Re: [OAUTH-WG] Adam Roach's Discuss on draft-ietf-oauth-discovery-08: (with DISCUSS and COMMENT)
John Bradley <ve7jtb@ve7jtb.com> Wed, 24 January 2018 20:07 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A204012895E for <oauth@ietfa.amsl.com>; Wed, 24 Jan 2018 12:07:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.34
X-Spam-Level:
X-Spam-Status: No, score=-2.34 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UO6OIz5pS01b for <oauth@ietfa.amsl.com>; Wed, 24 Jan 2018 12:07:29 -0800 (PST)
Received: from mail-wm0-x234.google.com (mail-wm0-x234.google.com [IPv6:2a00:1450:400c:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8DE2128896 for <oauth@ietf.org>; Wed, 24 Jan 2018 12:07:28 -0800 (PST)
Received: by mail-wm0-x234.google.com with SMTP id r71so10735531wmd.1 for <oauth@ietf.org>; Wed, 24 Jan 2018 12:07:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=UmREG2iW0y+PQihWJZQ9t5itcEB4egXavnvKbbC0EpU=; b=n6aqimZbmWoehuIWoNcup9WMJlekAWzBQ7WNIcxpKAJ+F4H5qOjvYzUoXak3v7gdRg y5XQ+CtyhbKAmtIH7efMgA9AAtSt4bN5VXxKYqxCUkbi6CdcPV9uxEswXu+mftKQL1h8 2YrQsrCn8eMgy+sQSPK5qEhKSY2rrPtylDygVwRuozkh8OPR6clnbanaNAgrONy0O6+b BFAruswVPSYKT1E1SSYgUoYNBT62UE2xJxK9u7iBmcSECpHoSi1j7Y1BYS62X0C1hIXw TfEuSri4NkoOFTDcxpHrT9asJ8kvDTriu4e+7AVcE0ZGq3Jajriy7LG2xgWBX48xhNN/ RbYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=UmREG2iW0y+PQihWJZQ9t5itcEB4egXavnvKbbC0EpU=; b=p5Y5CiwIxSEW+9TSBHnaPauklKIbM/wQe7b5fEdgUA35xZIpRLokj0wIqiBzL4GI7E uYiSo8QSZOxYSu0LAJojHynFU3RmEd5OghbTOZRAjcSo5WxChHuJ+kWNwSQq2KFeMLa+ d2X2sOMWBLFyNDiJP20D7NwLcrbPQ7ZsIhm3KqE/85lYTu741WOuhF79iHGjEutTSjFo OZcpvGz0D++ngevUdhJjIIEH6T5yvL34OMgEOIncS4QfDysUnjBi5Y6vobDnpzJbKK1Y uHB0WC6w4GcvKURDBH0OcAHskC75uxXXD9+CrV8a9EqyWeXF9guQslNz/asuUW0LBKsD pmJg==
X-Gm-Message-State: AKwxyteQ2ZkICqA1krComnBcuC328Dw2FE3Obha0pfodOwKCnSSjf3dS 8XOxpndeAWijN8NeF37UMauhcPhSN9Q++LENjHdOlQ==
X-Google-Smtp-Source: AH8x226QRu4ioRy3b++Z9nfyEqxqtEKsyEbqem74Yhl0JXEi2b4SfWYLZ09wCfqlzktfDjKu3nlQe6UvYjTDRvyC7ZA=
X-Received: by 10.28.247.11 with SMTP id v11mr6248366wmh.27.1516824446488; Wed, 24 Jan 2018 12:07:26 -0800 (PST)
MIME-Version: 1.0
Received: by 10.28.191.140 with HTTP; Wed, 24 Jan 2018 12:07:25 -0800 (PST)
Received: by 10.28.191.140 with HTTP; Wed, 24 Jan 2018 12:07:25 -0800 (PST)
In-Reply-To: <c0295c9d-2606-1fca-d22c-52eed94fba1e@nostrum.com>
References: <151667531481.29516.15285531314696206411.idtracker@ietfa.amsl.com> <SN6PR2101MB0943BC380296B9DBD12E4EF1F5E20@SN6PR2101MB0943.namprd21.prod.outlook.com> <c0295c9d-2606-1fca-d22c-52eed94fba1e@nostrum.com>
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Wed, 24 Jan 2018 17:07:25 -0300
Message-ID: <CAANoGhKCTvtdDNZk5Y1+E+U557k+GbYa1_TP=p5aJQEDk2NKdQ@mail.gmail.com>
To: Adam Roach <adam@nostrum.com>
Cc: Michael Jones <Michael.Jones@microsoft.com>, IESG <iesg@ietf.org>, "Hannes.Tschofenig@gmx.net" <Hannes.Tschofenig@gmx.net>, "draft-ietf-oauth-discovery@ietf.org" <draft-ietf-oauth-discovery@ietf.org>, "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="089e0827e9fc51e87005638b36ba"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KzTjENZhklnkIMvaJBbe5TFsZoc>
Subject: Re: [OAUTH-WG] Adam Roach's Discuss on draft-ietf-oauth-discovery-08: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jan 2018 20:07:33 -0000
It seems that I was smarter 5 years ago:) We went with the easier construction for developers in the end. That may not have been the best choice in retrospect. Mike and I are discussing with the other authors how we can address this while minimising developer confusion, given that a large number of implementations use the existing construction. John B. On Jan 23, 2018 6:14 PM, "Adam Roach" <adam@nostrum.com> wrote: > On 1/23/18 6:21 PM, Mike Jones wrote: > >> ---------------------------------------------------------------------- >> DISCUSS: >> ---------------------------------------------------------------------- >> >> Thanks to everyone who worked on this specification. I think it's >> well-written, clear, and useful. I fully endorse publication, and