.org/html/draft-jones-oauth-discovery-00#section-2.3.1> of OAuth 2.0 [RFC6749 <http://tools.ietf.org/html/rfc6749>].

Vladimir

On 26.11.2015 01:37, Mike Jones wrote:
> I'm pleased to announce that Nat Sakimura, John Bradley, and I have created an OAuth 2.0 Discovery specification. This fills a hole in the current OAuth specification set that is necessary to achieve interoperability. Indeed, the Interoperability section of OAuth 2.0 <https://tools.ietf.org/html/rfc6749#section-1.8> states:
>
>     In addition, this specification leaves a few required components partially or fully undefined (e.g., client registration, authorization server capabilities, endpoint discovery). Without these components, clients must be manually and specifically configured against a specific authorization server and resource server in order to interoperate.
>
>     This framework was designed with the clear expectation that future work will define prescriptive profiles and extensions necessary to achieve full web-scale interoperability.
>
> This specification enables discovery of both endpoint locations and authorization server capabilities.
>
> This specification is based upon the already widely deployed OpenID Connect Discovery 1.0 <http://openid.net/specs/openid-connect-discovery-1_0.html> specification and is compatible with it, by design. The OAuth Discovery spec removes the portions of OpenID Connect Discovery that are OpenID specific and adds metadata values for Revocation and Introspection endpoints. It also maps OpenID concepts, such as OpenID Provider, Relying Party, End-User, and Issuer to their OAuth underpinnings, respectively Authorization Server, Client, Resource Owner, and the newly introduced Configuration Information Location. Some identifiers with names that appear to be OpenID specific were retained for compatibility purposes; despite the reuse of these identifiers that appear to be OpenID specific, their usage in this specification is actually referring to general OAuth 2.0 features that are not specific to OpenID Connect.
>
> The specification is available at:
>
> * http://tools.ietf.org/html/draft-jones-oauth-discovery-00
>
> An HTML-formatted version is also available at:
>
> * http://self-issued.info/docs/draft-jones-oauth-discovery-00.html
>
> -- Mike
>
> P.S. This note was also posted at http://self-issued.info/?p=1496 and as @selfissued <https://twitter.com/selfissued>.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
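As an added illustration (not code from the draft or from anyone in the thread) of how a client would act on the token_endpoint_auth_methods_supported value quoted above, including the "client_secret_basic" default when the value is omitted and the proposal to reuse the token endpoint list for the introspection and revocation endpoints. The metadata document is constructed, and the endpoint-specific "<endpoint>_endpoint_auth_methods_supported" lookup is an assumption of this example, not something the draft defines.

```python
import base64
import json
from urllib.parse import quote

# Constructed sample metadata in the style of draft-jones-oauth-discovery-00:
# auth methods are advertised for the token endpoint only.
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://as.example.com",
  "token_endpoint": "https://as.example.com/token",
  "introspection_endpoint": "https://as.example.com/introspect",
  "revocation_endpoint": "https://as.example.com/revoke",
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"]
}""")

# The draft's default when token_endpoint_auth_methods_supported is omitted.
DEFAULT_AUTH_METHODS = ["client_secret_basic"]


def auth_methods_for(metadata, endpoint):
    """Client auth methods usable at `endpoint` ("token", "introspection", "revocation").

    Resolution order (steps 1 and 2 are assumptions of this example, not draft text):
      1. a hypothetical endpoint-specific "<endpoint>_endpoint_auth_methods_supported";
      2. otherwise the token endpoint list, reused for introspection and revocation
         as proposed in the thread;
      3. otherwise the draft's default, client_secret_basic.
    """
    specific = metadata.get(f"{endpoint}_endpoint_auth_methods_supported")
    if specific is not None:
        return list(specific)
    return list(metadata.get("token_endpoint_auth_methods_supported", DEFAULT_AUTH_METHODS))


def choose_auth_method(metadata, endpoint, client_supports):
    """First method in the client's preference order that the AS advertises.
    Returns None instead of silently falling back to a weaker method."""
    advertised = auth_methods_for(metadata, endpoint)
    return next((m for m in client_supports if m in advertised), None)


def client_secret_basic_header(client_id, client_secret):
    """Authorization header for client_secret_basic (RFC 6749 section 2.3.1):
    client_id and client_secret are form-urlencoded before Base64 encoding."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")
```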