Re: [OAUTH-WG] client_secret_expires_at redux again (was Re: Dynamic Client Registration Sent to the IESG)
Brian Campbell <bcampbell@pingidentity.com> Fri, 12 September 2014 16:53 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 146701A6FC8 for <oauth@ietfa.amsl.com>; Fri, 12 Sep 2014 09:53:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.578
X-Spam-Level:
X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5GrK1NzJ2vup for <oauth@ietfa.amsl.com>; Fri, 12 Sep 2014 09:53:47 -0700 (PDT)
Received: from na3sys009aog132.obsmtp.com (na3sys009aog132.obsmtp.com [74.125.149.250]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E43391A073C for <oauth@ietf.org>; Fri, 12 Sep 2014 09:53:46 -0700 (PDT)
Received: from mail-ig0-f177.google.com ([209.85.213.177]) (using TLSv1) by na3sys009aob132.postini.com ([74.125.148.12]) with SMTP ID DSNKVBMlGgOpWbqzKC+x13xnD2QRVoqRwAmT@postini.com; Fri, 12 Sep 2014 09:53:46 PDT
Received: by mail-ig0-f177.google.com with SMTP id h15so858052igd.4 for <oauth@ietf.org>; Fri, 12 Sep 2014 09:53:46 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=nfYrfrhZIwu7AuntLZXPrT5WyDm8WCDjeMs4kUrRWiI=; b=NlodgewTyCXwcCUEbxgfmAteeaQyo5R4xxDwMdq7TdzqyNeL/cPTd9HsoUoccFdiBN aOJizzIZyOeghake9ipHc3TzoaSz5+qQ8Q2oZDeY94j/QFpFynRTrVq08oW8k7HGvryI 0X4cniNbwVRtlS/KFRyD5CAstVBqTJwp4q06+rrKMR3zbKxRz9HGhdGco706D4loH2qQ v8qI+Wd0zCjTDywYUZzFwco+o2rbAlLTX1cIw4AzaRnA5hhE3zw0ICB2xnIlgAG0qK1S HbEsmQZk6sVfdC8GOzOsEVgYR2pHMQ5WX5533BeJANMxr1tpf0XVgwOuvAY9P9H5azk8 yUOQ==
X-Gm-Message-State: ALoCoQmNrbNbm4PCCZPJgwaZrhGccp/ss2CZHEWXBzxg8lOZpLPIK6XlE3+wZNqiZD8A8DtnX3wQgTly4isIKCOCyM0GP5EC27IjfWR76/FMRU5wFV87vIhy4BlyWpKmIygbvQtglID+
X-Received: by 10.50.111.80 with SMTP id ig16mr3762544igb.43.1410540826154; Fri, 12 Sep 2014 09:53:46 -0700 (PDT)
X-Received: by 10.50.111.80 with SMTP id ig16mr3762531igb.43.1410540826023; Fri, 12 Sep 2014 09:53:46 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.12.137 with HTTP; Fri, 12 Sep 2014 09:53:15 -0700 (PDT)
In-Reply-To: <AC1D34BF-6EDD-4EFE-A0FD-AE4C2B43B2D4@mitre.org>
References: <CA+k3eCT4u1h9zDa_6z9jx9RpQQvVCyRAO4+NmJPN6FpKWRYWAw@mail.gmail.com> <AC1D34BF-6EDD-4EFE-A0FD-AE4C2B43B2D4@mitre.org>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 12 Sep 2014 10:53:15 -0600
Message-ID: <CA+k3eCQ3cdv41J8arYR3cht7bSMc2SisZ1UQjpn+JhX63Q_UkQ@mail.gmail.com>
To: "Richer, Justin P." <jricher@mitre.org>
Content-Type: multipart/alternative; boundary="089e014944a4e074bc0502e1203a"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/JKMaEHms5N8lAYiRJSc4gfgwq14
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] client_secret_expires_at redux again (was Re: Dynamic Client Registration Sent to the IESG)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Sep 2014 16:53:50 -0000
Okay, I see 'Changed "expires_at" to "client_secret_expires_at" and "issued_at" to "client_id_issued_at" for greater clarity.' in the document history for -11 (full 'management' was in the draft back then). But to me, it doesn't improve clarity. And it seems limiting. But I seem to be in the minority of people that think that or care. And I'm not sure I even care. So I'll drop it. On Fri, Sep 12, 2014 at 8:08 AM, Richer, Justin P. <jricher@mitre.org> wrote: > It used to be simply "expires_at" but after discussion on the list it was > changed to "client_secret_expires_at", since the client's secret is the > most likely part to expire and need to be refreshed. Of course this refresh > makes the most sense if you're implementing the management spec where you > can actually do something other than re-register, but it's still handy for > the client to know that its server-issued credentials won't be good anymore > at a certain point. > > Since the JWKS is provided by the client and not by the server, the > server doesn't really need to tell the client when it expires. > > The parameter is not passed back if there is no client_secret, such as a > public or implicit client. There's text in the security considerations > about expiring those kinds of clients* but after discussion on the list it > was decided that it's too specific to a server policy to try to signal. > Plus, nobody seems to do that today. Client secrets *do* expire in some > setups, but client IDs don't, in my personal experience. > > -- Justin > > > * And I just noticed that this paragraph still mentions the "delete > action", so we need to clean that part up in the next revision. > > On Sep 11, 2014, at 6:19 PM, Brian Campbell <bcampbell@pingidentity.com> > wrote: > > Why does expiration only apply to the client secret[1]? If there's a > need for the AS to set an expiration, isn't it broader than that and apply > to the whole client or the client id? If there's a need to signal an > expiration time on the client secret, doesn't it follow that the client's > JSON Web Key Set (the jwks parameter) might also need to be expired? And > what about strictly implicit clients or other public clients, is there no > case that an AS would want to expire them? > > I realize I've asked this before (more than once) but I've never gotten > an answer. To me, whats in this draft that's on its way to the IESG is > awkward and/or incomplete. > > I believe that either the client_secret_expires_at should be removed from > draft-ietf-oauth-dyn-reg or it should be changed to something that isn't > specific to the client secret - something like client_expires_at or > client_id_expires_at. > > [1] client_secret_expires_at in > https://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-20#section-4.1 > > On Wed, Sep 10, 2014 at 5:50 PM, Hannes Tschofenig < > hannes.tschofenig@gmx.net> wrote: > >> Hi all, >> >> I have just sent the Dynamic Client Registration document to the IESG. >> The final shepherd write-up for the document can be found here: >> http://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg/shepherdwriteup/ >> >> Ciao >> Hannes >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > >
- [OAUTH-WG] client_secret_expires_at redux again (… Brian Campbell
- Re: [OAUTH-WG] client_secret_expires_at redux aga… Richer, Justin P.
- Re: [OAUTH-WG] client_secret_expires_at redux aga… John Bradley
- Re: [OAUTH-WG] client_secret_expires_at redux aga… Brian Campbell