IETF Logo Mail Archive

Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-discovery

David Waite <david@alkaline-solutions.com> Tue, 10 July 2018 18:39 UTC

Return-Path: <david@alkaline-solutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2199B1311AC for <oauth@ietfa.amsl.com>; Tue, 10 Jul 2018 11:39:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jE2tFfvAQCq5 for <oauth@ietfa.amsl.com>; Tue, 10 Jul 2018 11:39:54 -0700 (PDT)
Received: from alkaline-solutions.com (lithium5.alkaline-solutions.com [173.255.196.46]) by ietfa.amsl.com (Postfix) with ESMTP id D725F1311A2 for <oauth@ietf.org>; Tue, 10 Jul 2018 11:39:54 -0700 (PDT)
Received: from [IPv6:2601:282:202:b210:34dc:ce77:12b5:b66c] (unknown [IPv6:2601:282:202:b210:34dc:ce77:12b5:b66c]) by alkaline-solutions.com (Postfix) with ESMTPSA id 4F65731623; Tue, 10 Jul 2018 18:39:54 +0000 (UTC)
From: David Waite <david@alkaline-solutions.com>
Message-Id: <273B4B99-866D-4F6D-A2A8-3410B4ED2A3D@alkaline-solutions.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_CC80AE4F-C576-42BC-B7C2-034453A82F01"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Tue, 10 Jul 2018 12:39:53 -0600
In-Reply-To: <CAEdHPxrSNT0N4CiaDv+rzhh44m0g4zqUNwFq85tp6kMeVC7h-w@mail.gmail.com>
Cc: oauth@ietf.org
To: Andres Torres <janthoe@gmail.com>
References: <CAEdHPxrSNT0N4CiaDv+rzhh44m0g4zqUNwFq85tp6kMeVC7h-w@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/FXQCF5QYvCYBZKMtrPE5aOp5pVU>
Subject: Re: [OAUTH-WG] Mail regarding draft-ietf-oauth-discovery
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2018 18:40:10 -0000


> On Jul 10, 2018, at 12:19 PM, Andres Torres <janthoe@gmail.com> wrote:

> In terms of API design the final result is confusing. The resource /.well-known/oauth-authorization-server becomes a collection of resources where issuer is a subresource.. However, 
> /.well-known/oauth-authorization-server should be a subresource of the issuer/tenant. It is my understanding that .well-known is a prefix for known resources in a given service. Multiple instances of a service (ie: tenants) can be hosted using the same hostname in the form {issuer|tenant-identifier}/.well-known/{known-resource}. This way a proper resource hierarchy can be maintained in the URI namespace and heterogeneous services can be deployed under the same hostname.

This is/was actually how it was done within OpenID Connect. However, the only structured URL components allowed within IETF specifications are underneath a /.well-known root. Since a multi-tenant application may have a different issuer per tenant all within one origin, this transformation was created such that each can have their own metadata.

Another option would have been to have the issuer URL be the discovery URL, but this would require an issuer of https://example.com <https://example.com/> to modify the root of their service to respond to requests for metadata (such as in response to the requirements of an Accepts header).

A third option might be to define an ‘issuer’ parameter and behavior on the metadata endpoint, such that servers which host only one issuer could ignore it, but a server with multiple issuers could require and act on this parameter.

-DW

v2.23.0 | Report a Bug | By Email