Re: [OAUTH-WG] Review of draft-ietf-oauth-dyn-reg-16
Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 24 April 2014 08:58 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 288831A07ED for <oauth@ietfa.amsl.com>; Thu, 24 Apr 2014 01:58:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.172
X-Spam-Level:
X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.272, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dISgPon0tdSL for <oauth@ietfa.amsl.com>; Thu, 24 Apr 2014 01:58:42 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) by ietfa.amsl.com (Postfix) with ESMTP id A0E351A0125 for <oauth@ietf.org>; Thu, 24 Apr 2014 01:58:42 -0700 (PDT)
Received: from [192.168.131.128] ([80.92.122.106]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0LuJDv-1X5P6z2eUJ-011iuE; Thu, 24 Apr 2014 10:58:34 +0200
Message-ID: <5358D170.1060303@gmx.net>
Date: Thu, 24 Apr 2014 10:55:12 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Justin Richer <jricher@mitre.org>, "oauth@ietf.org" <oauth@ietf.org>
References: <5357BB37.1080803@gmx.net> <5357D4FF.5040800@mitre.org>
In-Reply-To: <5357D4FF.5040800@mitre.org>
X-Enigmail-Version: 1.5.2
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="3GWtv1xukaSUPt84eOpgxdHUth1FjsxJB"
X-Provags-ID: V03:K0:UkHoRZN3WvwFJPhPx9baHbI6hmXYgw/ZTCfj6Ez7V7v0OB01fi+ IBolv6nEwOTf+TQHSVvYXU9AGMpHKfrwXUUd1bsENlyOYXA/57eJPM1jMmWUyVJ7f8oOnF1 PEf53RHlofh/rgkzFfT2rjZbXkEXm9brF1x2bgj3TBOM2LYj2APd7xmb9NVk26X79c8Mq0y 8qJAxgDzoTtrbg9l5d0nw==
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Kub0Pk3RaYgxBzipMzcll0T6vB4
Subject: Re: [OAUTH-WG] Review of draft-ietf-oauth-dyn-reg-16
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Apr 2014 08:58:46 -0000
Hi Justin, thanks for the quick feedback. A few remarks below. >> - Protocol Flow >> >> In Figure 1 you show the client and the developer in the same box. The >> protocol defined in the specification clearly runs between a client and >> client registration endpoint at an authorization server. So, I would >> suggest to put the developer (which is a human) outside the box and to >> draw another box around the client registration endpoint to indicate >> that this is part of the authorization server. > > There are two known modes of deployment for this protocol: either the > client calls the registration endpoint directly and gets its own > client_id and client_secret, or the developer uses some tool (part of > their build process, a software publication process, a self-service > portal) to register the client. While the first use case is the original > driver, several people wanted to make sure that this other use case > wasn't inadvertently written out. Makes sense to me. Maybe you just want to provide that piece of background to the figure. > > >> - Section 2 >> >> What exactly does this sentence mean? >> >> " >> Authorization servers MUST accept all fields in this list. >> " >> >> I believe I cannot mean that the authorization server supports all >> mechanisms. > > All I was trying to say was that the AS isn't allowed to crash if it > sees a field in this list as part of the registration, to give us some > kind of interoperability baseline. I am welcome to re-wording > suggestions. The AS is free to ignore any field that it doesn't like, or > reject a registration for a value that it doesn't like, or replace a > value that it doesn't like with something that it does like and return > that. We enumerate all of those cases separately, so perhaps this > sentence isn't necessary any more. Understood. To clarify the context one could write the following. " Future extensions will extend the list of grant_types, and response_types with new mechanisms. To avoid interoperability problems authorization server MUST ignore values they do not understand. For instance, the [OAuth.Registration.Metadata] specification defines additional client metadata values. A properly implemented authorization server that does not understand any of the metadata values defined in [OAuth.Registration.Metadata] sent by the client would ignore those. " > >> You write: >> >> " >> Client metadata values can either be communicated directly in the >> body of a registration request, as described in Section 4.1, or >> included as claims in a software statement, as described in >> Section 3. If the same client metadata name is present in both >> locations, the value in the software statement SHOULD take >> precedence. >> " >> >> It might be worthwhile to note that the two options exist to allow (a) >> the client to suggest values and (b) to have the organizing issuing the >> software assertion to provide further values. > > It's actually the other way around -- the assertion if present defines a > set of core values for a class of clients and the client suggests values > on its own in the plain JSON. The vast majority of registrations will > use only the JSON object, in my estimation. > >> Regarding the SHOULD in the last sentence I guess it might make more >> sense to just say that it is deployment dependent what policy is used. > > The idea here is that the software statement, if present and trusted, > should really take precedence since it's cryptographically protected and > the plain JSON isn't. Reasonable thought. Maybe turn the SHOULD into a MUST? The challenge with the SHOULD is always to explain when it shouldn't be done. > >> - Section 2.1 >> >> You write: >> >> " >> As such, a server supporting these fields >> SHOULD take steps to ensure that a client cannot register itself into >> an inconsistent state. >> " >> >> Any guidance on how the authorization server would do that? > > Either return an error ("invalid_client_metadata") or replace the values > with sane defaults. Probably the former for most servers. Should we > state this? Might be a useful addition for someone implementing the spec to know what to do. I didn't know what to do when reading that sentence. > >> - Section 3 >> >> I don't understand this sentence: >> >> " >> In some cases, authorization servers MAY choose to accept a software >> statement value directly as a Client ID in an authorization request, >> without a prior dynamic client registration having been