Re: [OAUTH-WG] OAuth 2.0 Protected Resource Metadata now with WWW-Authenticate
Brian Campbell <bcampbell@pingidentity.com> Wed, 19 July 2023 16:37 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF09EC14CE42 for <oauth@ietfa.amsl.com>; Wed, 19 Jul 2023 09:37:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.093
X-Spam-Level:
X-Spam-Status: No, score=-7.093 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BrQ7QLoxi9QE for <oauth@ietfa.amsl.com>; Wed, 19 Jul 2023 09:37:36 -0700 (PDT)
Received: from mail-io1-xd35.google.com (mail-io1-xd35.google.com [IPv6:2607:f8b0:4864:20::d35]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4BDCC14F736 for <oauth@ietf.org>; Wed, 19 Jul 2023 09:37:31 -0700 (PDT)
Received: by mail-io1-xd35.google.com with SMTP id ca18e2360f4ac-7869bcee569so304558239f.0 for <oauth@ietf.org>; Wed, 19 Jul 2023 09:37:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; t=1689784651; x=1690389451; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=+Q4LcFbwze/AnxYJM/Kw7XKwjunG+0hFq/pTK4woESI=; b=YmgdC0t5I4AQE10vCKiJ7otZ1wtUWDLGtM7amhijNubNevIk6ml4OtDf8QyMd7Hboj tbOzye4/7EHfMhbYIQ++uuoTP3Lcd/aoUMxQrgT/nNl5JIe40brXNMvtJZmjICoQlmpw C3ZpBCTCIBIOJ6DeKRc6zhvgPixy8sebiPaDn9dJ+eyzU4cu323yDf39qrTF3ww+OhAS mzWm8GorEI8b/+UFpqlZV0okrlk6B7lGJfyG9SzT5h2XyUd/qCGGgACF1nnEmC6hfEdw UyXJcsb7hHnyYTvs9xepbV+6OdJrT3NIB7la7OrivZ/MRTLNnOWOqH6dxmv0xvCUe4/f Dwjw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689784651; x=1690389451; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=+Q4LcFbwze/AnxYJM/Kw7XKwjunG+0hFq/pTK4woESI=; b=aARILoMt8nWcWrI1wRVzl4oF9TvT9bM3dsg9/7/J3lgCPyXGTYVjtNJ5xlye27dH+H R8jommv/zOHY8HcCIzE838xRVwNA+BbYstNO5NHdHowZcR63N4OKtBE1gHrs70pZ9PZ1 Cyk6p70lmOavNzT7GS48B5t2PaLI6BrgpaIwHwZVRM09f5uknw7p8XyKs51CXi96BG+r dCR+3qhcvKixaWilHOK2SpL+UHXPNbI33GlBvHhhA4Jfe7T9Q+RcGS/0qIGcTbBIOYUN XCYbLoQZCdVT/HKxFQiOgj+426iSHsatzqtcVs6z9pc2Ti0GKPRNUCKzkMNgZtnCmw9N Bp6g==
X-Gm-Message-State: ABy/qLa7EjYaHDs4BkToE0Z+8HZ8oEn+pPkSzo8CnR3dSsRcXv6ySD6K jLRkKh2xof0rP/1A5ikiTagqdPkFcrRkfLXPviNKBIoCfyISWVBKoqXGOKxowmU5QIK4v5cR3Rd rObbMY6tp4GXQC3Xt2W7FMM20
X-Google-Smtp-Source: APBJJlHmsw+U22driFoZc01nmeVMxyHbBAK/8EBL+SdmW3KBVK7xMC/1u0NvEjBG03lKswzyh3EwgHZ5GJ/xpu+FBcs=
X-Received: by 2002:a05:6e02:1d03:b0:345:a3c6:87b8 with SMTP id i3-20020a056e021d0300b00345a3c687b8mr7057468ila.12.1689784650625; Wed, 19 Jul 2023 09:37:30 -0700 (PDT)
MIME-Version: 1.0
References: <MW4PR02MB742844C56F175D4E359EDD07B731A@MW4PR02MB7428.namprd02.prod.outlook.com>
In-Reply-To: <MW4PR02MB742844C56F175D4E359EDD07B731A@MW4PR02MB7428.namprd02.prod.outlook.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 19 Jul 2023 10:36:57 -0600
Message-ID: <CA+k3eCR+c20GLkYcrupksxs+FmdCj1AGfXD5m7AF9oKkum_vGQ@mail.gmail.com>
To: Michael Jones <michael_b_jones@hotmail.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d9648c0600d9a53f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/LA6sqNOV98D7wP44p2Hl6dpSmtg>
Subject: Re: [OAUTH-WG] OAuth 2.0 Protected Resource Metadata now with WWW-Authenticate
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jul 2023 16:37:41 -0000
This certainly isn't a comprehensive review or endorsement necessarily but I read though the latest draft and had a couple of off-the-cuff* comments/questions: The abstract and intro talk only about enabling clients to obtain information needed to interact with a protected resource. However, the jwks_uri protected resource metadata parameter mentions that it might contain encryption key(s) that are used to encrypt access tokens to the protected resource, which would be something the AS does. It seems like the abstract and/or intro text should be adjusted or augmented a bit so as not to suggest that an AS is precluded from using the protected resource metadata. I'm struggling to see how the resource_signing_alg_values_supported, resource_encryption_alg_values_supported, and resource_encryption_enc_values_supported parameters would be used in a meaningful or interoperability improving way. What "content" is being signed or encrypted and by whom? These parameters seem to me to clutter/confuse the draft more than providing actual useful information. If you know (well-known), you know. The way it's done here makes a lot of sense for the context but might raise some eyebrows down the road, if this draft progresses. * Actually, I may have had some of these same thoughts in 2017 when -01 was presented to the WG but didn't get around to mentioning them back then :) On Mon, Jul 10, 2023 at 6:34 PM Michael Jones <michael_b_jones@hotmail.com> wrote: > In collaboration with Aaron Parecki <https://twitter.com/aaronpk>, the > ability for OAuth 2.0 protected resource servers to return their resource > identifiers via WWW-Authenticate has been added to the OAuth 2.0 > Protected Resource Metadata specification. This enables clients to > dynamically learn about and use protected resources they may have no prior > knowledge of, including learning what authorization servers can be used > with them. > > > > This incorporates functionality originally incubated in > draft-parecki-oauth-authorization-server-discovery-00 > <https://www.ietf.org/archive/id/draft-parecki-oauth-authorization-server-discovery-00.html>. > Aaron and I had been asked to merge the functionality of our two drafts > during an OAuth working group session at IETF 116. We’re both happy with > the result! > > > > The specification is available at: > > · > https://www.ietf.org/archive/id/draft-jones-oauth-resource-metadata-04.html > > > > -- Mike > > > > P.S. This notice was also posted at https://self-issued.info/?p=2377 and > was referenced from > https://twitter.com/selfissued/status/1677471513023508481. > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] OAuth 2.0 Protected Resource Metadata … Michael Jones
- Re: [OAUTH-WG] OAuth 2.0 Protected Resource Metad… Brian Campbell
- Re: [OAUTH-WG] OAuth 2.0 Protected Resource Metad… Giuseppe De Marco
- Re: [OAUTH-WG] OAuth 2.0 Protected Resource Metad… Rebecca Warren