Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
Torsten Lodderstedt <torsten@lodderstedt.net> Thu, 29 August 2013 05:42 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0955E21F9ED2 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 22:42:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.047
X-Spam-Level:
X-Spam-Status: No, score=-2.047 tagged_above=-999 required=5 tests=[AWL=0.201, BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TnLOH0P1EmLj for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 22:42:05 -0700 (PDT)
Received: from smtprelay04.ispgateway.de (smtprelay04.ispgateway.de [80.67.31.27]) by ietfa.amsl.com (Postfix) with ESMTP id 2A0CD21F85E0 for <oauth@ietf.org>; Wed, 28 Aug 2013 22:42:03 -0700 (PDT)
Received: from [80.187.101.96] (helo=[10.50.83.42]) by smtprelay04.ispgateway.de with esmtpsa (TLSv1:RC4-MD5:128) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1VEuzX-0002bq-Ii; Thu, 29 Aug 2013 07:42:00 +0200
User-Agent: K-9 Mail for Android
In-Reply-To: <0D768920-8000-4176-A55B-1B2BE9791E08@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2353.2030904@aol.com> <C7CBA9A2-92F5-4AE3-8AEE-1259B6635DD9@oracle.com> <521E256A.60908@aol.com> <9F232504-FC58-41FD-B040-31F898034AD2@oracle.com> <521E27BF.3030408@mitre.org> <5B2C7096-939A-4EA2-81FF-F15BDDFB7ABB@ve7jtb.com> <146ED1AF-DE42-4DF1-8DEC-7F82B4C91D07@oracle.com> <521E2B74.9080104@aol.com> <0D768920-8000-4176-A55B-1B2BE9791E08@oracle.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----X8C3ZSRBY3W6HBFJAJMAJFPRUR4G51"
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Thu, 29 Aug 2013 07:41:53 +0200
To: Phil Hunt <phil.hunt@oracle.com>, George Fletcher <gffletch@aol.com>
Message-ID: <c521a42d-d194-42c2-b1f6-eefd0c776532@email.android.com>
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Aug 2013 05:42:09 -0000
Authz server and resource server need to agree on a token format. The client never needs to interpret the token content. Since we are talking about clients, where is the connection? regards, Torsten. Phil Hunt <phil.hunt@oracle.com> schrieb: >I think many of the parameters in dyn reg need to be specified in the >statement -- the main change is we're moving dyn reg parameters into >the statement and locking them down between instances. It keeps >hackers from changing individual instances and it minimizes state in >per instance registration. > >The reason OAuth doesn't have to define token formats is they are >largely "local". Federated token scenarios (like UMA) obviously have >to have some OOB agreement on format. Given that registration in most >of these cases is federated, it seems appropriate to define these >assertions. (In the non-federated cases (e.g. like Google), they can do >registration using workflows with the developer directly.) > >Phil > >@independentid >www.independentid.com >phil.hunt@oracle.com > > > > > > > >On 2013-08-28, at 9:55 AM, George Fletcher <gffletch@aol.com> wrote: > >> OAuth has never specified anything regarding the format the "tokens" >that the AS has to accept and that's one of it's virtues. It allows for >many implementations from local only to federated. >> >> I fully believe there is value in defining profiles of OAuth for >particular problem domains that put restrictions on client_id format, >access_token format etc (e.g. the assertion set of specs). However, >those should be layered on top of OAuth as a profile and not be forced >into the core. Otherwise, we are forcing all implementations down a >much narrower path than is supported today. I definitely don't want to >see that happen. >> >> Thanks, >> George >> >> On 8/28/13 12:48 PM, Phil Hunt wrote: >>> You can pass anything as a client_id. It just has to be accepted. >That's the point of us writing a draft here isn't it? >>> >>> Phil >>> >>> @independentid >>> www.independentid.com >>> phil.hunt@oracle.com >>> >>> >>> >>> >>> >>> >>> >>> On 2013-08-28, at 9:45 AM, John Bradley <ve7jtb@ve7jtb.com> wrote: >>> >>>> That is my concern as well, sending an assertion to the >authorization endpoint requires a extension of OAuth to add another >parameter or placing it in the client_id which you can do now with the >dynamic reg spec if the AS wants to. >>>> >>>> Holding up client registration for something that will require an >extension to OAuth is overdoing it. We need something for the OAuth >spec we have now without requiring clients implement the assertion flow >and other extensions. >>>> >>>> John B. >>>> >>>> On 2013-08-28, at 12:39 PM, Justin Richer <jricher@mitre.org> >wrote: >>>> >>>>> The initial_access_token doesn't assume that it's from the local >domain. It merely assumes that the authorization server accepts the >token, which would be true in the UMA case due to the federation. It >could also be the exact same kinds of mechanisms that the software >statement would use to achieve federation. >>>>> >>>>> I still don't see how an auth server is going to know about a >client's configuration state with the assertion swap method, since >there's no defined mechanism for sending a JWT assertion to the >authorization endpoint. >>>>> >>>>> -- Justin >>>>> >>>>> On 08/28/2013 12:35 PM, Phil Hunt wrote: >>>>>> George, >>>>>> >>>>>> It would be reasonable for a client to submit an assertion, and >obtain its own client assertion in return. This is very close to what >is happening per 2.1, 2.2 of >http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-06 >>>>>> >>>>>> In this case, the Software Statement is an authorization that is >exchanged for a client assertion in return. Then the clients >authenticate per section 2.2 of the JWT spec. >>>>>> >>>>>> Regarding initial_access_token. This does have some of the >characteristics I am speaking of. But it is unspecified and the >assumption is that it is issued by the local domain. This doesn't work >in the UMA case because that's more like a federated model. Thus the >specified software statement works because the AS can approve the >client software based on name, and/or developer, and/or publisher -- >whatever trust requires. >>>>>> >>>>>> Phil >>>>>> >>>>>> @independentid >>>>>> www.independentid.com >>>>>> phil.hunt@oracle.com >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> On 2013-08-28, at 9:29 AM, George Fletcher <gffletch@aol.com> >wrote: >>>>>> >>>>>>> I can't say I understand what you mean by a simple assertion >swap... but if you are wanting to use a client_assertion flow instead >of the code flow then that's something completely different. If you are >saying that you want the client_id to represent an "instance" in a >stateless way using an "assertion" then that's already possible today. >>>>>>> >>>>>>> George >>>>>>> >>>>>>> On 8/28/13 12:23 PM, Phil Hunt wrote: >>>>>>>> George >>>>>>>> >>>>>>>> That case can be solved with a simple assertion swap. We just >have to profile it. >>>>>>>> >>>>>>>> Phil >>>>>>>> >>>>>>>> On 2013-08-28, at 9:20, George Fletcher <gffletch@aol.com> >wrote: >>>>>>>> >>>>>>>>> >>>>>>>>> On 8/28/13 12:02 PM, Phil Hunt wrote: >>>>>>>>>> Please define the all in one case. I think this is the edge >case and is in fact rare. >>>>>>>>>> >>>>>>>>>> I agree, in many cases step 1 can be made by simply approving >a class of software. But then step 2 is simplified. >>>>>>>>>> >>>>>>>>>> Dyn reg assumes every registration of an instance is unique >which too me is a very extreme >>>>>>>>> If you have a mobile app that needs to do the code flow... >which requires a client_secret in order to retrieve the access token >and refresh token, how does the app do this without per app instance >registration? >>>>>>>>> >>>>>>>>> I'd argue that almost all user facing mobile apps will want >the above flow and that's not a small, rare edge case. >>>>>>>>> >>>>>>>>> Thanks, >>>>>>>>> George >>>>>>>>>> position. >>>>>>>>>> >>>>>>>>>> Phil >>>>>>>>>> >>>>>>>>>> On 2013-08-28, at 8:41, Justin Richer <jricher@mitre.org> >wrote: >>>>>>>>>> >>>>>>>>>>> Except for the cases where you want step 1 to happen in >band. To me, that is a vitally and fundamentally important use case >that we can't disregard, and we must have a solution that can >accommodate that. The notions of "publisher" and "product" fade very >quickly once you get outside of the software vendor world. >>>>>>>>>>> >>>>>>>>>>> This is, of course, not to stand in the way of other >solutions or approaches (such as something assertion based like you're >after). It's not a one-or-the-other proposition, especially when there >are mutually exclusive aspects of each. >>>>>>>>>>> >>>>>>>>>>> Therefore I once again call for the WG to finish the current >dynamic registration spec *AND* pursue the assertion based process that >Phil's talking about. They're not mutually exclusive, let's please stop >talking about them like they are. >>>>>>>>>>> >>>>>>>>>>> -- Justin >>>>>>>>>>> >>>>>>>>>>> On 08/28/2013 11:17 AM, Phil Hunt wrote: >>>>>>>>>>>> Sorry. I meant also to say i think there are 2 registration >steps. >>>>>>>>>>>> >>>>>>>>>>>> 1. Software registration/approval. This often happens out >of band. But in this step policy is defined that approves software for >use. Many of the reg params are known here. >>>>>>>>>>>> >>>>>>>>>>>> Federation techniques come into play as trust approvals can >be based on developer, product or even publisher. >>>>>>>>>>>> >>>>>>>>>>>> 2. Each instance associates in a stateless way. Only >clients that need credential rotation need more. >>>>>>>>>>>> >>>>>>>>>>>> Phil >>>>>>>>>>>> >>>>>>>>>>>> On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> >wrote: >>>>>>>>>>>> >>>>>>>>>>>>> I have a conflict I cannot get out of for 2pacific. >>>>>>>>>>>>> >>>>>>>>>>>>> I think a certificate based approach is going to simplify >exchanges in all cases. I encourage the group to explore the concept on >the call. >>>>>>>>>>>>> >>>>>>>>>>>>> I am not sure breaking dyn reg up helps. It creates yet >another option. I would like to explore how federation concept in >software statements can help with facilitating association and making >many reg stateless. >>>>>>>>>>>>> >>>>>>>>>>>>> Phil >>>>>>>>>>>>> >>>>>>>>>>>>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - >FI/Espoo)" <hannes.tschofenig@nsn.com> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>>> Here are the conference bridge / Webex details for the >call today. >>>>>>>>>>>>>> We are going to complete the use case discussions from >last time (Phil wasn't able to walk through all slides). Justin was >also able to work out a strawman proposal based on the discussions last >week and we will have a look at it to see whether this is a suitable >compromise. Here is Justin's mail, in case you have missed it: >http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html >>>>>>>>>>>>>> >>>>>>>>>>>>>> Phil, please feel free to make adjustments to your slides >given the Justin's recent proposal. