Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Discovery

Roland Hedberg <roland.hedberg@umu.se> Thu, 04 February 2016 09:00 UTC

From: Roland Hedberg <roland.hedberg@umu.se>
To: Phil Hunt <phil.hunt@oracle.com>
Date: Thu, 4 Feb 2016 09:00:37 +0000
Message-ID: <40EFF814-7E12-4DF4-B94C-54495670E314@adm.umu.se>
References: <569E2298.3010508@gmx.net> <56A7CA7D.3050602@lodderstedt.net> <CA+k3eCS6_wZ0YkG8HjiwmQGemndHRBCG12McNTsgTvuEch5LwQ@mail.gmail.com> <DA812138-751B-4FEB-9EFA-40DC38BEDFDB@oracle.com>
In-Reply-To: <DA812138-751B-4FEB-9EFA-40DC38BEDFDB@oracle.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/L_p510EW3CmLR6zvFp-GPrR2TuE>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Discovery

> On 3 Feb 2016, at 00:48, Phil Hunt <phil.hunt@oracle.com> wrote:
> 
> Item 2:  rel value for webfinger
> It seems to me while the discovery requirements for plain OAuth and OIDC are the same for today that might not always be true.  What will happen if OIDC wants to add more stuff?  Will plain OAuth sites have to comply?
> 
> A client may want to know both the OAuth discovery endpoint information for a resource AND it might want to know the OIDC discovery information.  The endpoints might not always be the same - how do we tell them apart?

I’ve (we’ve) had exactly this problem in the UMA use-case.
Which is just one example where an AS may have OAuth2 or OIDC parentage.
So, I support having different rel values.

— Roland
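The situation Phil and Roland describe, worked through as an added example that is not part of either message: a WebFinger JRD for one resource whose OIDC provider and plain OAuth 2.0 AS are different servers. The OIDC rel is the real one from OpenID Connect Discovery 1.0; the OAuth rel is a placeholder, since the thread had not settled on a value, and the JRDs are constructed.

```python
import json
from urllib.parse import urlsplit

# Real rel value defined by OpenID Connect Discovery 1.0 for locating the issuer.
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"
# Placeholder rel for plain OAuth 2.0 discovery; the thread had not settled on one,
# so this URI is an assumption made for this example.
OAUTH_AS_REL = "urn:example:oauth2-authorization-server"

# Constructed WebFinger JRD (RFC 7033) in which the OIDC provider and the plain
# OAuth 2.0 AS for the same resource live on different hosts.
SAMPLE_JRD = json.dumps({
    "subject": "acct:alice@example.com",
    "links": [
        {"rel": OIDC_ISSUER_REL, "href": "https://login.example.com"},
        {"rel": OAUTH_AS_REL, "href": "https://as.example.net"},
        {"rel": "http://webfinger.net/rel/profile-page", "href": "https://example.com/alice"},
    ],
})

# Constructed JRD where both servers are published under one shared rel value.
SHARED_REL_JRD = json.dumps({
    "subject": "acct:alice@example.com",
    "links": [
        {"rel": OIDC_ISSUER_REL, "href": "https://login.example.com"},
        {"rel": OIDC_ISSUER_REL, "href": "https://as.example.net"},
    ],
})

def issuer_for_rel(jrd_text, rel):
    """Return the https issuer URL of the single link carrying `rel`, or None.

    Several links for one rel are rejected: the client cannot tell which server
    the deployer meant, and a wrong pick sends the user's authorization to a
    server they did not intend. OIDC Discovery requires an https issuer.
    """
    jrd = json.loads(jrd_text)
    hrefs = [link["href"] for link in jrd.get("links", []) if link.get("rel") == rel and "href" in link]
    if not hrefs:
        return None
    if len(hrefs) > 1:
        raise ValueError("ambiguous: %d links carry rel %s" % (len(hrefs), rel))
    if urlsplit(hrefs[0]).scheme != "https":
        raise ValueError("issuer must be https: %s" % hrefs[0])
    return hrefs[0]

def discover(jrd_text):
    """Resolve the OIDC and plain OAuth issuers independently; each may be absent."""
    return {"oidc": issuer_for_rel(jrd_text, OIDC_ISSUER_REL),
            "oauth": issuer_for_rel(jrd_text, OAUTH_AS_REL)}
```

With distinct rel values `discover` returns both issuers unambiguously; with a single shared rel the same two servers become indistinguishable and the lookup has to be rejected.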