Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence

John Bradley <ve7jtb@ve7jtb.com> Thu, 18 February 2016 14:19 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD95A1AC3CA for <oauth@ietfa.amsl.com>; Thu, 18 Feb 2016 06:19:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EPtrl99AdVMA for <oauth@ietfa.amsl.com>; Thu, 18 Feb 2016 06:19:14 -0800 (PST)
Received: from mail-vk0-x233.google.com (mail-vk0-x233.google.com [IPv6:2607:f8b0:400c:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F94A1AC3DF for <oauth@ietf.org>; Thu, 18 Feb 2016 06:19:12 -0800 (PST)
Received: by mail-vk0-x233.google.com with SMTP id e6so45240428vkh.2 for <oauth@ietf.org>; Thu, 18 Feb 2016 06:19:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=RnM3WYt32y338cvY0ypttvwJyFx9IIIvsCgsvEFTYyU=; b=VsIv4OaAhzvnnx+aMbPW+EU2V3EkDgq12iILxzi8FEGsyXDRL0aoplDRtZjk0FuqOr Wfo+tAFjKyKgsqXwSXBSXQrLB0Pa9izTr5NvV4OFXrtlVVcT5uLZ3pZv64IUv5P3a3Vh YlG0mjf37VN0NEDXgsYhiKxNOVidgZoZW46GfqnoHGj7kcUdG1P5rF1fCYdI2+dKEkp8 yrN1vBaXjto0AWC3x3c4OfFZps5sFg7+w47msE66i6BL+liGY+FGCMIW5IsHpQ29yUv1 VeymPWF1WIpisP2hmF9s7tCAQqJdcuS7ugl2H/kEB1JIDy9AUoZJlEbsTe/tMvboY1Gm +90A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=RnM3WYt32y338cvY0ypttvwJyFx9IIIvsCgsvEFTYyU=; b=WbnmJ1gbu49rZsFW6vvoxkUktWxj3IyUcoLOOMeEQEzmxgAi05oK3tvFv1ndcQGwYx 6AMEfJBO8dsE5vNFYmJEtjZ6PTX32xQtg54NZVU9OYNtGBCadsnu2PSO+Sc5obwfFevL F6IU0seNs32KGAH9SfbwWmy/PQuy95Tk4t3QhE8rLhqrwRFuf9lEZckriHRjfC5A2mkx NlSrsWXlzg6TQ8zUGl/bhBOXi3MjZIGHkhVZQTj4ouzS7Vxh7C7tmOtBv0M2DQx72e+D glVBFe2KYzelU4PnBDK3Xyr94Orjku2tvLJvurddVTRNFJqxMwKFjiFL5t9Z7zO9Oove 8pxA==
X-Gm-Message-State: AG10YORBShQhZUu8+R/JhQqDueFfwK9bde3pOP2HJ2GlDmLl+zVeY2AWTjeh4PbzFMxhcA==
X-Received: by 10.31.44.77 with SMTP id s74mr6123602vks.4.1455805151892; Thu, 18 Feb 2016 06:19:11 -0800 (PST)
Received: from [192.168.12.59] (ip-64-134-184-168.public.wayport.net. [64.134.184.168]) by smtp.gmail.com with ESMTPSA id v19sm757939vkd.22.2016.02.18.06.19.10 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 18 Feb 2016 06:19:10 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_6ADD2369-3884-4482-859A-CF187414C116"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <A52BE40A-DEF2-48D6-9612-5BD035104DDB@oracle.com>
Date: Thu, 18 Feb 2016 09:19:09 -0500
Message-Id: <ACE3AB4B-7400-443B-AFFF-4832BADB371B@ve7jtb.com>
References: <BY2PR03MB44236EF33376F8C2BB135E8F5AF0@BY2PR03MB442.namprd03.prod.outlook.com> <533A97B6-F83D-4DBD-A015-81CD438EAE5F@oracle.com> <6E34B5BC-3E23-4E0F-8008-93797B15EB84@ve7jtb.com> <A52BE40A-DEF2-48D6-9612-5BD035104DDB@oracle.com>
To: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/FK7ctbqUpbXMGcYIzA2eT5A7_O4>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth Discovery spec pared down to its essence
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Feb 2016 14:19:18 -0000

Can you clarify what you mean by “resource service x”?

Is that the RS base URI for the resource,  a specific URI that the client is requesting?

That is getting UMA ish. 

The concept of a base RS URI is a rat hole that I prefer not to go down, as it is something everyone thinks exists but like SCIM if it exists it is protocol or deployment specific.

The notion that you would send the URI you are planning on requesting to a Webfinger server to find the OAuth server, is probably going to have privacy issues.

I suspect that you need to hand back a error from the resource to say where the AS is, or have a .well-known for the RS.

RS discovery probably wants to be separate from AS discovery.  (Yes I do think we need something,  UMA rpt or something like it might be a way to go)

John B.