performed. >> " >> >> Does this mean that the client id is the software statement or that the >> software statement is embedded in the client id or something else? > > The idea here is that the software statement itself would be the > client_id, but the details of such usage are outside the scope of > dynamic registration (since it's not really registration at that point, > but a stateless client identifier). If the software statement is the client_id then would you only send the software statement but no client_id in the message? > >> - Section 4 >> >> The story around the initial access token is a bit strange. Here is the >> text: >> >> The client registration endpoint MAY be an OAuth 2.0 protected >> resource and accept an initial access token in the form of an OAuth >> 2.0 [RFC6749] access token to limit registration to only previously >> authorized parties. The method by which the initial access token is >> obtained by the registrant is generally out-of-band and is out of >> scope for this specification. The method by which the initial access >> token is verified and validated by the client registration endpoint >> is out of scope for this specification. >> >> >> First, the term 'registrant' is used here for the first time. Then, it >> is outside the scope of how the client got this initial access token. >> Normally for access tokens the client does not have to care about the >> content and does not verify anything but here the last sentence hints to >> the verification (although it is outside the scope of how it is used). > > The client doesn't verify the token, the client registration endpoint > verifies it. It's a vanilla OAuth token. Read that incorrectly. Thanks for the clarification! > >> I am curious whether the software assertion could actually be re-use >> here in case the unauthorized use of the registration by clients is a >> concern!? > > This is exactly what BlueButton+ does: the software statement equivalent > is presented as the initial access token. I personally think that this > makes a lot more sense, but some folks wanted to be able to separate > these two things, so that the authority to register with a server is > differentiable from the fixed registration parameters. Also, you don't > want to define the initial access token to *always* be a software > statement, since it could just represent authorization to call the > registration endpoint with no other strings attached. I would like to see some text (from some of the proponents of this two-token idea) where it would make sense to have these two tokens. Sounds quite complex to me, particularly when there are a lot of "out-of-scope" statements. We don't want to get to a model where the client does not have the client_id configured and then needs to use the dynamic client registration protocol to subsequently require even more information to get registered.... > >> - Section 4.2 >> >> You write: >> >> " >> This client identifier MUST be >> unique at the server and MUST NOT be in use by any other client. >> " >> >> This is a bit unclear given the text you provide in the subsequent >> section, Section 5.1. >> You write: >> >> " >> client_id REQUIRED. Unique client identifier. It MUST NOT be >> currently valid for any other distinct registered client. It MAY >> be the same as the Client ID value used by other instances of this >> client, provided that the Redirection URI values and potentially >> other values dictated by authorization server policy are the same >> for all instances. >> " > > Those are still inconsistent and I'm not positive where we came down on > that issue -- I personally don't like the idea of re-using client_ids > for different instances of the client (I see it causing nothing but > trouble down the line), but there was a push to relax that. Can someone > who wanted this comment on its utility? > >> You write: >> >> " >> If a software statement was used as part of the registration, its >> value SHOULD be returned in the response and its value MUST be >> returned if the authorization server supports registration management >> operations [OAuth.Registration.Management] that would require its >> presence in subsequent operations. >> " >> >> I am not sure I understand that. Are you saying that the software >> assertion is returned in the response from the authorization server to >> the client? Why is that? > > It is effectively part of the client's registration metadata and should > be returned as-is. If the client is going to be doing management, it > needs to be able to post that back to the server again as part of its > update and the server needs to be able to check against it. What we > really don't want is the registration endpoint to generate a new > software statement as part of the registration response. But the client had that data in the first place and so it is a waste of bandwidth to return the same data back to him again (maybe even twice -- once in the software assertion and then separately as meta-data). > >> - References >> >> I believe you should delete the dependency on the registration >> management specification. > > This makes sense if the operations can be completely insular and we > don't need any forward references as to why to do certain things. It > would be easy to build a registration endpoint that precludes any kind > of management/lifecycle API, and we want to avoid that in the design of > the core protocol. I think we've successfully done that, but if it makes > it cleaner to remove the references and just state how to do things, I > don't see why not. > I am just saying it because of the way how the discussions at the last IETF meeting went and creating these dependencies could lead to a problem with progressing this spec. > Thanks for the thorough review. No problem - I am here to help. Ciao Hannes > -- Justin > >> >> Ciao >> Hannes >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Review of draft-ietf-oauth-dyn-reg-16 Hannes Tschofenig
- Re: [OAUTH-WG] Review of draft-ietf-oauth-dyn-reg… Justin Richer
- Re: [OAUTH-WG] Review of draft-ietf-oauth-dyn-reg… Hannes Tschofenig
- Re: [OAUTH-WG] Review of draft-ietf-oauth-dyn-reg… Justin Richer