Re: [OAUTH-WG] OAuth Discovery metadata values added for revocation, introspection, and PKCE

Justin Richer <jricher@mit.edu> Sun, 31 January 2016 13:47 UTC

To: Torsten Lodderstedt <torsten@lodderstedt.net>, Mike Jones <Michael.Jones@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
References: <BY2PR03MB442C39923E8F9D96F5975B0F5DA0@BY2PR03MB442.namprd03.prod.outlook.com> <56ADFA72.5090407@lodderstedt.net>
From: Justin Richer <jricher@mit.edu>
Message-ID: <56AE105B.9080101@mit.edu>
Date: Sun, 31 Jan 2016 08:47:07 -0500
In-Reply-To: <56ADFA72.5090407@lodderstedt.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/OEfg_Al4ob-1SoIuICm88PfKi-M>

It would be for client authentication to the revocation endpoint, if the 
client were to use client_secret_jwt or private_key_jwt methods to 
authenticate. Our implementation actually allows this, but we don't let 
clients choose more than one authentication method across three 
endpoints (token, revocation, and introspection).

A value we might want to add for revocation and introspection is 
"bearer_token", since it makes sense in both cases to give a client an 
access token to call these endpoints as opposed to credentials. This 
would need to be added to the token endpoint authentication methods 
registry.

  -- Justin

On 1/31/2016 7:13 AM, Torsten Lodderstedt wrote:
> Hi Mike,
>
> the current revocation RFC does not support request signing. So what 
> is the intention of revocation_endpoint_auth_signing_alg_values_supported?
>
> best regards,
> Torsten.
>
> Am 28.01.2016 um 20:27 schrieb Mike Jones:
>>
>> The OAuth Discovery specification has been updated to add metadata 
>> values for revocation <http://tools.ietf.org/html/rfc7009>, 
>> introspection <http://tools.ietf.org/html/rfc7662>, and PKCE 
>> <http://tools.ietf.org/html/rfc7636>. Changes were:
>>
>> - Added “revocation_endpoint_auth_methods_supported” and 
>> “revocation_endpoint_auth_signing_alg_values_supported” for the 
>> revocation endpoint.
>>
>> - Added “introspection_endpoint_auth_methods_supported” and 
>> “introspection_endpoint_auth_signing_alg_values_supported” for the 
>> introspection endpoint.
>>
>> - Added “code_challenge_methods_supported” for PKCE.
>>
>> The specification is available at:
>>
>> - http://tools.ietf.org/html/draft-jones-oauth-discovery-01
>>
>> An HTML-formatted version is also available at:
>>
>> - http://self-issued.info/docs/draft-jones-oauth-discovery-01.html
>>
>> -- Mike
>>
>> P.S.  This note was also published at 
>> http://self-issued.info/?p=1531 and 
>> as @selfissued <https://twitter.com/selfissued>.
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
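As an added illustration (not code from the thread, from the draft, or from any of the posters' implementations), here is how a client could consume the metadata values Mike lists and apply the rule Justin describes, namely that a client uses one authentication method across the token, revocation and introspection endpoints rather than a different one per endpoint. The metadata document, the issuer URL and every function name are constructed for this example; treating an absent `*_endpoint_auth_methods_supported` key as meaning `client_secret_basic` (the HTTP Basic method of RFC 6749) is an assumption, and the preference for `S256` over `plain` follows RFC 7636 rather than anything stated in the thread.

```python
import json

# Constructed authorization-server metadata document for this example. The key
# names are the ones discussed in the thread; the issuer and URLs are placeholders.
SAMPLE_METADATA_JSON = """
{
  "issuer": "https://as.example",
  "token_endpoint": "https://as.example/token",
  "revocation_endpoint": "https://as.example/revoke",
  "introspection_endpoint": "https://as.example/introspect",
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
  "token_endpoint_auth_signing_alg_values_supported": ["RS256", "ES256"],
  "revocation_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
  "revocation_endpoint_auth_signing_alg_values_supported": ["RS256"],
  "introspection_endpoint_auth_methods_supported": ["client_secret_basic", "bearer_token"],
  "code_challenge_methods_supported": ["plain", "S256"]
}
"""

ENDPOINTS = ("token", "revocation", "introspection")
# Methods that present a signed JWT assertion and so need an agreed signing algorithm.
JWT_METHODS = frozenset({"client_secret_jwt", "private_key_jwt"})


def load_metadata(text):
    """Parse the metadata and reject auth keys for an endpoint the server never lists."""
    md = json.loads(text)
    for ep in ENDPOINTS:
        has_auth_keys = any(k.startswith(f"{ep}_endpoint_auth_") for k in md)
        if has_auth_keys and f"{ep}_endpoint" not in md:
            raise ValueError(f"{ep}_endpoint_auth_* given without {ep}_endpoint")
    return md


def auth_methods_supported(md, endpoint):
    """Client authentication methods advertised for one endpoint.

    Assumption: an absent key means HTTP Basic (client_secret_basic), the method
    RFC 6749 defines for the token endpoint.
    """
    return list(md.get(f"{endpoint}_endpoint_auth_methods_supported",
                       ["client_secret_basic"]))


def choose_common_auth_method(md, client_preference):
    """Pick one method usable at all three endpoints, in the client's preference order.

    Mirrors the policy in the reply above: a client does not get to use different
    methods at the token, revocation and introspection endpoints. None means no
    single method is accepted everywhere.
    """
    for method in client_preference:
        if all(method in auth_methods_supported(md, ep) for ep in ENDPOINTS):
            return method
    return None


def choose_signing_alg(md, endpoint, method, client_algs):
    """Signing algorithm for a JWT-based client authentication at one endpoint.

    Returns None for non-JWT methods (nothing to sign). "none" is skipped even if
    advertised, because an unsigned assertion authenticates nobody; if no other
    algorithm is shared, the method cannot be used at this endpoint.
    """
    if method not in JWT_METHODS:
        return None
    supported = md.get(f"{endpoint}_endpoint_auth_signing_alg_values_supported", [])
    for alg in client_algs:
        if alg != "none" and alg in supported:
            return alg
    raise ValueError(f"no acceptable signing alg for {method} at the {endpoint} endpoint")


def choose_code_challenge_method(md):
    """Prefer S256; fall back to plain only when the server offers nothing stronger.

    None means the server advertises no PKCE support at all.
    """
    supported = md.get("code_challenge_methods_supported", [])
    if "S256" in supported:
        return "S256"
    if "plain" in supported:
        return "plain"
    return None


if __name__ == "__main__":
    md = load_metadata(SAMPLE_METADATA_JSON)
    method = choose_common_auth_method(md, ["private_key_jwt", "client_secret_basic"])
    print("method usable at all three endpoints:", method)
    print("revocation signing alg for private_key_jwt:",
          choose_signing_alg(md, "revocation", "private_key_jwt", ["ES256", "RS256"]))
    print("PKCE method:", choose_code_challenge_method(md))
```

With the sample document, `private_key_jwt` is rejected as the common method because the introspection endpoint does not list it, so the client falls back to `client_secret_basic`; a client that insists on `private_key_jwt` gets `None` and has to fail closed rather than silently downgrade at one endpoint.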