> On Feb 18, 2016, at 9:06 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
> 
> Maybe SCIM was a bad example.  It functions as a RESTful resource in the context of OAuth.
> 
> I find the use of OIDC to be confusing as an example (and the default) because it is both an OAuth resource and a security service.  It is a modification of OAuth.
> 
> Start thinking about every application ever written that uses OAuth. Are we expecting 100s of thousands of these to each register?
> 
> To me, this specification is a fine specification for OIDC and it should be published there because the specification defines how to discovery OAuth and OpenID information.
> 
> Likewise you suggest it is ok for SCIM to do the same. 
> 
> How do we expect normal applications to set up and do discovery?
> 
> It seems to me that an “OAUTH” discovery spec should have a parameter to ask, I want to discover OAuth configuration for resource service X.
> 
> That still allows me to have a separate discovery service that says, tell me about resource service X itself.
> 
> BTW. I think we are FAR from Last Call on this topic.
> 
> Phil
> 
> @independentid
> www.independentid.com <http://www.independentid.com/>phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
> 
> 
> 
> 
> 
>> On Feb 18, 2016, at 6:55 AM, John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>> wrote:
>> 
>> Diffrent protocols like Connect and SCIM may have different configurations, endpoints , keys , authentication methods, scopes etc.
>> 
>> It should be posable to have them as one document, but forcing them to use one document is going to cause a explosion of claim registration for discovery.
>> 
>> I think it is better for SCIM to register one well known than to have to register 20 claims with scim prefixes or something silly like that.
>> 
>> Name-spacing the claims by allowing them to be in different well known files is not unreasonable.
>> 
>> Remember some of these protocols may be hosted on SaaS so there is no guarantee that all protocols will have the same OAuth Config.
>> 
>> Nothing stops a protocol from doing what it likes with webfinger if it wants to use that for discovery.
>> 
>> In principal I like the idea of having another protocol as an example.
>> 
>> My only concern is that I haven’t seen any discussion of your SCIM discovery document in the SCIM WG.  
>> I personally think sorting out discovery for SCIM is a good idea,  but OAUTh is but one of several authentication methods for SCIM, and there are probably other non OAuth things that want to be described.
>> 
>> I would feel better about using it as an example if it were adopted by the WG and some general interest shown.
>> 
>> I encourage you to do that so we can use it as a example.
>> 
>> John B.
>> 
>>> On Feb 18, 2016, at 8:35 AM, Phil Hunt <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>> wrote:
>>> 
>>> I still find the following text objectionable and confusing…
>>>    By default, for historical reasons, unless an application-specific
>>>    well-known URI path suffix is registered and used for an application,
>>>    the client for that application SHOULD use the well-known URI path
>>>    suffix "openid-configuration" and publish the metadata document at
>>>    the path formed by concatenating "/.well-known/openid-configuration"
>>>    to the authorization server's issuer identifier.  As described in
>>>    Section 5 <http://tools.ietf.org/html/draft-ietf-oauth-discovery-01#section-5>, despite the identifier
>>>    "/.well-known/openid-configuration", appearing to be OpenID-specific,
>>>    its usage in this specification is actually referring to a general
>>>    OAuth 2.0 feature that is not specific to OpenID Connect.
>>> 
>>> Further, as a default “openid-configuration” as the default further gives people the impression that a plain OAuth server *is* an authentication server and that the normal access token received is evidence of a successful authentication.
>>> 
>>> It would be better to point out that application may include oauth discovery in their discovery URI and that OAuth is an example of this. It might be good to include two examples.  E.g. OIDC and SCIM (as another referenceable example).
>>> 
>>>  GET /.well-known/openid-configuration
>>> and
>>>  GET /.well-known/scim
>>> Retrieve the OAuth configuration for the application openid and scim respectively.
>>> 
>>> The use of:
>>>  GET /.well-known/oauth2/
>>> Should be the default used when there is no known application based well-known application based URI discovery.
>>> 
>>> Of course, the concern I raised earlier is that this approach of application specific URIs ends up requiring every application to make an IANA registration if they don’t want to use the default of “oauth2” (or “openid-configuration”).  Is that what the authors expect?
>>> 
>>> It seemed better to me to use the webfinger syntax to allow the client to say “I want the designated OAuth configuration for the resource service X” would be a better design that avoids extensive IANA registration.
>>> 
>>> Phil
>>> 
>>> @independentid
>>> www.independentid.com <http://www.independentid.com/>phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>>> 
>>> 
>>> 
>>> 
>>> 
>>>> On Feb 17, 2016, at 11:48 PM, Mike Jones <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>> wrote:
>>>> 
>>>> In response to working group input, this version of the OAuth Discovery specification has been pared down to its essence – leaving only the features that are already widely deployed.  Specifically, all that remains is the definition of the authorization server discovery metadata document and the metadata values used in it.  The WebFinger discovery logic has been removed.  The relationship between the issuer identifier URL and the well-known URI path relative to it at which the discovery metadata document is located has also been clarified.
>>>>  
>>>> Given that this now describes only features that are in widespread deployment, the editors believe that this version is ready for working group last call.
>>>>  
>>>> The specification is available at:
>>>> ·       http://tools.ietf.org/html/draft-ietf-oauth-discovery-01 <http://tools.ietf.org/html/draft-ietf-oauth-discovery-01>
>>>>  
>>>> An HTML-formatted version is also available at:
>>>> ·       http://self-issued.info/docs/draft-ietf-oauth-discovery-01.html <http://self-issued.info/docs/draft-ietf-oauth-discovery-01.html>
>>>>  
>>>>                                                           -- Mike & Nat & John
>>>>  
>>>> P.S.  This notice was also posted at http://self-issued.info/?p=1544 <http://self-issued.info/?p=1544> and as @selfissued <https://twitter.com/selfissued>.
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>> 
>