IETF Logo Mail Archive

Re: [OAUTH-WG] Extensibility for OAuth?

Eran Hammer-Lahav <eran@hueniverse.com> Fri, 25 June 2010 18:00 UTC

Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B6A773A681E for <oauth@core3.amsl.com>; Fri, 25 Jun 2010 11:00:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.213
X-Spam-Level:
X-Spam-Status: No, score=-2.213 tagged_above=-999 required=5 tests=[AWL=0.386, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id byJhautpw92o for <oauth@core3.amsl.com>; Fri, 25 Jun 2010 11:00:16 -0700 (PDT)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by core3.amsl.com (Postfix) with SMTP id D4A2428C16B for <oauth@ietf.org>; Fri, 25 Jun 2010 11:00:14 -0700 (PDT)
Received: (qmail 7208 invoked from network); 25 Jun 2010 18:00:23 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.19) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 25 Jun 2010 18:00:22 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.20]) by P3PW5EX1HT001.EX1.SECURESERVER.NET ([72.167.180.19]) with mapi; Fri, 25 Jun 2010 11:00:08 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>, OAuth WG <oauth@ietf.org>
Date: Fri, 25 Jun 2010 10:59:50 -0700
Thread-Topic: Extensibility for OAuth?
Thread-Index: AcsSmmOz8+Jt3DWXRJyOV1i4UkJelAB9HoEA
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72343B3EC84973@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <3D3C75174CB95F42AD6BCC56E5555B4502BE07CC@FIESEXC015.nsn-intra.net>
In-Reply-To: <3D3C75174CB95F42AD6BCC56E5555B4502BE07CC@FIESEXC015.nsn-intra.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Extensibility for OAuth?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Jun 2010 18:00:18 -0000

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Tschofenig, Hannes (NSN - FI/Espoo)
> Sent: Tuesday, June 22, 2010 11:08 PM
> To: OAuth WG
> Subject: [OAUTH-WG] Extensibility for OAuth?
> 
> Hi Eran,
> Hi all,
> 
> I briefly browsed through the -08 version of the draft to figure out what
> could be written about extensibility. Here are a few thoughts:
> 
> - Client Profiles
> 
> This is probably the most important item were people will want to write
> extensions for. Currently, we have the following onces in the document:
>   1) Web Server
>   2) User Agent
>   3) Native Application
>   4) Autonomous
>   Note that the actual profile identifiers aren't clearly listed in the document
> at the moment (or are inconsistent, such as "user_agent" and "user-agent"
> for the user agent profile).

Profiles are not normative language, they are just examples of the authorization and token endpoints can be used (profiled) for particular use cases (the most common ones). This is why this has been moved to the introduction. Instead, the spec now talks about grant types, providing three primary types (user basic credentials, authorization code obtained from the authorization endpoint, and assertion). The assertion type is the generic extension point using a URI-formatted assertion type (which does not require a registry).

I would rather limit the ability to extend the two endpoints beyond their current architecture, and instead, allow others to specify new endpoints (e.g. a device endpoint for getting an authorization code without using browser redirection) that work in addition to the token endpoint (using an existing grant type or assertion).

> We would want IANA to register them and then we need to list under what
> conditions new profiles can be added, or existing onces updated/deleted.
> RFC 5226 defines some typical policies, see
> http://tools.ietf.org/html/rfc5226.
> We probably want the policy "RFC Required". When people write new
> profiles we want them to provide a description about the use case, maybe an
> example, we want them to discuss security, and  we definitely want to
> ensure that the overall write is consistent with the base specification (such as
> with the registry parameters it defines). The reviews would ensure that
> existing profile do not in fact already provide the functionality of the newly
> defined profile. Note that "RFC Required"
> does not require a Standards Track RFC; an Informational or an Experimental
> RFC is already sufficient. Those are less difficult to get published but they still
> provide a stable reference.

I think Specification Required is better for most registries.

> - Error Codes
> 
> The document lists error codes in Section 3.1 and Section 4.3. I suspect that
> they are not from the same pool of error codes.
> 
> My question is whether some of the error codes are very specific to the
> profiles themselves or rather generic in nature.

I'm working to clean up errors in -09.

> - Grant Type
> 
> The Grant Type (grant_type) is described in Section 4. Currently, there are 5
> values defines ("authorization_code", "user_basic_credentials", "assertion",
> "refresh_token", "none") and I assume that the list should be extensible
> (even though the text currently says something else at the moment).
> 
> Are there specific requirements that must be met in order to register new
> grant types?

I would rather not allow for new grant types. I think the assertion type offers as much extensibility as needed. However, I am going to propose we allow extension parameters to both endpoints.

> - Assertion Type
> 
> Section 4.1.3 defines the assertion type ("assertion_type"). The text
> indicates that the content is an absolute URI and as such it is a bit different to
> the other value encodings we have seen previously.
> Nevertheless, the question is whether some folks want to write
> standardized templates for assertions, such as a specific form of SAML
> assertion. This could help interoperability a lot, I believe. The solution is still
> to have a URI but to define an IANA managed space for IETF standardized
> assertion types. Such a style is btw common.

I am not sure this is needed. URIs provide name collision protection. Beyond that, people should write specs as needed.

EHL

v2.40.3 | Report a Bug | By Email | System Status