Re: [OAUTH-WG] PAR metadata
Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 31 December 2019 16:07 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D8B0120043 for <oauth@ietfa.amsl.com>; Tue, 31 Dec 2019 08:07:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zOrTLU26soUz for <oauth@ietfa.amsl.com>; Tue, 31 Dec 2019 08:07:07 -0800 (PST)
Received: from mail-wm1-x329.google.com (mail-wm1-x329.google.com [IPv6:2a00:1450:4864:20::329]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F3CC120013 for <oauth@ietf.org>; Tue, 31 Dec 2019 08:07:07 -0800 (PST)
Received: by mail-wm1-x329.google.com with SMTP id p9so2163412wmc.2 for <oauth@ietf.org>; Tue, 31 Dec 2019 08:07:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=ALDhCn/vhUyXP6DLQpN5OyYomFTNjCueSuZjpIt8Mng=; b=nkRPRSIfl0HvB+gPKHy1gxbmT0JbMX+WifKmEodUzI22v4rKeoAzcny1JFfr7J9bBk W7I0jCcoB695X4SSjSAKwcJSXqu2SysHurYYh1slspNd3fk+KtBTzZ7wZ3FTy+uFJJtL 3CTXMUXsIrBOtn4G87SB8p3IuM2+OaaAaDwkvQf6XYPCMKHVqIAdwiE6tXrI9o88UoI3 jLY9uaQTUrI8V6cjKRZg0N4/9H9RKVkcAx7swWxHP96yobB0zJqmpX/QyyjAyx1zsBOK o8y4lgzxyMuFMT2qmYfsQwm6i3JoeaDO9sqzWyWnPT5sjLwCxFk7lMutji1tqIYeqRfk dz6g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=ALDhCn/vhUyXP6DLQpN5OyYomFTNjCueSuZjpIt8Mng=; b=irSwDblccohM7EotR937cIyRzrwJdLl0vkHq6S1awbTDW/cmCcxeEK0/jP9QmtRJq8 w15gUm6y5/SB37XKniksE7TkDRZsi6e2ZHU4i5eXrYVoCNmaUZCsgFY/i4sNWC9qU3+h /xCnxaRFohqYK834jqQtj9g+J6eU0Tyifqf7vWX6HhFSgyifzS/isZPNB+KbWRiBBzva +yqAV8FR1ymGl+uRToeBUTcheX5mpKOhqGVsI6e2B1MnwNxjOmHAhiaGWtSED4To24pV m+LITj98agQTmWVdW4zHokVIfJdUjNPoC1SpZX22OhU65wgg4QQu5kaXKy+pEI1qrbLI mXYg==
X-Gm-Message-State: APjAAAUIfyN1iP1boPopNH31T7axtx+l0UQ/sjKi5/ESpSo9LVx1GBds j7ZJFa6dN4Z9VEq1TPT6TITL4Q==
X-Google-Smtp-Source: APXvYqzWjBA1viO4KSQSy0xxXjypQs4XhR8wrXE/Cdi6G+fQrpl+EL0K2CNIwGmWpVX0vxlp+gAOVg==
X-Received: by 2002:a1c:3187:: with SMTP id x129mr4998602wmx.91.1577808425531; Tue, 31 Dec 2019 08:07:05 -0800 (PST)
Received: from p200300eb8f1a50e4853495bb51a8296f.dip0.t-ipconnect.de (p200300EB8F1A50E4853495BB51A8296F.dip0.t-ipconnect.de. [2003:eb:8f1a:50e4:8534:95bb:51a8:296f]) by smtp.gmail.com with ESMTPSA id n189sm2975154wme.33.2019.12.31.08.07.04 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 31 Dec 2019 08:07:04 -0800 (PST)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <876D534C-66FE-41A4-8101-619B0A4915AF@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_C878A8E2-34D7-425E-AB4D-E7A9F7E5D435"; protocol="application/pkcs7-signature"; micalg="sha-256"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.40.2.2.4\))
Date: Tue, 31 Dec 2019 17:06:33 +0100
In-Reply-To: <CA+k3eCR156BLMkqFXAWU3vKfJbdUtKer36Yz9525hf4nVOGL0Q@mail.gmail.com>
Cc: Filip Skokan <panva.ip@gmail.com>, oauth <oauth@ietf.org>, Dave Tonge <dave.tonge@moneyhub.com>, Nat Sakimura <nat@sakimura.org>, Roland Hedberg <roland@catalogix.se>
To: Brian Campbell <bcampbell@pingidentity.com>
References: <E1C4F217-8A9F-4E26-A488-C17D741C1D34@lodderstedt.net> <CALAqi_-J6vUSc11V1L2L+tGfZEjqdya6R0rqV-kxiM2NoFb0Zw@mail.gmail.com> <CA+k3eCR156BLMkqFXAWU3vKfJbdUtKer36Yz9525hf4nVOGL0Q@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.40.2.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/SU1aGaIT4UqwRBL_R3A-nRfJkqE>
Subject: Re: [OAUTH-WG] PAR metadata
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Dec 2019 16:07:09 -0000
wfm Have a great new year! > On 31. Dec 2019, at 16:55, Brian Campbell <bcampbell@pingidentity.com> wrote: > > Yeah, I agree. The insights in that comment Filip referenced (copied below) are very very wise and explain why we should not define pushed_authorization_endpoint_auth_methods_supported and > pushed_authorization_endpoint_auth_signing_alg_values_supported metadata. > > > There's some historical weirdness to how client authentication has come to be represented (and named) in metadata. Client registration metadata has only a token_endpoint_auth_method, which despite the name has become the de facto place in the client data model to say how the client will authenticate to