IETF Logo Mail Archive

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details

Justin Richer <jricher@mitre.org> Wed, 28 August 2013 16:41 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC33421F9E6A for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:41:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.494
X-Spam-Level:
X-Spam-Status: No, score=-6.494 tagged_above=-999 required=5 tests=[AWL=0.105, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bHbjyJkXpM9l for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:41:35 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 2B8FA21F9B94 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:41:35 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id C52AD1F072D; Wed, 28 Aug 2013 12:41:34 -0400 (EDT)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id AE2CC1F02CD; Wed, 28 Aug 2013 12:41:34 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.2.342.3; Wed, 28 Aug 2013 12:41:34 -0400
Message-ID: <521E2834.4010102@mitre.org>
Date: Wed, 28 Aug 2013 12:41:24 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Sergey Beryozkin <sberyozkin@gmail.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2353.2030904@aol.com> <23dda71eaefa47fb848fd2d6e4cd7499@BY2PR03MB189.namprd03.prod.outlook.com> <521E2657.1060506@aol.com> <521E276F.3010804@gmail.com>
In-Reply-To: <521E276F.3010804@gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Originating-IP: [129.83.31.56]
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:41:39 -0000

Yes, that already works. And you could accomplish that with the current 
dynamic registration spec, too -- it's just that client assertions were 
deemed too-underspecified to include in the base draft, and nobody's 
stepped up to offer a full writeup and extension of using other auth 
mechanisms (outside of OpenID Connect).

