IETF Logo Mail Archive

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

Anthony Nadalin <tonynad@microsoft.com> Fri, 11 March 2016 16:01 UTC

Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAB8D12D777 for <oauth@ietfa.amsl.com>; Fri, 11 Mar 2016 08:01:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.013
X-Spam-Level:
X-Spam-Status: No, score=-0.013 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PGawf6l6dTnB for <oauth@ietfa.amsl.com>; Fri, 11 Mar 2016 08:01:34 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0125.outbound.protection.outlook.com [65.55.169.125]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A92C812D71B for <oauth@ietf.org>; Fri, 11 Mar 2016 08:01:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Un2+yrCyhXvh6eTsjOclZtrfgjaoEIoA2qZi2nKUxCM=; b=ePWdlIsHDyZl+ovMCiGRZn7W0vRXavsbQEvIm/9ng+v5eY9PsY3Apu4p2aiNcN33hiY7ty4wBsyE9cdKyrSYXKaYV5xLawig6Sf7Gcrwz8jIKCzLsfS1gG9r+z7VXSwCS169sMyb2ChSedQDHZS6OTusnNbXqO/SYg+FQUz+f8A=
Received: from BN3PR0301MB1234.namprd03.prod.outlook.com (10.161.207.22) by BN3PR0301MB1235.namprd03.prod.outlook.com (10.161.207.23) with Microsoft SMTP Server (TLS) id 15.1.434.16; Fri, 11 Mar 2016 16:01:31 +0000
Received: from BN3PR0301MB1234.namprd03.prod.outlook.com ([10.161.207.22]) by BN3PR0301MB1234.namprd03.prod.outlook.com ([10.161.207.22]) with mapi id 15.01.0427.020; Fri, 11 Mar 2016 16:01:31 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: "Phil Hunt (IDM)" <phil.hunt@oracle.com>, Vladimir Dzhuvinov <vladimir@connect2id.com>
Thread-Topic: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery
Thread-Index: AQHRalH06DIAQfC9O0686lpsTuUfK59Sxh0AgAAqNQCAAAiJgIAAEaoAgAF+WvA=
Date: Fri, 11 Mar 2016 16:01:31 +0000
Message-ID: <BN3PR0301MB1234677D30C6A37A8DF95004A6B50@BN3PR0301MB1234.namprd03.prod.outlook.com>
References: <56C5C9D5.6040703@gmx.net> <D5D8B85B-68E6-4E88-89F7-88E6851381E4@adm.umu.se> <CA+k3eCQOX6DgiJFp4b0A8R0boVQxVwGJP2-dY8_TbrCpJowOtw@mail.gmail.com> <56E19B6D.6060509@connect2id.com> <64D743EA-3F8D-403B-B05E-74539124A847@oracle.com>
In-Reply-To: <64D743EA-3F8D-403B-B05E-74539124A847@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: oracle.com; dkim=none (message not signed) header.d=none;oracle.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:4::9b]
x-ms-office365-filtering-correlation-id: 34f81fd0-e51b-4def-28b4-08d349c669ec
x-microsoft-exchange-diagnostics: 1; BN3PR0301MB1235; 5:iwLVAhXp8mYpRN7RBj2DlW+CQNhbesVRYmosf2n1pvxkfYjaw5wGsdwnHJhz3TXvV1S/erbEWzMdmTpDcJ/gDEJYuQyt4JnnMbEtO1HzC9SFk81F9e+hRgYjMj0kNQiunDikUE/tdFoFxCb5JVEmsQ==; 24:D+4ZuHqQireEybHbYgTOU8MNYAxXJ1cDTS4PspBD1XvdfoK/8GWgXldzcZoBg90Fd8l5vSleaaIPbSX57NZzaF6T4gggLMqfhEiKUNq1bzE=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BN3PR0301MB1235;
x-microsoft-antispam-prvs: <BN3PR0301MB123540E886D86708A515EE7FA6B50@BN3PR0301MB1235.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(61426038)(61427038); SRVR:BN3PR0301MB1235; BCL:0; PCL:0; RULEID:; SRVR:BN3PR0301MB1235;
x-forefront-prvs: 087894CD3C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(979002)(24454002)(377454003)(53754006)(479174004)(77096005)(15975445007)(5001770100001)(586003)(86362001)(6116002)(790700001)(74316001)(5008740100001)(92566002)(86612001)(102836003)(10090500001)(3280700002)(5003600100002)(10290500002)(3660700001)(189998001)(8990500004)(4326007)(2906002)(5002640100001)(5005710100001)(2900100001)(2950100001)(10400500002)(76576001)(122556002)(19609705001)(19617315012)(81166005)(93886004)(16236675004)(19300405004)(19625215002)(19580405001)(87936001)(5004730100002)(33656002)(76176999)(1220700001)(50986999)(54356999)(19580395003)(106116001)(99286002)(1096002)(11100500001)(3826002)(42262002)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0301MB1235; H:BN3PR0301MB1234.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BN3PR0301MB1234677D30C6A37A8DF95004A6B50BN3PR0301MB1234_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Mar 2016 16:01:31.6308 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR0301MB1235
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/K1r9wobnCRtBPRlu28b68FZViWY>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Mar 2016 16:01:37 -0000