the AS when making any direct client -> AS call. The parameter name is a bit unfortunate but I believe it makes sense to have a single (backchannel) authentication method per client. RFC 8414 took a different direction and has revocation_endpoint_auth_methods_supported and introspection_endpoint_auth_methods_supported etc., which I believe was a mistake. I don't see a clear use case for needing or allowing a different set of auth methods for the different endpoints. And having a bunch of _supported parameters for different endpoints seems likely to clutter up the metadata document with a bunch of redundant info. > > I'd propose that some text be added into CIBA core that says that, for the backchannel authentication endpoint, the AS supports the same client authentication methods as indicated with token_endpoint_auth_methods_supported. And state that, for a client, the token_endpoint_auth_method is the authentication method registered for its client_id regardless of the endpoint being called. > > > On Tue, Dec 31, 2019 at 8:22 AM Filip Skokan <panva.ip@gmail.com> wrote: > I don't think we need a *_auth_method_* metadata for every endpoint the client calls directly, none of the new specs defined these (e.g. device authorization endpoint or CIBA), meaning they also didn't follow the scheme from RFC 8414 where introspection and revocation got its own metadata. In most cases the unfortunately named `token_endpoint_auth_method` and its related metadata is what's used by clients for all direct calls anyway. > > The same principle could be applied to signing (and encryption) algorithms as well. > > This I do not follow, auth methods and their signing is dealt with by using `token_endpoint_auth_methods_supported` and `token_endpoint_auth_signing_alg_values_supported` - there's no encryption for the `_jwt` client auth methods. > Unless it was meant to address the Request Object signing and encryption metadata, which is defined and IANA registered by OIDC. PAR only references JAR section 6.1 and 6.2 for decryption/signature validation and these do not mention the metadata (e.g. request_object_signing_alg) anymore since draft 07. > > PS: I also found this comment related to the same question about auth metadata but for CIBA. > > Best, > Filip > > > On Tue, 31 Dec 2019 at 15:38, Torsten Lodderstedt <torsten@lodderstedt.net> wrote: > Hi all, > > Ronald just sent me an email asking whether we will define metadata for > > pushed_authorization_endpoint_auth_methods_supported and > pushed_authorization_endpoint_auth_signing_alg_values_supported. > > The draft right now utilises the existing token endpoint authentication methods so there is basically no need to define another parameter. The same principle could be applied to signing (and encryption) algorithms as well. > > What’s your opinion? > > best regards, > Torsten. > > CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metada… Vladimir Dzhuvinov
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metada… Vladimir Dzhuvinov
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metada… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metada… Filip Skokan
- [OAUTH-WG] PAR metadata Torsten Lodderstedt
- Re: [OAUTH-WG] PAR metadata Filip Skokan
- Re: [OAUTH-WG] PAR metadata Brian Campbell
- Re: [OAUTH-WG] PAR metadata Torsten Lodderstedt
- Re: [OAUTH-WG] PAR metadata Torsten Lodderstedt
- Re: [OAUTH-WG] PAR metadata Richard Backman, Annabelle
- Re: [OAUTH-WG] PAR metadata Vladimir Dzhuvinov
- Re: [OAUTH-WG] PAR metadata Brian Campbell
- Re: [OAUTH-WG] PAR metadata Neil Madden
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metada… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: [UNVERIFIE… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: [UNVERIFIE… Torsten Lodderstedt
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: [UNVERIFIE… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metada… Justin Richer
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: [UNVERIFIE… Justin Richer