IETF Logo Mail Archive

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details

Phil Hunt <phil.hunt@oracle.com> Wed, 28 August 2013 16:43 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9765411E8199 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:43:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.238
X-Spam-Level:
X-Spam-Status: No, score=-5.238 tagged_above=-999 required=5 tests=[AWL=-0.035, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HA0kcy4iJATc for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:43:35 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id E9EB821F8DA3 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:43:34 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7SGhWAZ030712 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 28 Aug 2013 16:43:33 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7SGhVnu014578 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 28 Aug 2013 16:43:31 GMT
Received: from abhmt108.oracle.com (abhmt108.oracle.com [141.146.116.60]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7SGhVfH014570; Wed, 28 Aug 2013 16:43:31 GMT
Received: from [192.168.1.89] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 28 Aug 2013 09:43:31 -0700
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <521E2834.4010102@mitre.org>
Date: Wed, 28 Aug 2013 09:43:40 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <E9A4949D-5969-4667-8ACF-945F2D16BDFD@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2353.2030904@aol.com> <23dda71eaefa47fb848fd2d6e4cd7499@BY2PR03MB189.namprd03.prod.outlook.com> <521E2657.1060506@aol.com> <521E276F.3010804@gmail.com> <521E2834.4010102@mitre.org>
To: Justin Richer <jricher@mitre.org>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:43:39 -0000

So why are you fighting so hard against standardizing software assertions?  You're affectively already using the solution for BB+.  

The fact that a standardized initial_access_token eliminates most of the registration endpoint seems to be your primary objection.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com







On 2013-08-28, at 9:41 AM, Justin Richer <jricher@mitre.org> wrote:

