Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-reg-09 - token_endpoint_auth_method
Justin Richer <jricher@mitre.org> Thu, 25 April 2013 13:30 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AC5321F9606 for <oauth@ietfa.amsl.com>; Thu, 25 Apr 2013 06:30:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fpuVWS8xRo4u for <oauth@ietfa.amsl.com>; Thu, 25 Apr 2013 06:30:20 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id A785821F8976 for <oauth@ietf.org>; Thu, 25 Apr 2013 06:30:19 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 5D1B91F04B2; Thu, 25 Apr 2013 09:30:18 -0400 (EDT)
Received: from IMCCAS02.MITRE.ORG (imccas02.mitre.org [129.83.29.79]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 4779F1F047A; Thu, 25 Apr 2013 09:30:18 -0400 (EDT)
Received: from [10.146.15.29] (129.83.31.58) by IMCCAS02.MITRE.ORG (129.83.29.79) with Microsoft SMTP Server (TLS) id 14.2.342.3; Thu, 25 Apr 2013 09:30:18 -0400
Message-ID: <51792FD5.7040605@mitre.org>
Date: Thu, 25 Apr 2013 09:29:57 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130329 Thunderbird/17.0.5
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <53250C00-9D1C-4E81-9AD6-E12241B875D9@oracle.com> <5178498B.3050406@mitre.org> <0E96125F-CFEC-4157-8A1E-3CFCA1C4D79F@oracle.com> <0C683171-29F6-47EA-A611-AB6394207353@ve7jtb.com> <E24D0C95-DBDF-430F-B8A7-FC4E67C255BD@oracle.com>
In-Reply-To: <E24D0C95-DBDF-430F-B8A7-FC4E67C255BD@oracle.com>
Content-Type: multipart/alternative; boundary="------------060407000803070909000000"
X-Originating-IP: [129.83.31.58]
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-reg-09 - token_endpoint_auth_method
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2013 13:30:21 -0000
The thing to remember is that all of these parameters are bi directional since the configuration is echoed back to the client. On the one hand (C->S), it's the client stating its preference. On the other direction (S->C) it's the server specifying the client's configuration. So the server *does* say that the client must do authn method X in its response, using the same parameter. And if the client wants a method that doesn't get supported, then it doesn't get to use it. But at least it has a chance to know about that by looking at the server's response. Same goes with scopes, grant types, and others. It is a singular value. At one point I had had it in there as an array (space separated list of strings, I think), but the Connect working group didn't want to make it plural at the time. -- Justin On 04/24/2013 06:55 PM, Phil Hunt wrote: > Right and if the client wants a method not supported then what? > > Why can't the client offer up a list of methods it is able to support, > say in order of preference? > > The text appears to indicate only one value may be passed. > > Given the way it is written. It seems better to just have the server > say the client must do authn method X in the response. > > Phil > > @independentid > www.independentid.com <http://www.independentid.com> > phil.hunt@oracle.com <mailto:phil.hunt@oracle.com> > > > > > > On 2013-04-24, at 3:41 PM, John Bradley wrote: > >> In Connect the AS may support a number of token endpoint >> authentication methods. The reason to allow a client to register >> using a particular one is to prevent downgrade attacks. >> >> If the client wants to always use an asymmetric signature you don't >> want to allow attackers to use weaker methods like http basic. >> >> So a server may support any number of methods, but it is reasonable >> for a client to specify which one it is going to use. In a closed >> system that may not be that useful but in a open system where the AS >> has a looser relationship to the client it is important. >> >> John B. >> >> On 2013-04-24, at 7:30 PM, Phil Hunt <phil.hunt@oracle.com >> <mailto:phil.hunt@oracle.com>> wrote: >> >>> Hmmm… what was the objective or use case for having the client being >>> able to choose in the first place? >>> >>> It seems to me that the AS will make a decision based on many >>> factors. As you say, there isn't any other place that enumerates the >>> various [authn] methods a client can use to access the token >>> endpoint. So, why do it? >>> >>> Phil >>> >>> @independentid >>> www.independentid.com <http://www.independentid.com/> >>> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com> >>> >>> >>> >>> >>> >>> On 2013-04-24, at 2:07 PM, Justin Richer wrote: >>> >>>> Seems reasonable to me, can you suggest language to add in the >>>> capability? Would it require an IANA registry? Right now there >>>> isn't any other place that enumerates the various methods that a >>>> client can use to access the token endpoint. >>>> >>>> -- Justin >>>> >>>> On 04/24/2013 04:17 PM, Phil Hunt wrote: >>>>> For parameters to token_endpoint_auth_method, the spec has defined >>>>> "client_secret_jwt" and "private_key_jwt". Shouldn't there be >>>>> similar options of SAML? >>>>> >>>>> Shouldn't there be an extension point for other methods? >>>>> >>>>> Phil >>>>> >>>>> @independentid >>>>> www.independentid.com <http://www.independentid.com/> >>>>> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >> >
- [OAUTH-WG] Questions on draft-ietf-oauth-dyn-reg-… Phil Hunt
- Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-… John Bradley
- Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-… Justin Richer
- Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-… Phil Hunt
- Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-… John Bradley
- Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-… Phil Hunt
- Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-… Mike Jones
- Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-… John Bradley
- Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-… Phil Hunt
- Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-… Sergey Beryozkin
- Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-… John Bradley
- Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-… Justin Richer
- Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-… Justin Richer
- Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-… John Bradley
- Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-… Phil Hunt
- Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-… Justin Richer
- Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-… Phil Hunt
- Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-… Justin Richer