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Topic: OAuth Dynamic Client Registration >>>>>>>>>>>>>> Date: Wednesday, August 28, 2013 >>>>>>>>>>>>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco, >GMT-07:00) >>>>>>>>>>>>>> Meeting Number: 703 230 586 >>>>>>>>>>>>>> Meeting Password: oauth >>>>>>>>>>>>>> >>>>>>>>>>>>>> ------------------------------------------------------- >>>>>>>>>>>>>> To join the online meeting >>>>>>>>>>>>>> ------------------------------------------------------- >>>>>>>>>>>>>> 1. Go to >https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0 >>>>>>>>>>>>>> 2. Enter your name and email address. >>>>>>>>>>>>>> 3. Enter the meeting password: oauth >>>>>>>>>>>>>> 4. Click "Join Now". >>>>>>>>>>>>>> >>>>>>>>>>>>>> To view in other time zones or languages, please click >the link: >>>>>>>>>>>>>> >https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0 >>>>>>>>>>>>>> >>>>>>>>>>>>>> To add this meeting to your calendar program (for example >Microsoft Outlook), click this link: >>>>>>>>>>>>>> >https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0 >>>>>>>>>>>>>> >>>>>>>>>>>>>> ------------------------------------------------------- >>>>>>>>>>>>>> To join the teleconference only >>>>>>>>>>>>>> ------------------------------------------------------- >>>>>>>>>>>>>> Global dial-in Numbers: >http://www.nokiasiemensnetworks.com/nvc >>>>>>>>>>>>>> Conference Code: 944 910 5485 >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>>> OAuth mailing list >>>>>>>>>>>>>> OAuth@ietf.org >>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>> OAuth mailing list >>>>>>>>>>>>> OAuth@ietf.org >>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>> OAuth mailing list >>>>>>>>>>>> OAuth@ietf.org >>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>>>>>> _______________________________________________ >>>>>>>>>> OAuth mailing list >>>>>>>>>> OAuth@ietf.org >>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> <XeC> >>>>>>> >>>>>>> -- >>>>>>> <XeC.png> >>>>>> >>>>> >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> >> -- >> <XeC.png> > > > >------------------------------------------------------------------------ > >_______________________________________________ >OAuth mailing list >OAuth@ietf.org >https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Dynamic Client Registration Conference… Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Phil Hunt
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Phil Hunt
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Justin Richer
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Anthony Nadalin
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Justin Richer
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Anthony Nadalin
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Phil Hunt
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Justin Richer
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Justin Richer
- Re: [OAUTH-WG] Dynamic Client Registration Confer… George Fletcher
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Phil Hunt
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Phil Hunt
- Re: [OAUTH-WG] Dynamic Client Registration Confer… George Fletcher
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Anthony Nadalin
- Re: [OAUTH-WG] Dynamic Client Registration Confer… George Fletcher
- Re: [OAUTH-WG] Dynamic Client Registration Confer… George Fletcher
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Sergey Beryozkin
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Phil Hunt
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Sergey Beryozkin
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Justin Richer
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Justin Richer
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Phil Hunt
- Re: [OAUTH-WG] Dynamic Client Registration Confer… George Fletcher
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Phil Hunt
- Re: [OAUTH-WG] Dynamic Client Registration Confer… John Bradley
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Justin Richer
- Re: [OAUTH-WG] Dynamic Client Registration Confer… George Fletcher
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Phil Hunt
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Justin Richer
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Phil Hunt
- Re: [OAUTH-WG] Dynamic Client Registration Confer… George Fletcher
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Anthony Nadalin
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Phil Hunt
- Re: [OAUTH-WG] Dynamic Client Registration Confer… George Fletcher
- Re: [OAUTH-WG] Dynamic Client Registration Confer… George Fletcher
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Donald F Coffin
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Brian Campbell
- Re: [OAUTH-WG] Dynamic Client Registration Confer… Torsten Lodderstedt
- [OAUTH-WG] Fwd: Re: Dynamic Client Registration C… Torsten Lodderstedt