Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-introspection-03.txt

Sergey Beryozkin <sberyozkin@gmail.com> Fri, 19 December 2014 23:13 UTC

Message-ID: <5494B0FE.4010900@gmail.com>
Date: Fri, 19 Dec 2014 23:13:02 +0000
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: oauth@ietf.org
References: <20141207033213.26273.31418.idtracker@ietfa.amsl.com> <1416B7A5-2CCE-4E6F-B9CB-56C606076DD3@mit.edu> <32999E7E-459F-44C1-916C-67318C3968F8@mit.edu> <54871C72.60006@gmail.com>
In-Reply-To: <54871C72.60006@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Q1XWjYdza1RWe5-7oOd8o5lZNoc

Hi Justin

Returning a client public/confidential status may be useful in case the RS 
chooses to allow more restricted access to public clients in cases 
where both public & private clients are accepted.

Thanks, Sergey
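The two suggestions above (extra request context for the AS, and a public/confidential indication the RS can act on), as an added example that is not part of this message or of the draft: the AS is a mock, and the `client_ip` and `resource_uri` request parameters and the `client_type` response member are assumptions that draft-ietf-oauth-introspection-03 does not define.

```python
# Added example (not from the draft or the thread). Hypothetical names NOT defined by
# draft-ietf-oauth-introspection-03: request parameters 'client_ip' and 'resource_uri',
# and the response member 'client_type' ("public" / "confidential").
NOW = 1419030785  # fixed clock for the mock AS (constructed value)

# Constructed token store for the mock AS: opaque token -> introspection claims.
MOCK_AS_TOKENS = {
    "tok-conf": {"active": True, "client_id": "cli-conf", "client_type": "confidential",
                 "scope": "read write", "exp": NOW + 3600},
    "tok-pub": {"active": True, "client_id": "cli-pub", "client_type": "public",
                "scope": "read write", "exp": NOW + 3600},
    "tok-old": {"active": True, "client_id": "cli-conf", "client_type": "confidential",
                "scope": "read", "exp": NOW - 1},
}

def build_introspection_request(token, client_ip=None, resource_uri=None):
    """Form body the RS POSTs to the (MUST-authenticated) introspection endpoint.
    'token' is the only parameter the draft requires; the others are the extra
    context argued for in this thread, which an AS MAY accept or ignore."""
    params = {"token": token}
    if client_ip:
        params["client_ip"] = client_ip        # hypothetical parameter
    if resource_uri:
        params["resource_uri"] = resource_uri  # hypothetical parameter
    return params

def mock_as_introspect(params, now=NOW):
    """Stand-in for the AS endpoint. Unknown or expired tokens yield only
    {"active": false}, so the RS learns nothing more about tokens it must not honour."""
    rec = MOCK_AS_TOKENS.get(params.get("token"))
    if rec is None or rec["exp"] <= now:
        return {"active": False}
    return dict(rec)

def authorize(resp, required_scope, method, public_methods=("GET", "HEAD")):
    """RS policy over the introspection response: token active and carrying the
    scope; public clients are additionally confined to read-only methods."""
    if not resp.get("active"):
        return (False, "inactive token")
    if required_scope not in resp.get("scope", "").split():
        return (False, "insufficient scope")
    if resp.get("client_type") == "public" and method not in public_methods:
        return (False, "public clients limited to " + "/".join(public_methods))
    return (True, "ok")

def check_request(token, method, scope, client_ip=None, uri=None):
    """Full RS flow: build the request, (mock) introspect, decide."""
    req = build_introspection_request(token, client_ip=client_ip, resource_uri=uri)
    return authorize(mock_as_introspect(req), scope, method)
```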

On 09/12/14 15:59, Sergey Beryozkin wrote:
> Hi Justin
>
> IMHO the section 2.1 [1] requires more work.
>
> First, "resource_id". Having such a parameter does not add anything to
> the interoperability side of the spec. It is a "server specific
> string..." which may be anything and as such a 3rd party AS is unlikely
> to do any work around this parameter unless both RS and AS are from the
> same provider.
> IMHO it either has to be dropped, since the text "The endpoint MAY allow other
> parameters to provide further context to the query" covers whatever else
> the server may want to add, or have some more specific meaning attached to it.
> Besides that, the MUST authentication requirement properly covers a
> possible RS identification requirement.
> I'd rather have a "resource_id" representing an RS base address or,
> better, the current request URI, which in combination with an optional
> client_ip can help the AS make a more specific introspection action.
>
> I also suggested promoting a parameter like "client_ip". Just referring
> to the possibility of the RS reporting a client IP address does not help
> improve interoperability either, with respect to an RS and AS offered
> by different providers working with a client IP property.
>
> Thanks, Sergey
>
>
>
> [1]
> http://tools.ietf.org/html/draft-ietf-oauth-introspection-03#section-2.1
>
>
>
> On 07/12/14 03:38, Justin Richer wrote:
>> … and I just noticed hanging text at the top of section 2.2 due to the
>> JWT claims edit. My working copy has removed the extraneous text
>> “Several of these”.
>>
>> Also, as always, latest XML is up on GitHub:
>>
>> https://github.com/jricher/oauth-spec
>>
>> — Justin
>> On Dec 6, 2014, at 10:34 PM, Justin Richer <jricher@mit.edu> wrote:
>>
>>> Small update to introspection, now the returned values reference the
>>> JWT claims specifically (as requested). Also updated the HTTP and
>>> HTML references.
>>>
>>> No normative changes.
>>>
>>> — Justin
>>>
>>> On Dec 6, 2014, at 10:32 PM, internet-drafts@ietf.org wrote:
>>>
>>>>
>>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>>> directories.
>>>> This draft is a work item of the Web Authorization Protocol Working
>>>> Group of the IETF.
>>>>
>>>>        Title           : OAuth 2.0 Token Introspection
>>>>        Author          : Justin Richer
>>>>        Filename        : draft-ietf-oauth-introspection-03.txt
>>>>        Pages           : 12
>>>>        Date            : 2014-12-06
>>>>
>>>> Abstract:
>>>>   This specification defines a method for a protected resource to query
>>>>   an OAuth 2.0 authorization server to determine the active state of an
>>>>   OAuth 2.0 token and to determine meta-information about this token.
>>>>   OAuth 2.0 deployments can use this method to convey information about
>>>>   the authorization context of the token from the authorization server
>>>>   to the protected resource.
>>>>
>>>>
>>>>
>>>> The IETF datatracker status page for this draft is:
>>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-introspection/
>>>>
>>>> There's also a htmlized version available at:
>>>> http://tools.ietf.org/html/draft-ietf-oauth-introspection-03
>>>>
>>>> A diff from the previous version is available at:
>>>> http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-introspection-03
>>>>
>>>>
>>>> Please note that it may take a couple of minutes from the time of submission
>>>> until the htmlized version and diff are available at tools.ietf.org.
>>>>
>>>> Internet-Drafts are also available by anonymous FTP at:
>>>> ftp://ftp.ietf.org/internet-drafts/
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth