Re: [OAUTH-WG] Comments on draft-jones-oauth-resource-metadata-00

Torsten Lodderstedt <torsten@lodderstedt.net> Sun, 13 November 2016 08:27 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3665E129524 for <oauth@ietfa.amsl.com>; Sun, 13 Nov 2016 00:27:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.611
X-Spam-Level:
X-Spam-Status: No, score=-2.611 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9ySvXJqUXC9s for <oauth@ietfa.amsl.com>; Sun, 13 Nov 2016 00:27:41 -0800 (PST)
Received: from smtprelay06.ispgateway.de (smtprelay06.ispgateway.de [80.67.31.102]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35053129431 for <oauth@ietf.org>; Sun, 13 Nov 2016 00:27:41 -0800 (PST)
Received: from [58.120.104.2] (helo=[192.168.101.95]) by smtprelay06.ispgateway.de with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.84) (envelope-from <torsten@lodderstedt.net>) id 1c5q8Y-0006OC-CS; Sun, 13 Nov 2016 09:27:38 +0100
To: Mike Jones <Michael.Jones@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
References: <e544a62e-3499-dc32-ad1d-ed3f77e60495@aol.com> <5827FAD7.1090105@lodderstedt.net> <CO2PR03MB235854922A12B3E4CCE498C7F5BD0@CO2PR03MB2358.namprd03.prod.outlook.com>
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-ID: <582823F7.8010106@lodderstedt.net>
Date: Sun, 13 Nov 2016 17:27:35 +0900
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.5.0
MIME-Version: 1.0
In-Reply-To: <CO2PR03MB235854922A12B3E4CCE498C7F5BD0@CO2PR03MB2358.namprd03.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------000409000609080904020904"
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/M5jtxZPBYNpRQ6MzYkbFBWI3a5A>
Subject: Re: [OAUTH-WG] Comments on draft-jones-oauth-resource-metadata-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Nov 2016 08:27:44 -0000

I see your point but do you really think this is needed and efficient 
enough for practical use?

Basing metadata handling on single resources (distinct URLs including 
different query parameters, right?) in my opinion means:
- the client needs to discovery the AS for every of those URLs
- the client needs to acquire an access token per URL
- I'm not quite sure what it means when it comes to token binding

I think it would be good idea to have a container on a more coarse grain 
level in order to make that more efficient. If every resource (distinct 
URL) belongs to such a container (let's call it resource server or 
something else), the client-side handling should become easier.

BTW: we don't have different meta data for token endpoint and 
authorization endpoint of a particular AS, right? So the comparision 
does not completely fit.

What do you think?

best regards,
Torsten.



Am 13.11.2016 um 15:37 schrieb Mike Jones:
>
> Actually, it’s intentionally a particular resource that the metadata 
> applies to – exactly as the AS metadata applies to a particular AS.  
> It is **not** metadata about all resources that might be managed by a 
> resource server, just as the AS metadata is not about all ASs that a 
> particular server (such as a multi-tenant server) might manage.
>
> Bear in mind that just as different ASs are likely to use different 
> keys for security reasons, even if they are on the same physical 
> server – such as in the multi-tenant case, different resources need to 
> be able to use different keys, even if they are hosted at the same 
> resource server.  That mandates the metadata being resource-specific.
>
> For what it’s worth, if we ever do an OAuth 3.0, I believe we should 
> get rid of the “resource server” term entirely.  It doesn’t have any 
> actionable semantics tied to it and its existence only encourages 
> confusion.
>
> Thanks for reading the draft, Torsten.
>
> -- Mike
>
> *From:*Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
> *Sent:* Sunday, November 13, 2016 2:32 PM
> *To:* Mike Jones <Michael.Jones@microsoft.com>; oauth@ietf.org
> *Cc:* gffletch@aol.com
> *Subject:* Re: [OAUTH-WG] Comments on 
> draft-jones-oauth-resource-metadata-00
>
> Hi Mike,
>
> just read your spec and I'm also a bit confused about the "resource" 
> meta data element in section 2.
>
> I would assume the metadata are provided for a certain resource server 
> managing a set of resources in a particular administrative domain. So 
> I would prefer to name the respective element "resource_server". In 
> the example George gave the URL would be 
> "https://idp.example.com/tenant/<tenantid>/". Resource managed by a 
> particular resource server could use sub-paths of the respective URL, 
> such as " https://idp.example.com/tenant/<tenantid>/users/<userid>".
>
> best regards,
> Torsten.
>
> Am 05.08.2016 um 02:10 schrieb George Fletcher:
>
>     Mike, thanks for drafting and publishing these specifications. I
>     have a couple of questions regarding the
>     draft-jones-oauth-resource-metadata-00.
>
>     1. Is a "protected resource" a server? or an actual API endpoint.
>     The non-normative examples use
>     /.well-known/oauth-protected-resource and
>     /resource1/.well-known/oauth-protected-resource which is a little
>     unclear. I think of "resource" as something like "Mail" or
>     "Instant Messaging".
>
>     2. Assuming that "protected resource" means an actual API
>     endpoint, what is the expected location of the metadata for a
>     fully REST compliant API where the full URL points to a specific
>     resource and not the concept of a general API.
>
>         Using an example of an IdP that supports user management
>         capabilities. Let's assume the IdP supports a REST API of...
>
>             CREATE -- POST https://idp.example.com/tenant/<tenantid>/users
>             READ -- GET
>         https://idp.example.com/tenant/<tenantid>/users/<userid>
>             UPDATE -- PUT
>         https://idp.example.com/tenant/<tenantid>/users/<userid>
>             DELETE -- DELETE
>         https://idp.example.com/tenant/<tenantid>/users/<userid>
>
>         Assuming there are 3 tenants (tenantA, tenantB, tenantB) and
>         lots of users. Where does the
>         .well-known/oauth-protected-resource get added?
>
>            ??
>         https://idp.example.com/tenant/tenantA/users/1232234/.well-known/oauth-protected-resource
>
>         In this case would not the oauth-protected-resource metadata
>         be duplicated across the set of tenants and users? Is that the
>         desired behavior?
>
>     Thanks,
>     George
>
>
>
>     _______________________________________________
>
>     OAuth mailing list
>
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>
>     https://www.ietf.org/mailman/listinfo/oauth
>