Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Discovery

Phil Hunt <phil.hunt@oracle.com> Fri, 05 February 2016 00:40 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30F2E1B2ACB for <oauth@ietfa.amsl.com>; Thu, 4 Feb 2016 16:40:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MANGLED_PREMTR=2.3, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id epa_-mkQQmIG for <oauth@ietfa.amsl.com>; Thu, 4 Feb 2016 16:40:20 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17BB61B2ACA for <oauth@ietf.org>; Thu, 4 Feb 2016 16:40:20 -0800 (PST)
Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id u150eIlb014699 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 5 Feb 2016 00:40:18 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userv0021.oracle.com (8.13.8/8.13.8) with ESMTP id u150eIeX016962 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Fri, 5 Feb 2016 00:40:18 GMT
Received: from abhmp0004.oracle.com (abhmp0004.oracle.com [141.146.116.10]) by userv0121.oracle.com (8.13.8/8.13.8) with ESMTP id u150eHlU018699; Fri, 5 Feb 2016 00:40:17 GMT
Received: from [192.168.1.22] (/174.7.250.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 04 Feb 2016 16:40:17 -0800
Content-Type: multipart/alternative; boundary="Apple-Mail=_9AE0ED39-1589-4D6F-BF38-F2D6596F8472"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <2DE2E1FE-BBB0-489B-9479-888A7D36E6C8@mit.edu>
Date: Thu, 4 Feb 2016 16:40:15 -0800
Message-Id: <087DD3F7-79AD-4513-B777-F14164992136@oracle.com>
References: <569E2298.3010508@gmx.net> <BY2PR03MB44237A6E59B1E76D9B7D14CF5D10@BY2PR03MB442.namprd03.prod.outlook.com> <CAAP42hATYHF1meMjJ_Exu=G5d-xWXcky2nNwny1DwWqxf3ZE6Q@mail.gmail.com> <0B9E9D6E-67A9-4956-BFA2-9A90CD39087A@oracle.com> <E04315CD-4FD3-4B06-BD33-22FF6DC5EB38@adm.umu.se> <2DE2E1FE-BBB0-489B-9479-888A7D36E6C8@mit.edu>
To: Justin Richer <jricher@mit.edu>
X-Mailer: Apple Mail (2.3112)
X-Source-IP: userv0021.oracle.com [156.151.31.71]
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/IsN-xKcGMZOTVzCYnNlowDyCR6o>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Discovery
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Feb 2016 00:40:22 -0000

I thought about this when doing the SCIM discovery document. Initially I only had cases for plain ./well-known.  But I found there are two types of clients. I decided later that mobile and web apps have different needs.

E.g. a mobile app might ask anonymously or on behalf of an already authenticated subject.  ./well-known works fine.

A web app that works on behalf of multiple users (e.g. is an OIDC client), might find that the answer varies based on the user acnt it wants to ask on behalf of.  The webfinger?rel=oauth&acnt:<someid> model works much better.

Phil

@independentid
www.independentid.com <http://www.independentid.com/>phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>





> On Feb 4, 2016, at 4:34 PM, Justin Richer <jricher@mit.edu> wrote:
> 
> +1, if we define a webfinger/rel at all.
> 
> I would rather we just define the service discovery document, the thing that lives under .well-known.
> 
> — Justin
> 
> 
>> On Feb 4, 2016, at 4:01 AM, Roland Hedberg <roland.hedberg@umu.se> wrote:
>> 
>> +1
>> 
>>> 4 feb 2016 kl. 08:10 skrev Phil Hunt <phil.hunt@oracle.com>om>:
>>> 
>>> +1 for adoption.
>>> 
>>> However I would like a rel value distinct from OpenID (see separate email). While the mechanics of discovery is the same, I believe some clients will want to distinguish between OAuth AS’s and OIDC OPs.  Further, I would expect over time that different discovery features may be required. Locking them together seems like a pre-mature or rush choice.
>>> 
>>> Phil
>>> 
>>> @independentid
>>> www.independentid.com
>>> phil.hunt@oracle.com
>>> 
>>> 
>>> 
>>> 
>>> 
>>>> On Feb 3, 2016, at 10:44 PM, William Denniss <wdenniss@google.com> wrote:
>>>> 
>>>> +1 for adoption of this document by the working group
>>>> 
>>>> On Wed, Feb 3, 2016 at 10:27 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>>>> I support adoption of this document by the working group.  I'll note that elements of this specification are already in production use by multiple parties.
>>>> 
>>>>                               -- Mike
>>>> 
>>>> -----Original Message-----
>>>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
>>>> Sent: Tuesday, January 19, 2016 3:49 AM
>>>> To: oauth@ietf.org
>>>> Subject: [OAUTH-WG] Call for Adoption: OAuth 2.0 Discovery
>>>> 
>>>> Hi all,
>>>> 
>>>> this is the call for adoption of OAuth 2.0 Discovery, see
>>>> https://tools.ietf.org/html/draft-jones-oauth-discovery-00
>>>> 
>>>> Please let us know by Feb 2nd whether you accept / object to the adoption of this document as a starting point for work in the OAuth working group.
>>>> 
>>>> Note: If you already stated your opinion at the IETF meeting in Yokohama then you don't need to re-state your opinion, if you want.
>>>> 
>>>> The feedback at the Yokohama IETF meeting was the following: 19 for / zero against / 4 persons need more information.
>>>> 
>>>> Ciao
>>>> Hannes & Derek
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>