Re: [OAUTH-WG] OAuth Discovery metadata values added for revocation, introspection, and PKCE

Justin Richer <jricher@mit.edu> Sun, 31 January 2016 18:51 UTC

From: Justin Richer <jricher@mit.edu>
In-Reply-To: <56AE349F.6040103@lodderstedt.net>
Date: Sun, 31 Jan 2016 13:51:20 -0500
Message-Id: <46E8C558-F030-4049-86E1-D0A61FCA3A10@mit.edu>
References: <BY2PR03MB442C39923E8F9D96F5975B0F5DA0@BY2PR03MB442.namprd03.prod.outlook.com> <56ADFA72.5090407@lodderstedt.net> <56AE105B.9080101@mit.edu> <56AE349F.6040103@lodderstedt.net>
To: Torsten Lodderstadt <torsten@lodderstedt.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/JzPULaafNiwK1yGffFfL6qVVQo8>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth Discovery metadata values added for revocation, introspection, and PKCE

Both RFC7009 and RFC7662 just say that the client/protected resource authenticate just like they would at the token endpoint, punting to RFC6749 on how that happens. Since that’s extensible, and has been extended, that’s what we’re going on.

It’s an unfortunate case where the actual definition is now spread across several documents over time. I’d honestly feel bad for someone writing an OAuth2 server from scratch without a guide.

 — Justin

> On Jan 31, 2016, at 11:21 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> 
> sounds reasonable - but is not covered by the current RFC, which would be the pre-requisite for interop. That's what I wanted to point out. 
> 
> kind regards,
> Torsten.
> 
> Am 31.01.2016 um 14:47 schrieb Justin Richer:
>> It would be for client authentication to the revocation endpoint, if the client were to use client_secret_jwt or private_key_jwt methods to authenticate. Our implementation actually allows this, but we don't let clients choose more than one authentication method across three endpoints (token, revocation, and introspection). 
>> 
>> A value we might want to add for revocation and introspection is "bearer_token", since it makes sense in both cases to give a client an access token to call these endpoints as opposed to credentials. This would need to be added to the token endpoint authentication methods registry.
>> 
>>  -- Justin
>> 
>> On 1/31/2016 7:13 AM, Torsten Lodderstedt wrote:
>>> Hi Mike,
>>> 
>>> the current revocation RFC does not support request signing. So what is the intention of revocation_endpoint_auth_signing_alg_values_supported?
>>> 
>>> best regards,
>>> Torsten.
>>> 
>>> Am 28.01.2016 um 20:27 schrieb Mike Jones:
>>>> The OAuth Discovery specification has been updated to add metadata values for revocation <http://tools.ietf.org/html/rfc7009>, introspection <http://tools.ietf.org/html/rfc7662>, and PKCE <http://tools.ietf.org/html/rfc7636>.  Changes were:
>>>> - Added “revocation_endpoint_auth_methods_supported” and “revocation_endpoint_auth_signing_alg_values_supported” for the revocation endpoint.
>>>> - Added “introspection_endpoint_auth_methods_supported” and “introspection_endpoint_auth_signing_alg_values_supported” for the introspection endpoint.
>>>> - Added “code_challenge_methods_supported” for PKCE.
>>>>
>>>> The specification is available at:
>>>> - http://tools.ietf.org/html/draft-jones-oauth-discovery-01
>>>>
>>>> An HTML-formatted version is also available at:
>>>> - http://self-issued.info/docs/draft-jones-oauth-discovery-01.html
>>>>
>>>> -- Mike
>>>>
>>>> P.S. This note was also published at http://self-issued.info/?p=1531 and as @selfissued <https://twitter.com/selfissued>.
>>>>
>>>> 
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
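As an added example (not code from the thread, the draft, or anyone's implementation), a small Python checker for the metadata values Mike lists: it applies Justin's point that the `*_endpoint_auth_signing_alg_values_supported` entry only has meaning when `client_secret_jwt` or `private_key_jwt` is offered, flags an auth method not in the registry (such as the `bearer_token` value he floats), and checks the PKCE list for S256, which RFC 7636 makes mandatory to implement on the server. The registry contents are taken as of the thread's date and the sample metadata is constructed; both are assumptions.

```python
import json

# Assumption: the IANA token endpoint authentication methods registry as of
# the thread's date; "bearer_token" is deliberately not among these values.
REGISTERED_AUTH_METHODS = {
    "none", "client_secret_post", "client_secret_basic",
    "client_secret_jwt", "private_key_jwt",
}
# Only these methods carry a signed JWT, so only they give the
# *_endpoint_auth_signing_alg_values_supported entry a meaning.
JWT_AUTH_METHODS = {"client_secret_jwt", "private_key_jwt"}

def check_endpoint_auth(meta, prefix):
    """Findings for <prefix>_endpoint_auth_* ("revocation" or "introspection")."""
    findings = []
    methods = set(meta.get(f"{prefix}_endpoint_auth_methods_supported", []))
    algs = meta.get(f"{prefix}_endpoint_auth_signing_alg_values_supported")
    for m in sorted(methods - REGISTERED_AUTH_METHODS):
        findings.append(f"{prefix}: auth method '{m}' is not a registered value")
    if algs and not (methods & JWT_AUTH_METHODS):
        findings.append(f"{prefix}: signing algs advertised but neither "
                        "client_secret_jwt nor private_key_jwt is offered")
    return findings

def check_pkce(meta):
    """RFC 7636 makes S256 mandatory to implement on the server."""
    methods = meta.get("code_challenge_methods_supported")
    if methods is not None and "S256" not in methods:
        return ["pkce: code_challenge_methods_supported lacks S256"]
    return []

def check_discovery(doc):
    """Parse an AS metadata JSON document and return a list of findings."""
    meta = json.loads(doc)
    findings = []
    for prefix in ("revocation", "introspection"):
        findings += check_endpoint_auth(meta, prefix)
    return findings + check_pkce(meta)

# Constructed sample metadata (not from any real server).
SAMPLE = json.dumps({
    "revocation_endpoint_auth_methods_supported": ["client_secret_basic"],
    "revocation_endpoint_auth_signing_alg_values_supported": ["RS256"],
    "introspection_endpoint_auth_methods_supported": ["private_key_jwt", "bearer_token"],
    "introspection_endpoint_auth_signing_alg_values_supported": ["RS256"],
    "code_challenge_methods_supported": ["plain"],
})
```

Running `check_discovery(SAMPLE)` yields three findings: a signing-alg list with no JWT auth method on the revocation endpoint, the unregistered `bearer_token` method on the introspection endpoint, and a PKCE list without S256.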