Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-dyn-reg-10.txt

Josh Mandel <jmandel@gmail.com> Tue, 07 May 2013 17:10 UTC


As I understand it (corrections welcome!) rfc6749 says that public clients:

1.  are defined functionally, as clients "incapable of maintaining the
confidentiality of their credentials" [section 2.1]
2.  "MAY establish a client authentication method" if the server allows.
e.g. client password auth [section 2.3]

Given 1 and 2, it's technically possible for a public client to be assigned a
(not-so-)secret that it uses not for authentication per se, but merely to
go through the motions of client password auth.

(How) Does dyn-reg support the registration of a public client that (for
whatever reason -- code re-use?) seeks to use a client authentication
method? It seems to me that, given the current draft, a registration server
couldn't tell such a client from a confidential client (
token_endpoint_auth_method, grant_types, and response_types would be
indistinguishable).

Is this use case out of scope?  If so, the spec might benefit from a note
to that effect.  If not, an explicit flag at registration time (conveying
the app's explicitly asserted "public" vs. "confidential" status) might
help servers make better decisions.

  -Josh

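The ambiguity described above, as an added illustration that is not part of this thread or of the draft: a toy registration handler that infers client type from the dyn-reg metadata the message names, and then honours a hypothetical explicit `client_type` field (an assumption here, not something the draft defines). The two sample requests are constructed.

```python
"""Added example: public vs. confidential inference at a dyn-reg endpoint."""
import secrets

# token_endpoint_auth_method values for HTTP Basic / POST client password
# authentication, as the draft names them; "none" means no authentication.
PASSWORD_AUTH = {"client_secret_basic", "client_secret_post"}

# Constructed sample registrations. The native app is a public client that
# reuses password-auth code paths; the web app is a genuine confidential one.
NATIVE_APP = {
    "client_name": "Example native app (constructed)",
    "redirect_uris": ["myapp://callback"],
    "token_endpoint_auth_method": "client_secret_basic",
    "grant_types": ["authorization_code"],
    "response_types": ["code"],
}
WEB_APP = dict(NATIVE_APP, client_name="Example web app (constructed)",
               redirect_uris=["https://app.example.test/cb"])


def infer_client_type(req: dict) -> str:
    """Server-side guess using only the metadata the draft defines."""
    method = req.get("token_endpoint_auth_method", "client_secret_basic")
    if method == "none":
        return "public"
    if method in PASSWORD_AUTH:
        # A public client merely "going through the motions" lands here too.
        return "confidential"
    return "unknown"


def register(req: dict) -> dict:
    """Registration decision; honours the hypothetical flag when present."""
    declared = req.get("client_type")  # ASSUMPTION: field not in the draft
    client_type = (declared if declared in ("public", "confidential")
                   else infer_client_type(req))
    method = req.get("token_endpoint_auth_method", "client_secret_basic")
    resp = {"client_id": secrets.token_urlsafe(16),
            "client_type": client_type,
            "token_endpoint_auth_method": method}
    if method in PASSWORD_AUTH:
        resp["client_secret"] = secrets.token_urlsafe(32)
        # The secret only counts as authentication if the client can keep it.
        resp["secret_authenticates"] = client_type == "confidential"
    return resp
```

Without the flag both sample requests are classified the same way; with it the server can issue the native app a secret while recording that the secret does not authenticate anything.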

On Sun, May 5, 2013 at 12:45 PM, <internet-drafts@ietf.org> wrote:

>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>  This draft is a work item of the Web Authorization Protocol Working Group
> of the IETF.
>
>         Title           : OAuth 2.0 Dynamic Client Registration Protocol
>         Author(s)       : Justin Richer
>                           John Bradley
>                           Michael B. Jones
>                           Maciej Machulak
>         Filename        : draft-ietf-oauth-dyn-reg-10.txt
>         Pages           : 25
>         Date            : 2013-05-05
>
> Abstract:
>    This specification defines an endpoint and protocol for dynamic
>    registration of OAuth 2.0 Clients at an Authorization Server and
>    methods for the dynamically registered client to manage its
>    registration.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg
>
> There's also a htmlized version available at:
> http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-10
>
> A diff from the previous version is available at:
> http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-dyn-reg-10
>
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>