Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-dyn-reg-10.txt
Josh Mandel <jmandel@gmail.com> Tue, 07 May 2013 17:10 UTC
As I understand it (corrections welcome!) RFC 6749 says that public clients:

1. are defined functionally, as clients "incapable of maintaining the confidentiality of their credentials" [section 2.1]
2. "MAY establish a client authentication method" if the server allows, e.g. client password auth [section 2.3]

Given 1 and 2, it's technically possible for a public client to be assigned a (not-so-)secret that it uses not for authentication per se, but merely to go through the motions of client password auth.

(How) Does dyn-reg support the registration of a public client that (for whatever reason -- code re-use?) seeks to use a client authentication method?

It seems to me that, given the current draft, a registration server couldn't tell such a client from a confidential client (token_endpoint_auth_method, grant_types, and response_types would be indistinguishable).

Is this use case out of scope? If so, the spec might benefit from a note to that effect. If not, an explicit flag at registration time (conveying the app's explicitly asserted "public" vs. "confidential" status) might help servers make better decisions.

-Josh

On Sun, May 5, 2013 at 12:45 PM, <internet-drafts@ietf.org> wrote:

> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Web Authorization Protocol Working Group
> of the IETF.
>
> Title     : OAuth 2.0 Dynamic Client Registration Protocol
> Author(s) : Justin Richer
>             John Bradley
>             Michael B. Jones
>             Maciej Machulak
> Filename  : draft-ietf-oauth-dyn-reg-10.txt
> Pages     : 25
> Date      : 2013-05-05
>
> Abstract:
> This specification defines an endpoint and protocol for dynamic
> registration of OAuth 2.0 Clients at an Authorization Server and
> methods for the dynamically registered client to manage its
> registration.
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg
>
> There's also a htmlized version available at:
> http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-10
>
> A diff from the previous version is available at:
> http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-dyn-reg-10
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
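Added example, not part of the original message or of the draft: a server-side sketch of the situation the message describes, where a confidential client and a public client that uses client password auth submit the same token_endpoint_auth_method, grant_types and response_types. The inference heuristic, the sample registrations and the `declared_client_type` field are assumptions made for illustration; the draft defines no such field.

```python
# Added illustration. The three metadata names come from the message above;
# "declared_client_type" is a hypothetical field, not defined by the draft.

def fingerprint(meta):
    """The only registration fields a server could use to guess the client type."""
    return (
        meta["token_endpoint_auth_method"],
        tuple(sorted(meta["grant_types"])),
        tuple(sorted(meta["response_types"])),
    )

def infer_client_type(meta):
    """Best guess from the three fields alone (assumed heuristic)."""
    method, grants, responses = fingerprint(meta)
    if method == "none" or "implicit" in grants or "token" in responses:
        return "public"
    # A secret-based method looks confidential even if the client cannot keep the secret.
    return "confidential"

def classify(meta):
    """Treat the client as public if it says so or if its metadata implies it."""
    if meta.get("declared_client_type") == "public":
        return "public"
    return infer_client_type(meta)

# Constructed sample registrations (not taken from the draft or the thread).
SERVER_SIDE_APP = {
    "client_name": "Constructed web app",
    "token_endpoint_auth_method": "client_secret_basic",
    "grant_types": ["authorization_code"],
    "response_types": ["code"],
}
NATIVE_APP_REUSING_SECRET_FLOW = {
    "client_name": "Constructed native app",
    "token_endpoint_auth_method": "client_secret_basic",
    "grant_types": ["authorization_code"],
    "response_types": ["code"],
}

if __name__ == "__main__":
    same = fingerprint(SERVER_SIDE_APP) == fingerprint(NATIVE_APP_REUSING_SECRET_FLOW)
    print("indistinguishable by metadata:", same)
    print("native app inferred as:", infer_client_type(NATIVE_APP_REUSING_SECRET_FLOW))
    flagged = dict(NATIVE_APP_REUSING_SECRET_FLOW, declared_client_type="public")
    print("native app with explicit flag:", classify(flagged))
```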