Re: [OAUTH-WG] draft-hunt-oauth-client-association-00

Phil Hunt <phil.hunt@oracle.com> Sun, 03 November 2013 05:28 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3E1021E809D for <oauth@ietfa.amsl.com>; Sat, 2 Nov 2013 22:28:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.614
X-Spam-Level:
X-Spam-Status: No, score=-5.614 tagged_above=-999 required=5 tests=[AWL=-0.412, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nn2gcWoNsakY for <oauth@ietfa.amsl.com>; Sat, 2 Nov 2013 22:28:28 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 520FC21E8094 for <oauth@ietf.org>; Sat, 2 Nov 2013 22:28:28 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id rA35SPpR032228 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sun, 3 Nov 2013 05:28:26 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id rA35SOdq011962 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 3 Nov 2013 05:28:24 GMT
Received: from abhmt103.oracle.com (abhmt103.oracle.com [141.146.116.55]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id rA35SOq8011959; Sun, 3 Nov 2013 05:28:24 GMT
Received: from [192.168.1.125] (/174.7.250.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sat, 02 Nov 2013 22:28:23 -0700
References: <5273FA71.4000500@gmx.net> <1D4A7D8A-A532-4368-B0E0-87B73B57F1EC@oracle.com> <52740DAD.9030102@gmx.net> <DCA0C891-504B-4DAA-A414-9A7324150DA3@oracle.com> <CANSMLKFrwb=m3a=iu2Q5Z4o27j8nHyvow4Myby7Nhf69M67UMg@mail.gmail.com> <26C9D99A-6CC6-44D0-A977-CA67B97915AF@mitre.org>
Mime-Version: 1.0 (1.0)
In-Reply-To: <26C9D99A-6CC6-44D0-A977-CA67B97915AF@mitre.org>
Content-Type: multipart/alternative; boundary=Apple-Mail-1AD6E9DB-960D-457F-9D02-205546547A0D
Content-Transfer-Encoding: 7bit
Message-Id: <55448281-4CB2-4EB3-AD8A-4B50C4EFA3F8@oracle.com>
X-Mailer: iPhone Mail (11B511)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Sat, 2 Nov 2013 22:28:21 -0700
To: "Richer, Justin P." <jricher@mitre.org>
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-hunt-oauth-client-association-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Nov 2013 05:28:33 -0000

Client assoc is a profile of the existing token endpoint and uses the assertion drafts definition of client assertion. As such it is not a new mechanism. 

Client assoc is also compatible with assertion draft and thus as new token formats are defined they can automatically be issued via dyn association without amending client assoc draft or profiling each time. 

