Re: [OAUTH-WG] review comments on draft-ietf-oauth-dyn-reg-11.txt

Phil Hunt <phil.hunt@oracle.com> Fri, 31 May 2013 16:28 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EFC3121F8FAF for <oauth@ietfa.amsl.com>; Fri, 31 May 2013 09:28:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.58
X-Spam-Level:
X-Spam-Status: No, score=-1.58 tagged_above=-999 required=5 tests=[HTML_MESSAGE=0.001, J_CHICKENPOX_15=0.6, MIME_QP_LONG_LINE=1.819, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vs-w6wqfAc+U for <oauth@ietfa.amsl.com>; Fri, 31 May 2013 09:28:26 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id DC6F521F87CD for <oauth@ietf.org>; Fri, 31 May 2013 09:28:22 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r4VGSJnj018579 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 31 May 2013 16:28:20 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r4VGSKv6000467 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 31 May 2013 16:28:20 GMT
Received: from abhmt114.oracle.com (abhmt114.oracle.com [141.146.116.66]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r4VGSKvR000463; Fri, 31 May 2013 16:28:20 GMT
Received: from [192.168.4.225] (/64.134.196.255) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 31 May 2013 09:28:19 -0700
References: <20130524203638.25945.84709.idtracker@ietfa.amsl.com> <0354062A-DEB8-4272-861B-43DC48887F54@ve7jtb.com> <2E872A80-1B5B-468D-910C-1D6E9DFEFF78@oracle.com> <9F86FCC6-E737-4086-8821-81A94AEC4BE2@oracle.com> <54C61883-4A00-441E-B6DB-2B4156B969F4@ve7jtb.com> <2674C9F9-0C49-4EC3-A69D-20AAC35E8AB8@oracle.com> <2F891558-6DDF-4FFB-B2D3-F1219EB6CFAF@oracle.com> <51A79B69.9090702@mitre.org> <7BB78EA6-B0F4-4A9E-853C-DB978C9DFB0B@oracle.com> <51A7A18F.1040104@mitre.org> <4CCD92A5-0800-4E4C-8952-C8B88E22C811@oracle.com> <51A7ADAE.4070005@mitre.org> <62636DE9-80BD-4B83-817B-3E6622434FD0@oracle.com> <51A7C00B.6050409@mitre.org> <78BAEE23-FB66-4BA5-A1A5-5626D22AA014@oracle.com> <B33BFB58CCC8BE4998958016839DE27E08F97708@IMCMBX01.MITRE.ORG> <18C751E2-31B2-4C7F-BC9A-49F382F96673@oracle.com> <B33BFB58CCC8BE49989! 58016839DE27E08F977D8@IMCMBX01.MITRE.ORG> <77A0DA5E-09CE-4A5E-9500-54A0842252FB@oracle.com> <51A8B9C4.8020200! @mitre.org> <F293690C-1E82-4350-80D4-2E2C0EF86E55@oracle.com> ! <51A8C0ED.6040607@mitre.org>
Mime-Version: 1.0 (1.0)
In-Reply-To: <51A8C0ED.6040607@mitre.org>
Content-Type: multipart/alternative; boundary=Apple-Mail-50F20398-83B0-4D92-A1BC-9A02322DA15E
Content-Transfer-Encoding: 7bit
Message-Id: <87E1F74D-9CCA-4330-82D6-AB3D9B8EF48D@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Fri, 31 May 2013 12:28:18 -0400
To: Justin Richer <jricher@mitre.org>
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] review comments on draft-ietf-oauth-dyn-reg-11.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 May 2013 16:28:32 -0000

I disagree. 

There is absolutely no need for a registration access token. 

Get rid of it and just use access tokens as per 6749. If you can't follow 6749 and need new issuing methods, what are others to say regarding inventing new methods?

I have not heard a good reason for the special process or one good enough to warrant a new method for issuing an access token. Does the broader group realize this is what the spec says?

Yes, i heard a lot saying OIDC does it this way. But that is a political reason, not a technical reason. Still, compatibility is always a strong objective.  Even so, oidc could keep using their method just fine. There is no obligation here to do the same. 

The only reason so far was expiry of client creds. Well, why not require the client to update prior to expiry? It makes no sense to have another token with longer expiry. B'sides, even expired the client can re-register from scratch. 

Why force the client to persist multiple tokens and creds? That is far far too complex. 

Finally if you get rid of registration access token the spec size will drop roughly in half IMO. This suggests simplicity to me. 

Apologies for my rant. Maybe we should park this for now. We are going in circles. 