intend to >> ballot "yes" once we come to an agreement on the issue I describe below. >> >> The problem I'm running into is the URL synthesis rules described in >> section >> 3.1 for multi-tenancy engage in exactly the kind of behavior that RFC >> 5785 was designed to head off: it creates URLs all over the path space of >> the authority, rather than coralling all synthesized URLs to live under >> only one top-level directory. One of the key aspects of the principles of >> the web architecture is URI opacity <https://www.w3.org/TR/webarch >> /#uri-opacity>, which generally precludes clients from synthesizing >> URLs. RFC 5785 was intended as a very limited carve-out to the principle of >> URI opacity, and was carefully limited to a single top-level path element. >> This specification oversteps that carve-out by exploding the location that >> "Well-Known" synthesized URLs can appear: it literally increases it from >> one location (the root) to infinite locations (at the end of any arbitrary >> path). >> >> Fortunately, this defect is trivial to fix. Rather than placing >> .well-known path components *after* the path identified by an issuer >> identifier, you place them *before* it, which amends this document's usage >> to be within the spirit intended by RFC 5785. For example, the example in >> section 3.1: >> >> GET /issuer1/.well-known/oauth-authorization-server HTTP/1.1 >> Host: example.com >> >> Would instead become: >> >> GET /.well-known/oauth-authorization-server/issuer1 HTTP/1.1 >> Host: example.com >> >> Mike> Interesting suggestion. I would agree with your suggestion if we >> were designing this from scratch. >> >> The problem is that this specification is based the much older and widely >> deployed specification "OpenID Connect Discovery 1.0" >> https://openid.net/specs/openid-connect-discovery-1_0.html, where these >> semantics are defined in the second paragraph of >> https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig. >> This OAuth spec removes the OpenID-specific parts of this discovery spec >> and keeps the rest, while remaining compatible with it by design. As >> discussed with Mark Nottingham during the IANA registration process for the >> .well-known URI (which he approved), this specification writes down what is >> already industry practice for publishing OAuth metadata - which subsets the >> OpenID Connect metadata to use only the OAuth-specific parts. >> >> The behavior of concatenating the .well-known suffix to the issuer path >> is hard-coded into at an absolute minimum, the eleven client libraries >> listed in the "RP Config" column of http://openid.net/certification/#RPs. >> In truth, it's hard-coded into essentially every OAuth client library that >> uses metadata to configure the OAuth client software and all the OAuth >> servers that support multiple tenants. These could number in the hundreds. >> >> An example showing a production deployment of the current method is >> https://login.microsoftonline.com/5608b4e0-e26d-4bd1-8a1a-d5 >> 7d7ae2af8c/v2.0/.well-known/openid-configuration. There are many more. >> >> This spec is explicitly paving cowpaths. Yes, you suggest a better path >> that could have been taken. But (torturing the metaphor) it's not where >> the cows are. We owe it to the industry to codify the widespread and >> sufficiently-well-working existing practice. Thanks for your understanding >> of this. >> > > I understand the difficulty here, as breaking changes -- especially at > this late state -- are a pretty big deal, and I feel bad that this > situation has arisen. I'll note that I was not the first to identify this > specific "better path that could have been taken"; John Bradley described > the same approach over five years ago in a thread that you participated in: > <https://bitbucket.org/openid/connect/issues/638/discovery-u > sing-issuer-identifer-w-path>. > > One of the key reasons existing external specifications are brought to the > IETF is to file off architectural warts such as this. As is