IETF Logo Mail Archive

Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-reg-09 - token_endpoint_auth_method

Sergey Beryozkin <sberyozkin@gmail.com> Thu, 25 April 2013 09:13 UTC

Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA46E21F8C08 for <oauth@ietfa.amsl.com>; Thu, 25 Apr 2013 02:13:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tc3q7oM6W8xc for <oauth@ietfa.amsl.com>; Thu, 25 Apr 2013 02:13:20 -0700 (PDT)
Received: from mail-ee0-f46.google.com (mail-ee0-f46.google.com [74.125.83.46]) by ietfa.amsl.com (Postfix) with ESMTP id 539D721F85F4 for <oauth@ietf.org>; Thu, 25 Apr 2013 02:13:20 -0700 (PDT)
Received: by mail-ee0-f46.google.com with SMTP id c13so1133015eek.5 for <oauth@ietf.org>; Thu, 25 Apr 2013 02:13:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=x-received:message-id:date:from:user-agent:mime-version:to:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=7TcF7M7XgYc5HFQjfAaWxz0UdkcKejKeFFgfmNXfYcc=; b=dC0FcIjB/oGQBnYqiFwFdWMPLqPcnlMjB8sGvGGgKcz3bBB35VwmBLUrHxlOj5nWGU jPhoGoZEk3FzBjnZlprjJQVXrugefFJQCuLraKGS4bnB5mjSikwIhvYWD71Nk+i9KrWr aZ3tKAK0hDXr6wSodEb2qavZu1PN0C9jAUirWcMDmM1bq7OFJUklgfVyQpbqucO0EGrq YfnH9+d9ex/x5y78CJO5aiV0sCTuNNHYAyTImj++VQPV+KbD0WSNPydTSeRxrDrJBmPh Kn4QEA0XLsych1Qf6eTyZaqXnfSadBabqgt9oEHwNclZrCiACSD53U2YsP3C0PP70Ueb 2a5w==
X-Received: by 10.14.173.71 with SMTP id u47mr37986213eel.24.1366881199500; Thu, 25 Apr 2013 02:13:19 -0700 (PDT)
Received: from [10.36.226.5] ([217.173.99.61]) by mx.google.com with ESMTPSA id f9sm9156479eeu.11.2013.04.25.02.13.18 for <oauth@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 25 Apr 2013 02:13:18 -0700 (PDT)
Message-ID: <5178F389.8030707@gmail.com>
Date: Thu, 25 Apr 2013 10:12:41 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120430 Thunderbird/12.0.1
MIME-Version: 1.0
To: oauth@ietf.org
References: <53250C00-9D1C-4E81-9AD6-E12241B875D9@oracle.com> <5178498B.3050406@mitre.org> <0E96125F-CFEC-4157-8A1E-3CFCA1C4D79F@oracle.com> <0C683171-29F6-47EA-A611-AB6394207353@ve7jtb.com> <E24D0C95-DBDF-430F-B8A7-FC4E67C255BD@oracle.com> <4E1F6AAD24975D4BA5B1680429673943676ABC64@TK5EX14MBXC284.redmond.corp.microsoft.com> <E670140C-68DA-4F42-BF98-EB9C22F86B68@oracle.com>
In-Reply-To: <E670140C-68DA-4F42-BF98-EB9C22F86B68@oracle.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Subject: Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-reg-09 - token_endpoint_auth_method
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2013 09:13:21 -0000

On 25/04/13 00:28, Phil Hunt wrote:
> Fair enough, but that doesn't make sense in this broader forum where
> discovery isn't assumed.
>
I guess it is true, I wonder, even with the discovery, would real world 
clients be able to choose from a list of the supported methods 
dynamically ? They are probably pre-configured to work with a specific 
method.

Sergey

> Phil
>
> On 2013-04-24, at 16:17, Mike Jones <Michael.Jones@microsoft.com
> <mailto:Michael.Jones@microsoft.com>> wrote:
>
>> What you’re missing is the part of the OpenID Connect flow where the
>> client first discovers the capabilities that the Server advertises. In
>> this case, it uses this discovery parameter:
>>
>> token_endpoint_auth_signing_alg_values_supported
>>
>> OPTIONAL. JSON array containing a list of the JWS signing algorithms
>> (algvalues) supported by the Token Endpoint for the private_key_jwtand
>> client_secret_jwtmethods to encode the JWT. Servers SHOULD support RS256.
>>
>> So in this use case, the client already knows what algorithms it can
>> choose from, and it makes the choice.
>>
>> Other OAuth flows could do the same thing, given either dynamic
>> discovery or a published algorithm list by the server.
>>
>> -- Mike
>>
>> *From:*oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org>
>> [mailto:oauth-bounces@ietf.org] *On Behalf Of *Phil Hunt
>> *Sent:* Wednesday, April 24, 2013 3:55 PM
>> *To:* John Bradley
>> *Cc:* oauth@ietf.org <mailto:oauth@ietf.org> WG
>> *Subject:* Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-reg-09 -
>> token_endpoint_auth_method
>>
>> Right and if the client wants a method not supported then what?
>>
>> Why can't the client offer up a list of methods it is able to support,
>> say in order of preference?
>>
>> The text appears to indicate only one value may be passed.
>>
>> Given the way it is written. It seems better to just have the server
>> say the client must do authn method X in the response.
>>
>> Phil
>>
>> @independentid
>>
>> www.independentid.com <http://www.independentid.com>
>>
>> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>>
>>
>>
>> On 2013-04-24, at 3:41 PM, John Bradley wrote:
>>
>>
>>
>> In Connect the AS may support a number of token endpoint
>> authentication methods. The reason to allow a client to register using
>> a particular one is to prevent downgrade attacks.
>>
>> If the client wants to always use an asymmetric signature you don't
>> want to allow attackers to use weaker methods like http basic.
>>
>> So a server may support any number of methods, but it is reasonable
>> for a client to specify which one it is going to use. In a closed
>> system that may not be that useful but in a open system where the AS
>> has a looser relationship to the client it is important.
>>
>> John B.
>>
>> On 2013-04-24, at 7:30 PM, Phil Hunt <phil.hunt@oracle.com
>> <mailto:phil.hunt@oracle.com>> wrote:
>>
>>
>>
>> Hmmm… what was the objective or use case for having the client being
>> able to choose in the first place?
>>
>> It seems to me that the AS will make a decision based on many factors.
>> As you say, there isn't any other place that enumerates the various
>> [authn] methods a client can use to access the token endpoint. So, why
>> do it?
>>
>> Phil
>>
>> @independentid
>>
>> www.independentid.com <http://www.independentid.com/>
>>
>> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>>
>>
>>
>> On 2013-04-24, at 2:07 PM, Justin Richer wrote:
>>
>>
>>
>> Seems reasonable to me, can you suggest language to add in the
>> capability? Would it require an IANA registry? Right now there isn't
>> any other place that enumerates the various methods that a client can
>> use to access the token endpoint.
>>
>> -- Justin
>>
>> On 04/24/2013 04:17 PM, Phil Hunt wrote:
>>
>>     For parameters to token_endpoint_auth_method, the spec has defined
>>     "client_secret_jwt" and "private_key_jwt". Shouldn't there be
>>     similar options of SAML?
>>
>>     Shouldn't there be an extension point for other methods?
>>
>>     Phil
>>
>>     @independentid
>>
>>     www.independentid.com <http://www.independentid.com/>
>>
>>     phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>>
>>
>>
>>
>>
>>     _______________________________________________
>>
>>     OAuth mailing list
>>
>>     OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>
>>     https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.19.0 | Report a Bug | By Email