Re: [OAUTH-WG] PAR - Guidance on the request URI structure needed?

Brian Campbell <bcampbell@pingidentity.com> Mon, 27 April 2020 19:17 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 27 Apr 2020 13:16:36 -0600
Message-ID: <CA+k3eCSHFM29uJ4SFWtqoq=kV_fp-2UF4Nty_rsqnFgZXmwLkQ@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Filip Skokan <panva.ip@gmail.com>, oauth <oauth@ietf.org>, Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/QH7Mc2gDjONLi58c2g_5nt0UL44>

Yeah, I hadn't really been thinking of going so far as making it
RECOMMENDED either but more of just providing an easy option for those that
would choose to use it.



On Mon, Apr 27, 2020 at 10:58 AM Justin Richer <jricher@mit.edu> wrote:

> I agree that any URI could be used but that it MUST be understood by the
> AS to be local to the AS (and not something that can be impersonated by an
> attacker). I wouldn’t even go so far as RECOMMENDED, but it’s certainly an
> option.
>
>  — Justin
>
> On Apr 27, 2020, at 4:41 AM, Filip Skokan <panva.ip@gmail.com> wrote:
>
> I believe implementers should be free to devise their own URIs and not be
> locked down to one by the spec, at the same time,
> an RFC6755 subnamespace would be good for guidance.
>
> So, I would suggest it be RECOMMENDED to use e.g.
> `urn:ietf:params:oauth:request_uri:<random>` (Brian's proposal) but also
> that any URN or URL will do if the circumstances call for it.
>
> Best,
> *Filip*
>
>
> On Sun, 26 Apr 2020 at 17:20, Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
>
>> Hi all,
>>
>> another topic from last week’s virtual meeting.
>>
>> Shall there be guidance on the request URI structure?
>>
>> Please state your opinion.
>>
>> thanks in advance,
>> Torsten.
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>

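
Added example, not part of the thread or of any participant's implementation: a sketch of an AS that mints request URIs in the `urn:ietf:params:oauth:request_uri:<random>` form proposed above and accepts a value only if it issued that value itself, which is one way to meet the "local to the AS" requirement. The class name, the 60-second lifetime, the single-use rule and the client binding are assumptions made for illustration.

```python
import secrets
import time

# URN form proposed in the thread; the part after the prefix is random.
PREFIX = "urn:ietf:params:oauth:request_uri:"
LIFETIME_S = 60  # assumed lifetime, not a value from the thread


class RequestUriStore:
    """Hypothetical in-memory store of pushed authorization requests."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # request_uri -> (client_id, params, expiry)

    def push(self, client_id, params):
        # 32 bytes from the CSPRNG: an opaque handle that is unguessable
        # and encodes nothing about the request it refers to.
        uri = PREFIX + secrets.token_urlsafe(32)
        self._pending[uri] = (client_id, dict(params),
                              self._now() + LIFETIME_S)
        return uri

    def resolve(self, client_id, request_uri):
        # The value is only ever a lookup key. It is never dereferenced,
        # so a URL or URN minted by anyone else cannot stand in for it.
        if not request_uri.startswith(PREFIX):
            raise ValueError("request_uri was not issued by this AS")
        # pop() makes the handle single use; any presentation, including
        # a failed one, consumes it (fail closed).
        entry = self._pending.pop(request_uri, None)
        if entry is None:
            raise ValueError("unknown or already used request_uri")
        owner, params, expires = entry
        if owner != client_id:
            raise ValueError("request_uri was issued to another client")
        if self._now() > expires:
            raise ValueError("request_uri has expired")
        return params
```

An AS that chooses its own URI scheme instead of this URN can keep the same logic; only the prefix check changes.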