  -- Justin

On 08/28/2013 12:38 PM, Sergey Beryozkin wrote:
> On 28/08/13 17:33, George Fletcher wrote:
>> So I understand that you'd rather that OAuth doesn't require a
>> client_secret and that's fine. However, I don't think we should impose
>> that thinking on the rest of the world who have already implemented it
>> and have it working and scaling without issues. If the core of this
>> discussion is around replacing client_id and client_secret with a
>> client_assertion then lets have that discussion separately and not bury
>> it in the dynamic registration discussion.
>>
>> Could you not profile OAuth2 to support a flow that allows for retrieval
>> of access and refresh tokens using code + client_assertion? Doesn't seem
>> like that hard a profile and then the rest of this could fall out pretty
>> easily.
>>
> That is already supported AFAIK, something like
>
> grant_type=authorization_code
> &code=12345678
> &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer 
>
> &client_assertion=Base64UrlEncoded-SAML2-Bearer-Assertion
>
> probably the same works with JWT
>
> Sergey
>
>
>> Thanks,
>> George
>>
>> On 8/28/13 12:28 PM, Anthony Nadalin wrote:
>>>
>>> I do think that this is the rare-edge use case, we would not want
>>> require client-secret, we already have that mess today with OAuth and
>>> trying not to continue the proliferation, we solve this today with our
>>> STS and assertion swaps/transformations, it scales, performs and we
>>> don’t have the management debacle this specification creates
>>>
>>> *From:*oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On
>>> Behalf Of *George Fletcher
>>> *Sent:* Wednesday, August 28, 2013 9:21 AM
>>> *To:* Phil Hunt
>>> *Cc:* oauth mailing list
>>> *Subject:* Re: [OAUTH-WG] Dynamic Client Registration Conference Call:
>>> Wed 28 Aug, 2pm PDT: Conference Bridge Details
>>>
>>> On 8/28/13 12:02 PM, Phil Hunt wrote:
>>>
>>>     Please define the all in one case. I think this is the edge case 
>>> and is in fact rare.
>>>
>>>
>>>
>>>     I agree, in many cases step 1 can be made by simply approving a 
>>> class of software. But then step 2 is simplified.
>>>
>>>
>>>
>>>     Dyn reg assumes every registration of an instance is unique 
>>> which too me is a very extreme
>>>
>>> If you have a mobile app that needs to do the code flow... which
>>> requires a client_secret in order to retrieve the access token and
>>> refresh token, how does the app do this without per app instance
>>> registration?
>>>
>>> I'd argue that almost all user facing mobile apps will want the above
>>> flow and that's not a small, rare edge case.
>>>
>>> Thanks,
>>> George
>>>
>>>     position.
>>>
>>>
>>>
>>>     Phil
>>>
>>>
>>>
>>>     On 2013-08-28, at 8:41, Justin Richer<jricher@mitre.org> 
>>> <mailto:jricher@mitre.org>  wrote:
>>>
>>>
>>>
>>>         Except for the cases where you want step 1 to happen in 
>>> band. To me, that is a vitally and fundamentally important use case 
>>> that we can't disregard, and we must have a solution that can 
>>> accommodate that. The notions of "publisher" and "product" fade very 
>>> quickly once you get outside of the software vendor world.
>>>
>>>
>>>
>>>         This is, of course, not to stand in the way of other 
>>> solutions or approaches (such as something assertion based like 
>>> you're after). It's not a one-or-the-other proposition, especially 
>>> when there are mutually exclusive aspects of each.
>>>
>>>
>>>
>>>         Therefore I once again call for the WG to finish the current 
>>> dynamic registration spec *AND* pursue the assertion based process 
>>> that Phil's talking about. They're not mutually exclusive, let's 
>>> please stop talking about them like they are.
>>>
>>>
>>>
>>>         -- Justin
>>>
>>>
>>>
>>>         On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>>
>>>             Sorry. I meant also to say i think there are 2 
>>> registration steps
>>>
>>>             1. Software registration/approval. This often happens 
>>> out of band. But in this step policy is defined that approves 
>>> software for use. Many of the reg params are known here.
>>>
>>>
>>>
>>>             Federation techniques come into play as trust approvals 
>>> can be based on developer, product or even publisher.
>>>
>>>
>>>
>>>             2. Each instance associates in a stateless way. Only 
>>> clients that need credential rotation need more.
>>>
>>>
>>>
>>>             Phil
>>>
>>>
>>>
>>>             On 2013-08-28, at 8:04, Phil Hunt<phil.hunt@oracle.com> 
>>> <mailto:phil.hunt@oracle.com>  wrote:
>>>
>>>
>>>
>>>                 I have a conflict I cannot get out of for 2pacific.
>>>
>>>
>>>
>>>                 I think a certificate based approach is going to 
>>> simplify exchanges in all cases. I encourage the group to explore 
>>> the concept on the call.
>>>
>>>
>>>
>>>                 I am not sure breaking dyn reg up helps. It creates 
>>> yet another option. I would like to explore how federation concept 
>>> in software statements can help with facilitating association and 
>>> making many reg stateless.
>>>
>>>
>>>
>>>                 Phil
>>>
>>>
>>>
>>>                 On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - 
>>> FI/Espoo)"<hannes.tschofenig@nsn.com> 
>>> <mailto:hannes.tschofenig@nsn.com>  wrote:
>>>
>>>
>>>
>>>                     Here are the conference bridge / Webex details 
>>> for the call today.
>>>
>>>                     We are going to complete the use case 
>>> discussions from last time (Phil wasn't able to walk through all 
>>> slides). Justin was also able to work out a strawman proposal based 
>>> on the discussions last week and we will have a look at it to see 
>>> whether this is a suitable compromise. Here is Justin's mail, in 
>>> case you have missed 
>>> it:http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>
>>>
>>>
>>>                     Phil, please feel free to make adjustments to 
>>> your slides given the Justin's recent proposal.
>>>
>>>
>>>
>>>                     Topic: OAuth Dynamic Client Registration
>>>
>>>                     Date: Wednesday, August 28, 2013
>>>
>>>                     Time: 2:00 pm, Pacific Daylight Time (San 
>>> Francisco, GMT-07:00)
>>>
>>>                     Meeting Number: 703 230 586
>>>
>>>                     Meeting Password: oauth
>>>
>>>
>>>
>>> -------------------------------------------------------
>>>
>>>                     To join the online meeting
>>>
>>> -------------------------------------------------------
>>>
>>>                     1. Go 
>>> tohttps://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>
>>>                     2. Enter your name and email address.
>>>
>>>                     3. Enter the meeting password: oauth
>>>
>>>                     4. Click "Join Now".
>>>
>>>
>>>
>>>                     To view in other time zones or languages, please 
>>> click the link:
>>>
>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>
>>>
>>>
>>>                     To add this meeting to your calendar program 
>>> (for example Microsoft Outlook), click this link:
>>>
>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>
>>>
>>>
>>> -------------------------------------------------------
>>>
>>>                     To join the teleconference only
>>>
>>> -------------------------------------------------------
>>>
>>>                     Global dial-in 
>>> Numbers:http://www.nokiasiemensnetworks.com/nvc
>>>
>>>                     Conference Code: 944 910 5485
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>>
>>>                     OAuth mailing list
>>>
>>>                     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> _______________________________________________
>>>
>>>                 OAuth mailing list
>>>
>>>                 OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>>
>>>                 https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>             _______________________________________________
>>>
>>>             OAuth mailing list
>>>
>>>             OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>>
>>>             https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>>>     _______________________________________________
>>>
>>>     OAuth mailing list
>>>
>>>     OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>>
>>>     https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>>>
>>>
>>> -- 
>>> George Fletcher <http://connect.me/gffletch>
>>>
>>
>> -- 
>> George Fletcher <http://connect.me/gffletch>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
>

v2.30.2 | Report a Bug | By Email | System Status