There have been way too many issues, confused conversations and discussions on and off list to have this document move forward, suggest that this be one of the main items on the agenda for when we meet.

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Phil Hunt (IDM)
Sent: Thursday, March 10, 2016 9:09 AM
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

I strongly oppose. 2 major issues.

This is not service discovery this is configuration lookup. The client must have already discovered the oauth issuer uri and the resource uri.

The objective was to provide a method to ensure the client has a valid set of endpoints to prevent mitm of endpoints like the token endpoint to the resource server.

The draft does not address the issue of a client being given a bad endpoint for an rs. What we end up with is a promiscuous authz service giving out tokens to an unwitting client.

Phil

On Mar 10, 2016, at 08:06, Vladimir Dzhuvinov <vladimir@connect2id.com<mailto:vladimir@connect2id.com>> wrote:
+1 to move forward with these
On 10/03/16 17:35, Brian Campbell wrote:

+1



On Thu, Mar 10, 2016 at 6:04 AM, Roland Hedberg <roland.hedberg@umu.se><mailto:roland.hedberg@umu.se>

wrote:



I support this document being moved forward with these two changes:



- change name to “OAuth 2.0 Authorization Server Discovery Metadata” as

proposed by Brian and

- use the URI path suffix ’oauth-authorization-server’ instead of

’openid-configuration’ as proposed by Justin.



18 feb 2016 kl. 14:40 skrev Hannes Tschofenig <hannes.tschofenig@gmx.net<mailto:hannes.tschofenig@gmx.net>

:



Hi all,



This is a Last Call for comments on the  OAuth 2.0 Discovery

specification:

https://tools.ietf.org/html/draft-ietf-oauth-discovery-01<https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-ietf-oauth-discovery-01&data=01%7c01%7ctonynad%40microsoft.com%7caeeff0cf0b5d44d8ade808d349073b5d%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=CdkVvfNBrMho0Fhfri9J3WXztcjcW2jIPI7yv%2f7hf6A%3d>



Since this document was only adopted recently we are running this last

call for **3 weeks**.



Please have your comments in no later than March 10th.



Ciao

Hannes & Derek



_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth<https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&data=01%7c01%7ctonynad%40microsoft.com%7caeeff0cf0b5d44d8ade808d349073b5d%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=um6A5NXgypvNEdAGBEatm1sKhG7yiOEfsDAgWvgjjC4%3d>

— Roland



”Everybody should be quiet near a little stream and listen."

From ’Open House for Butterflies’ by Ruth Krauss





_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth<https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&data=01%7c01%7ctonynad%40microsoft.com%7caeeff0cf0b5d44d8ade808d349073b5d%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=um6A5NXgypvNEdAGBEatm1sKhG7yiOEfsDAgWvgjjC4%3d>








_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth<https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&data=01%7c01%7ctonynad%40microsoft.com%7caeeff0cf0b5d44d8ade808d349073b5d%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=um6A5NXgypvNEdAGBEatm1sKhG7yiOEfsDAgWvgjjC4%3d>

v2.23.0 | Report a Bug | By Email