Phil

On 2013-05-31, at 11:25, Justin Richer <jricher@mitre.org> wrote:

> Phil,
> 
> We *can* keep it straight just fine, but I just need you to be clear about which part you're objecting to because the answers are different. Please use the terms as defined in the document so that we all know which component we're talking about. I'm sure you'd agree than in specification work such as this, precision of language and labels is key for communication between parties. This is precisely why there's a Terminology section right up front, so that when I say "Registration Access Token" you can know that I mean a very specific thing, and when I say "Initial Registration Token" I mean a very different specific thing. So I'm asking you, please, use the defined terms so that we can avoid this unnecessary confusion.
> 
> But anyway, what you're talking about below, "the token the client uses to update is profile" *IS* the Registration Access Token. That's all that that token is used for. You're not asking for it to go away, you're asking for it to come from the Token Endpoint instead of the response from the Registration Endpoint. I don't see how the client *can* get it from the normal token process without jumping through specialized hoops to make that happen. I've implemented the draft the way that it is right now, both client and server side, and it works. Others have implemented it, too. We've done interop testing, and it works. This is a proven pattern and from where I sit there is both rough consensus and running code.
> 
> I believe that I've already pointed out how the solutions you've proposed so far won't work in practice, for various reasons, many of which have already been brought up and discussed previously. If you have another way for the client to get its Registration Access Token, please propose it; but I haven't seen anything yet that will fly.
> 
>  -- Justin
> 
> On 05/31/2013 11:10 AM, Phil Hunt wrote:
>> Justin,
>> 
>> This is my primary objection! We can't keep it straight. Their should be no such thing as a registrstion access token!  Just the token the client obtains to update its profile through the normal token request process. 
>> 
>> Phil
>> 
>> On 2013-05-31, at 10:55, Justin Richer <jricher@mitre.org> wrote:
>> 
>>> Which token are you referring to here?
>>> 
>>> If it's the Initial Registration Token, then you could get that through the normal token server no problem. (The lifecycle writeups don't call this out explicitly but I would be willing to do so.) Or you could get it elsewhere. Doesn't matter, just like it doesn't matter with any other OAuth2 protected resource.
>>> 
>>> If it's the Registration Access Token, then having the token come from the token endpoint would require a lot more work and complexity on behalf of both of the client and server. Either you end up with public clients getting secrets they shouldn't need or with granting clients access to the client_credentials flow when they shouldn't actually have it. Plus it adds extra round trips which don't buy you anything.
>>> 
>>>  -- Justin
>>> 
>>> On 05/31/2013 10:15 AM, Phil Hunt             wrote:
>>>> The preference is to have the access token for registration issued by the normal token server rather then by the registration endpoint. 
>>>> 
>>>> In the current draft it is obtained through a unique process and must outlive the client. 
>>>> 
>>>> Phil
>>>> 
>>>> On 2013-05-30, at 19:47, "Richer, Justin P." <jricher@mitre.org> wrote:
>>>> 
>>>>> I don't understand any of the comments below -- it already *is* an OAuth2 protected resource without any special handling. Your access tokens can be short-lived, long-lived,                   federated, structured, random blobs ... totally doesn't matter. They are access tokens being used to access a normal protected resource. Full stop.
>>>>> 
>>>>> Anything else is out of scope. The lifecycle discussions at the beginning are merely examples of some ways you *could* use it and are non-normative and non-exhaustive.
>>>>> 
>>>>> You seem to be asking for something that's already in the draft.
>>>>> 
>>>>>  -- Justin
>>>>> 
>>>>> From: Phil Hunt [phil.hunt@oracle.com]
>>>>> Sent: Thursday, May 30, 2013 7:31 PM
>>>>> To: Richer, Justin P.
>>>>> Cc: John Bradley; oauth@ietf.org WG
>>>>> Subject: Re: [OAUTH-WG] review comments on draft-ietf-oauth-dyn-reg-11.txt
>>>>> 
>>>>> 
>>>>> 
>>>>> Phil
>>>>> 
>>>>> On 2013-05-30, at 16:11, "Richer, Justin P." <jricher@mitre.org> wrote:
>>>>> 
>>>>>> Comments inline, marked by [JR].
>>>>>> 
>>>>>> From: Phil Hunt [phil.hunt@oracle.com]
>>>>>> Sent: Thursday, May 30, 2013 5:25 PM
>>>>>> To: Richer, Justin P.
>>>>>> Cc: John Bradley; oauth@ietf.org WG
>>>>>> Subject: Re: [OAUTH-WG] review comments on draft-ietf-oauth-dyn-reg-11.txt
>>>>>> 
>>>>>> See below.
>>>>>> Phil
>>>>>> 
>>>>>> @independentid
>>>>>> www.independentid.com
>>>>>> phil.hunt@oracle.com
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On 2013-05-30, at 2:09 PM, Justin Richer wrote:
>>>>>> 
>>>>>>> OK, I think see part of the hang up. I have not seen the scenario that you describe, where you trade a 3rd                                       party token for a "local" token. I have seen where access tokens are federated directly at the PR. (Introspection lets you do some good things with that pattern.)