Phil

> On Nov 2, 2013, at 21:41, "Richer, Justin P." <jricher@mitre.org> wrote:
> 
> The software statement does make sense and we could use it in BB+ to take the place of the registration_jwt, even though I'm not really in favor of inventing yet another mechanism for presenting an assertion to an OAuth-protected endpoint. 
> 
> The association draft is in many ways semantically equivalent to the existing dynamic registration draft, but less flexible and it overloads the token endpoint.
> 
>  -- Justin
> 
> On Nov 1, 2013, at 6:42 PM, Josh Mandel <jmandel@gmail.com>
>  wrote:
> 
>> Hi Justin,
>> 
>> Well, I spent ~20min to read over this pair of drafts (association + software_statement). I have to say that in isolation, I find this approach quite reasonable. In particular:
>> 
>> 1. This approach does *not* require both a bearer token and software_statement for the registration step. The software_statement alone should work for a case lke B. (Bearer token is only presented to the registration endpoint for refresh/update -- or if some out of band authz needs to be communicated.)
>> 
>> 2. This approach is very friendly for public ("transient") clients.  No need to delete/expire/repeat the regsitration.
>> 
>> Under this spec, a BB+ Registry would produce software_statements instead of preregistration_jwts, but otherwise works the same.
>> 
>> I'm definitely interested to hear what you see as the drawbacks
>> 
>>   -J
>> 
>> ---------- Forwarded message ----------
>> From: Phil Hunt <phil.hunt@oracle.com>
>> Date: Fri, Nov 1, 2013 at 6:02 PM
>> Subject: Re: [OAUTH-WG] draft-hunt-oauth-client-association-00
>> To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
>> Cc: "oauth@ietf.org WG" <oauth@ietf.org>
>> 
>> 
>> I think for the client types, the trick is to try to make it restrictive enough so there's no second-guessing the client developer has to do about what SPs will accept.  The line I was drawing was for implicit/javascript clients in the current draft.
>> 
>> We could open it to a simple decision for the client developer.  If they think they will need an instance specific client_id from service endpoints, then they need to use dynamic registration.  Otherwise transient registration could be used for on-the-fly transient associations - which are still public clients.
>> 
>> My assessment was we could keep transient restricted to implicit/javascript only - making the choice very clear.  But I'd love to hear if someone has a case where they think transient fits a client doing one of the other authorization flows (the broader case).
>> 
>> BTW….this is why the client association draft is in fact so long.  There is considerable text discussing the classifications and their differences.
>> 
>> Looking at it now, I'm starting to feel stricter "normative" text (MUSTs & SHOULDS) and less fuzzy explanation and/or examples might actually be better for inter-op and perceived simplicity/clarity.
>> 
>> Phil
>> 
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>> 
>> On 2013-11-01, at 1:23 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>> 
>> > Hi Phil,
>> >
>> > We definitely have to figure out how the differentiation is made so that
>> > a developer (or someone who deploys the technology) understands the
>> > scenario they are in and what the implications are. At the moment I
>> > would struggle a bit.
>> >
>> > Using examples is certainly a good idea, like you did below. There are,
>> > however, quickly challenges. For example, in the JavaScript case below
>> > you can imagine a developer of a smart phone app who uses JavaScript but
>> > then packages the application (using PhoneGap), which makes it behave
>> > very much like a native app.
>> >
>> > And, as you say below, the notion of whether the endpoint is configured upfront (during development time) or dynamically configured may not necessarily matter.
>> >
>> > It definitely makes sense to discuss this during the meeting and real-world examples may help.
>> >
>> > Ciao
>> > Hannes
>> >
>> > Am 01.11.13 20:56, schrieb Phil Hunt:
>> >> Hannes,
>> >>
>> >> Great timing!
>> >>
>> >> This is an aspect that I think deserves more discussion. One of the
>> >> challenges was to draw a clear line of distinction between transient
>> >> and dynamic.
>> >>
>> >> Transient clients are really meant for javascript clients that decide
>> >> to connect to a particular end-point on the fly.  Note you can still
>> >> have "static" javascript clients that are hard coded to connect and
>> >> have already received a client_id through an out-of-band process.
>> >>
>> >> Phil
>> >>
>> >> @independentid www.independentid.com phil.hunt@oracle.com
>> >>
>> >> On 2013-11-01, at 12:01 PM, Hannes Tschofenig
>> >> <hannes.tschofenig@gmx.net> wrote:
>> >>
>> >>> Hi Phil, Hi Tony, Hi all,
>> >>>
>> >>> I re-read the document and I believe the most important concept it
>> >>> introduces is the classification of different associations, namely
>> >>> into 'static', 'dynamic', and 'transient'. This is certainly
>> >>> something worthwhile to discuss during the meeting and to ensure
>> >>> that it is well understood, and that there are only these three
>> >>> classes (rather than two or four).
>> >>>
>> >>> The description in the introduction makes the differentiation
>> >>> between the three concepts mostly based on how the endpoints are
>> >>> configured in the application.
>> >>>
>> >>> With the static association the endpoint is hard-coded into the
>> >>> software during the development time. It cannot be changed. With
>> >>> the two other cases the endpoint can be changed. As such, the
>> >>> difference between the 'dynamic', and 'transient' association seems
>> >>> to be in the terms of how long the lifetime of the association.
>> >>> Now, what exactly is the lifetime of an association? Is the
>> >>> lifetime of the association understood as the lifetime of the
>> >>> configured endpoint identifier?
>> >>>
>> >>> Then, when I re-read the text in Section 1 again then I suddenly
>> >>> get the impression that the lifetime of the association actually
>> >>> does not matter but instead the difference is rather whether the
>> >>> client is public or confidential. Is that true?
>> >>>
>> >>> If it isn't true that this is the feature that makes the
>> >>> distinction between 'dynamic', and 'transient' then the notion of
>> >>> "public" vs. "confidential" client isn't too important for the rest
>> >>> of the document.
>> >>>
>> >>> Ciao Hannes
>> >>>
>> >>>
>> >>> _______________________________________________ OAuth mailing list
>> >>> OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
>> >>
>> >
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>