[OAUTH-WG] New Software Statement and Client Association Drafts
Phil Hunt <phil.hunt@oracle.com> Fri, 27 September 2013 19:33 UTC
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BE9A11E8104 for <oauth@ietfa.amsl.com>; Fri, 27 Sep 2013 12:33:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.386
X-Spam-Level:
X-Spam-Status: No, score=-6.386 tagged_above=-999 required=5 tests=[AWL=0.212, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i2qWaewdv0Rq for <oauth@ietfa.amsl.com>; Fri, 27 Sep 2013 12:33:28 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id E544221F9ED4 for <oauth@ietf.org>; Fri, 27 Sep 2013 12:33:27 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r8RJXQxf032645 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <oauth@ietf.org>; Fri, 27 Sep 2013 19:33:27 GMT
Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r8RJXO2T023247 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <oauth@ietf.org>; Fri, 27 Sep 2013 19:33:25 GMT
Received: from abhmt106.oracle.com (abhmt106.oracle.com [141.146.116.58]) by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r8RJXODl002741 for <oauth@ietf.org>; Fri, 27 Sep 2013 19:33:24 GMT
Received: from [192.168.1.12] (/174.7.250.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 27 Sep 2013 12:33:24 -0700
From: Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E714BC51-9632-490F-B2BB-5F1574579C3F"
Message-Id: <211F3FEE-3481-4D63-B4EC-8AD7DBFB1638@oracle.com>
Date: Fri, 27 Sep 2013 12:33:23 -0700
To: "oauth@ietf.org WG" <oauth@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
X-Mailer: Apple Mail (2.1510)
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Subject: [OAUTH-WG] New Software Statement and Client Association Drafts
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Sep 2013 19:33:35 -0000
As promised, Tony and I have put together a draft proposal as an alternative to the dynamic registration draft. The relevant links are: http://datatracker.ietf.org/doc/draft-hunt-oauth-software-statement/ http://datatracker.ietf.org/doc/draft-hunt-oauth-client-association The two draft proposal provides equivalent functionality to dyn reg. Instead of a new RESTful/json endpoint, this proposal is an assertion centric proposal that adds the following features: 1. Provides a way to recognize client software and ensure all copies register the same way (e.g. redirect_url may be locked for all copies of a mobile app) 2. Registration can be implemented in a stateless fashion (using signed assertions) if desired 3. The association draft uses the normal OAuth token endpoint to issue tokens (improving extensibility for future token types) 4. Has simpler implementation logic resulting from defining 3 different client types and a simple method for each 5. Statements allow service providers to pre-approve client software and set policy (or conversely set broadly open policy) 6. Management API can be supported as an extension if desired (e.g. a version of draft-richer-oauth-dyn-reg-management) 7. Makes bearer tokens the default client credential to "raise the bar" security wise and enable stateless registration (though, client_secret could still be supported -- we should discuss) Note: the term "association" is meant to have broader scope than the term "registration". It acknowledges that not all clients may actually "register" prior to accessing services (see next paragraph). The association draft defines 3 client types, each of which is relatively simple to implement (and one of which is just the current "static" registration practice). The other two are "dynamic" and "transient". The big difference is that "transient" is intended for implicit flow (javascript) clients and eliminates the need to go through a registration step. "Dynamic" functions by leveraging the token endpoint to exchange software statement and instance specific parameters for a client credential and client registration information and an optional management API endpoint. We have also tried to provide equivalent functionality as dyn reg by providing approaches for: * An initial registration token * Client credential rotation * Should work for UMA and OpenID use cases as well as published software cases Thanks everyone for your contributions and comments! Phil @independentid www.independentid.com phil.hunt@oracle.com