> Yes, that already works. And you could accomplish that with the current dynamic registration spec, too -- it's just that client assertions were deemed too-underspecified to include in the base draft, and nobody's stepped up to offer a full writeup and extension of using other auth mechanisms (outside of OpenID Connect).
> 
> -- Justin
> 
> On 08/28/2013 12:38 PM, Sergey Beryozkin wrote:
>> On 28/08/13 17:33, George Fletcher wrote:
>>> So I understand that you'd rather that OAuth doesn't require a
>>> client_secret and that's fine. However, I don't think we should impose
>>> that thinking on the rest of the world who have already implemented it
>>> and have it working and scaling without issues. If the core of this
>>> discussion is around replacing client_id and client_secret with a
>>> client_assertion then lets have that discussion separately and not bury
>>> it in the dynamic registration discussion.
>>> 
>>> Could you not profile OAuth2 to support a flow that allows for retrieval
>>> of access and refresh tokens using code + client_assertion? Doesn't seem
>>> like that hard a profile and then the rest of this could fall out pretty
>>> easily.
>>> 
>> That is already supported AFAIK, something like
>> 
>> grant_type=authorization_code
>> &code=12345678
>> &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer 
>> &client_assertion=Base64UrlEncoded-SAML2-Bearer-Assertion
>> 
>> probably the same works with JWT
>> 
>> Sergey
>> 
>> 
>>> Thanks,
>>> George
>>> 
>>> On 8/28/13 12:28 PM, Anthony Nadalin wrote:
>>>> 
>>>> I do think that this is the rare-edge use case, we would not want
>>>> require client-secret, we already have that mess today with OAuth and
>>>> trying not to continue the proliferation, we solve this today with our
>>>> STS and assertion swaps/transformations, it scales, performs and we
>>>> don’t have the management debacle this specification creates
>>>> 
>>>> *From:*oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On
>>>> Behalf Of *George Fletcher
>>>> *Sent:* Wednesday, August 28, 2013 9:21 AM
>>>> *To:* Phil Hunt
>>>> *Cc:* oauth mailing list
>>>> *Subject:* Re: [OAUTH-WG] Dynamic Client Registration Conference Call:
>>>> Wed 28 Aug, 2pm PDT: Conference Bridge Details
>>>> 
>>>> On 8/28/13 12:02 PM, Phil Hunt wrote:
>>>> 
>>>>    Please define the all in one case. I think this is the edge case and is in fact rare.
>>>> 
>>>> 
>>>> 
>>>>    I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.
>>>> 
>>>> 
>>>> 
>>>>    Dyn reg assumes every registration of an instance is unique which too me is a very extreme
>>>> 
>>>> If you have a mobile app that needs to do the code flow... which
>>>> requires a client_secret in order to retrieve the access token and
>>>> refresh token, how does the app do this without per app instance
>>>> registration?
>>>> 
>>>> I'd argue that almost all user facing mobile apps will want the above
>>>> flow and that's not a small, rare edge case.
>>>> 
>>>> Thanks,
>>>> George
>>>> 
>>>>    position.
>>>> 
>>>> 
>>>> 
>>>>    Phil
>>>> 
>>>> 
>>>> 
>>>>    On 2013-08-28, at 8:41, Justin Richer<jricher@mitre.org> <mailto:jricher@mitre.org>  wrote:
>>>> 
>>>> 
>>>> 
>>>>        Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>>>> 
>>>> 
>>>> 
>>>>        This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>>>> 
>>>> 
>>>> 
>>>>        Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>>>> 
>>>> 
>>>> 
>>>>        -- Justin
>>>> 
>>>> 
>>>> 
>>>>        On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>>> 
>>>>            Sorry. I meant also to say i think there are 2 registration steps
>>>> 
>>>>            1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>>> 
>>>> 
>>>> 
>>>>            Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>>> 
>>>> 
>>>> 
>>>>            2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>>> 
>>>> 
>>>> 
>>>>            Phil
>>>> 
>>>> 
>>>> 
>>>>            On 2013-08-28, at 8:04, Phil Hunt<phil.hunt@oracle.com> <mailto:phil.hunt@oracle.com>  wrote:
>>>> 
>>>> 
>>>> 
>>>>                I have a conflict I cannot get out of for 2pacific.
>>>> 
>>>> 
>>>> 
>>>>                I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>>> 
>>>> 
>>>> 
>>>>                I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>>> 
>>>> 
>>>> 
>>>>                Phil
>>>> 
>>>> 
>>>> 
>>>>                On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)"<hannes.tschofenig@nsn.com> <mailto:hannes.tschofenig@nsn.com>  wrote:
>>>> 
>>>> 
>>>> 
>>>>                    Here are the conference bridge / Webex details for the call today.
>>>> 
>>>>                    We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it:http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>> 
>>>> 
>>>> 
>>>>                    Phil, please feel free to make adjustments to your slides given the Justin's recent proposal.
>>>> 
>>>> 
>>>> 
>>>>                    Topic: OAuth Dynamic Client Registration
>>>> 
>>>>                    Date: Wednesday, August 28, 2013
>>>> 
>>>>                    Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>> 
>>>>                    Meeting Number: 703 230 586
>>>> 
>>>>                    Meeting Password: oauth
>>>> 
>>>> 
>>>> 
>>>> -------------------------------------------------------
>>>> 
>>>>                    To join the online meeting
>>>> 
>>>> -------------------------------------------------------
>>>> 
>>>>                    1. Go tohttps://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>> 
>>>>                    2. Enter your name and email address.
>>>> 
>>>>                    3. Enter the meeting password: oauth
>>>> 
>>>>                    4. Click "Join Now".
>>>> 
>>>> 
>>>> 
>>>>                    To view in other time zones or languages, please click the link:
>>>> 
>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>> 
>>>> 
>>>> 
>>>>                    To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>> 
>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>> 
>>>> 
>>>> 
>>>> -------------------------------------------------------
>>>> 
>>>>                    To join the teleconference only
>>>> 
>>>> -------------------------------------------------------
>>>> 
>>>>                    Global dial-in Numbers:http://www.nokiasiemensnetworks.com/nvc
>>>> 
>>>>                    Conference Code: 944 910 5485
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> 
>>>>                    OAuth mailing list
>>>> 
>>>>                    OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>> 
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>>> _______________________________________________
>>>> 
>>>>                OAuth mailing list
>>>> 
>>>>                OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>>> 
>>>>                https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>>>            _______________________________________________
>>>> 
>>>>            OAuth mailing list
>>>> 
>>>>            OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>>> 
>>>>            https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>>> 
>>>> 
>>>>    _______________________________________________
>>>> 
>>>>    OAuth mailing list
>>>> 
>>>>    OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>>> 
>>>>    https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> -- 
>>>> George Fletcher <http://connect.me/gffletch>
>>>> 
>>> 
>>> -- 
>>> George Fletcher <http://connect.me/gffletch>
>>> 
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>> 
>> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.46.0 | Report a Bug | By Email | System Status