Re: [OAUTH-WG] review comments on draft-ietf-oauth-dyn-reg-11.txt

Tim Bray <twbray@google.com> Thu, 06 June 2013 03:23 UTC

From: Tim Bray <twbray@google.com>
Date: Wed, 05 Jun 2013 20:23:09 -0700
Message-ID: <CA+ZpN27J2fDajrQX-uZD68L0C7H9teHquTM1qkJ0Wc4=oznZgg@mail.gmail.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] review comments on draft-ietf-oauth-dyn-reg-11.txt

I’m really missing something.  You start out with a scope you want a token
for, you get redirected for authentication, it comes back and you do a
code flow or a browser flow and you end up getting an access token.  Smells
like OAuth 2 to me.  -T


On Wed, Jun 5, 2013 at 8:19 PM, Manger, James H <
James.H.Manger@team.telstra.com> wrote:

> Tim Bray wrote:
> > FWIW, I just read the spec through with fresh eyes, and I found the
> explanation of the workflow in 1.4.2 very useful.
> >
> > - A developer manually registers and then is able to request “Initial
> tokens” tokens for a dynamic-app-registration-scope,
> > - you use that “Initial token” token to register, in exchange you get
> the client-id & so on, and also a per-registration “Registration token”
> for updating that particular registration information
> > - you fetch/update/delete your registration information with that
> registration token.
> >
> > The first part, where the developer registers & gets a token for a
> scope, is vanilla OAuth 2. (right?)
>
> Wrong? This doesn't sound like it has any technical connection to OAuth 2.
> It is a developer browsing to a service portal; presumably logging in with
> a password, perhaps with a 2nd factor (no OAuth here); and manually copying
> a credential that can be used with the 'BEARER' HTTP Authentication
> mechanism. There is no app orchestrating the interaction (the developer
> just browsed to the portal); there is no programmatic exchange of one app
> credential for another at an AS token endpoint. The only technical
> connection to OAuth 2 is that the 'BEARER' HTTP authentication mechanism is
> branded "OAuth 2" for marketing(?) reasons.
>
> --
> James Manger
>
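The three-step workflow Tim Bray summarises in the quoted text (initial token, registration response carrying a client id plus a per-registration token, then managing that one registration) modelled as an added Python example; it is not code from the draft or from anyone on the thread, and it assumes response field names in the style of registration_access_token and registration_client_uri and a constructed initial token. The point it makes explicit is that the initial token only unlocks the registration endpoint, while each registration token is bound to exactly one client_id.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample: an initial access token a developer obtained out of band
# (the step the thread debates). The scope name is an assumption for the demo.
INITIAL_TOKENS = {"initial-token-dev-1": {"scope": {"dynamic-app-registration"}}}


@dataclass
class RegistrationServer:
    """In-memory model of a dynamic registration endpoint (added example)."""
    clients: dict = field(default_factory=dict)     # client_id -> metadata + secret
    reg_tokens: dict = field(default_factory=dict)  # registration token -> client_id

    def register(self, bearer: str, metadata: dict) -> tuple:
        # Step 1: the initial token is a plain bearer credential; it only
        # authorises creating registrations, not touching any existing one.
        grant = INITIAL_TOKENS.get(bearer)
        if grant is None or "dynamic-app-registration" not in grant["scope"]:
            return 401, {"error": "invalid_token"}
        if not metadata.get("redirect_uris"):
            return 400, {"error": "invalid_redirect_uri"}
        client_id = secrets.token_urlsafe(12)
        reg_token = secrets.token_urlsafe(32)
        self.clients[client_id] = {**metadata, "client_secret": secrets.token_urlsafe(32)}
        # Step 2: the registration access token is bound to exactly one client_id.
        self.reg_tokens[reg_token] = client_id
        return 201, {"client_id": client_id,
                     "client_secret": self.clients[client_id]["client_secret"],
                     "registration_access_token": reg_token,
                     "registration_client_uri": f"https://as.example/register/{client_id}"}

    def read(self, client_id: str, bearer: str) -> tuple:
        # Step 3: fetch one registration; the presented token must be the one
        # issued for this client_id (constant-time compare, no cross-client use).
        bound = self.reg_tokens.get(bearer)
        if bound is None or not hmac.compare_digest(bound, client_id):
            return 401, {"error": "invalid_token"}
        return 200, {"client_id": client_id, **self.clients[client_id]}


def demo() -> tuple:
    """Register two clients, then show A's token works for A but not for B."""
    srv = RegistrationServer()
    status_a, resp_a = srv.register("initial-token-dev-1",
                                    {"redirect_uris": ["https://a.example/cb"], "client_name": "App A"})
    _, resp_b = srv.register("initial-token-dev-1", {"redirect_uris": ["https://b.example/cb"]})
    own, _ = srv.read(resp_a["client_id"], resp_a["registration_access_token"])
    cross, _ = srv.read(resp_b["client_id"], resp_a["registration_access_token"])
    return status_a, own, cross  # (201, 200, 401)
```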