standard > practice for BOFs involving externally-incubated solutions, there was > discussion at the OAUTH BOF regarding change control and breaking changes. > Looking at the minutes, a key proponent asserted "we want oauth reviewed, > and if problems are found, fixed", while the sponsoring AD clarified: "No > one expects bit-for-bit compatibility.... Code can change over time." I > understand the "code can change over time" argument is quite blithe when > applied out of the blue, but it seems much more relevant when it was one of > the arguments that was made for the very creation of the working group. > > Minimally, if we come to some kind of IETF consensus (after looping in the > relevant parties) that allows publication of a document that squats on the > entire path namespace of HTTP URLs -- and I want to be clear that I don't > believe this is possible -- then this document needs to update BCP 190, to > amend the following normative requirement on how IETF specifications handle > URLs: > > Scheme definitions define the presence, format, and semantics of a > path component in URIs; all other specifications MUST NOT constrain, > or define the structure or the semantics for any path component. > > The only exception to this requirement is registered "well-known" > URIs, as specified by [RFC5785]. See that document for a description > of the applicability of that mechanism. > > To be clear: amending BCP 190 is way, WAY outside the purview and charter > of OAUTH. Overriding this normative language would require input from the > appropriate community (maybe httpbis, but they're almost closed), and you'd > need to build consensus that what we did in BCP 190 -- which was a formal > codification of web principles promulgated by the W3C, with roots tracing > back to Roy Fielding's thesis that coined the REST concept itself -- was > incorrect. > > The fundamental problem here is that the cows have been walking through > private gardens for years, despite clear rules that say they should not. > Breaking out the paving equipment to formally seize that land for OAUTH's > exclusive use would only make that transgression so much worse. > > ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> Section 1.1: [this is an editorial suggestion that I leave to the editors' >> discretion] This document makes use of uncapitalized "must", "should", >> and "may" in places. Please consider using the RFC 8174 boilerplate instead >> of the RFC 2119 boilerplate. >> >> Mike> I'd be glad to update to the RFC 8174 boilerplate. >> > > Thanks. > > Section 7.2: [this is an important procedural comment that really should >> be resolved prior to publication] The addition of restrictions to >> registries established by RFC 6749 would seem to require that this document >> formally include "Updates: RFC6749" in its metadata, as well as a mention >> of such an update in its Abstract and Introduction sections. >> >> Mike> I've actually worked with the IESG and IANA in the past to update >> the instructions for existing registries. https://tools.ietf.org/html/rf >> c7638#section-6 adds to the instructions to the Designated Experts for >> three existing registries. The way IANA did this was to add [RFC7638] to >> the References lists in the registries themselves. For instance, see that >> the instructions for the "JSON Web Key Types" registry at >> https://www.iana.org/assignments/jose/jose.xhtml#web-key-types has a >> References value of "[RFC7518][RFC7638]". RFC 7618 did not update RFC 7518 >> - only the registry established by it. I propose that we follow this >> precedent and do the same thing here. >> > > > If there's precedent, I'm okay going along with that. > > /a >
- [OAUTH-WG] Adam Roach's Discuss on draft-ietf-oau… Adam Roach
- Re: [OAUTH-WG] Adam Roach's Discuss on draft-ietf… Mike Jones
- Re: [OAUTH-WG] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [OAUTH-WG] Adam Roach's Discuss on draft-ietf… John Bradley
- Re: [OAUTH-WG] Adam Roach's Discuss on draft-ietf… Adam Roach