IETF Logo Mail Archive

Re: [OAUTH-WG] Product Support for RFC8414 well-known URIs

Filip Skokan <panva.ip@gmail.com> Mon, 08 June 2020 09:52 UTC

Return-Path: <panva.ip@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 065353A0837 for <oauth@ietfa.amsl.com>; Mon, 8 Jun 2020 02:52:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pPVXrswmrrBI for <oauth@ietfa.amsl.com>; Mon, 8 Jun 2020 02:52:53 -0700 (PDT)
Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 326A93A082D for <oauth@ietf.org>; Mon, 8 Jun 2020 02:52:53 -0700 (PDT)
Received: by mail-ed1-x532.google.com with SMTP id p18so12876691eds.7 for <oauth@ietf.org>; Mon, 08 Jun 2020 02:52:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=gD0mxdjfjiWJJQQPr4ruxX0VOYOhrWYD+TAzdFMJWr8=; b=kzH2AvsG0MH5mhXlxK5Gdw12vtEwB1SwpU0q5/egq9Z7LAu0Sq3sjiHI6VNI7V/i57 8ZxXIZNwqeWepRBc9KFbJpMiyLmH4M221jFLACcCymr1liAwCf8lzQK3Rt4VAw7F/I1g nG7VMDRgTK3ixcbGeuAx3zeHTNBe13GDBqIEGtkHk7mNfSOTBT60k0/L51lDCA7urxgo k2FvrqHc+Padg0r2uvCTsk3PhGgMud5LfFEB7zvk8XLiQDKvVolhYWTCYhj+yN+jsuxB x4ps8edvvSj/kByTZL6XLqTrBaN33rah1NPXwuPdsm8c3Cie5ckvehzbBO9YHk3sErSO MgpQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=gD0mxdjfjiWJJQQPr4ruxX0VOYOhrWYD+TAzdFMJWr8=; b=SjeGaCGoKQi2swOJAmPZCarOFV/vDPSTci4WWSi9A9n4wA2767EonJFVwVFxpp7Iea 70ELcUceapsM0bDkUzNrLQ0FkGNgbgSjwhFX2SMXMtRdbxMq4HCC7EyDvIo8F9bgTQ/6 tP2mh7R+bB/DS+9st7Ac9so8sc2bApT5H121Toi9ViQ5IXi42ACejCti5y31HsLwXc9J 8FOFVdtFT6XBLHQiLWcL+BvHJ7UflJIbqpKxB9bJv51s6m96k2PMPFYkPlkYr1xuqtSC OWzC+1j4tXf4+GqmrG6cH32pweOHFdEZ9Ir5e8jU2bIq6TajzrT0a3tmeVEFo1G1KuND LnyQ==
X-Gm-Message-State: AOAM532xp4WvF1w+p/YbGCrQJ2+7IJ6+oy//s+jgfgVlWI4GVqC1zMVc 58T4fpLjbz9PcIby7oZv1g==
X-Google-Smtp-Source: ABdhPJxB2qh4hXqU1LmDxjxgYYEI2zYy0pPIn5WWQKagVnnPnd5FresSYhgl45i2z11BTioPXKLS9Q==
X-Received: by 2002:aa7:de08:: with SMTP id h8mr20609043edv.164.1591609970231; Mon, 08 Jun 2020 02:52:50 -0700 (PDT)
Received: from [100.66.206.216] (ip-37-188-244-216.eurotel.cz. [37.188.244.216]) by smtp.gmail.com with ESMTPSA id t12sm10409693eje.21.2020.06.08.02.52.49 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 08 Jun 2020 02:52:49 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-5926357B-A10E-4754-83CE-CAB98EF5534B"
Content-Transfer-Encoding: 7bit
From: Filip Skokan <panva.ip@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Mon, 08 Jun 2020 11:52:48 +0200
Message-Id: <FACA0C56-8718-4511-B2A2-3F3D701EB841@gmail.com>
References: <67566E39-B76A-4CC4-8C41-9514126E72DD@gmail.com>
Cc: oauth@ietf.org
In-Reply-To: <67566E39-B76A-4CC4-8C41-9514126E72DD@gmail.com>
To: Daniel Fett <fett@danielfett.de>
X-Mailer: iPhone Mail (17F75)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/SnPJDByj7PZO622TugPkaZiGgss>
Subject: Re: [OAUTH-WG] Product Support for RFC8414 well-known URIs
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jun 2020 09:52:55 -0000

Preemptive send, sorry. That question was not clear from your text to me. 

When it comes to client’s discovery, at least my software does the following - when issuer is passed in it does oidc’s well known (openid-configuration) as a suffix and 8414’s well known (oauth-authorization-server) as an infix. According to both specs. Whichever returns first gets used as they as far as i can tell should be aliases. 

When discovery is performed with a URL that contains the keyword well-known, it just fetches that resource directly. 

This way the software is working as intended for conform ASs’ and developers can still use the non conform ones by passing the well known location directly.

Odesláno z iPhonu

> 8. 6. 2020 v 11:47, Filip Skokan <panva.ip@gmail.com>:
> 
> That question was not clear from your text, you 
> 
> Odesláno z iPhonu
> 
>> 8. 6. 2020 v 11:15, Daniel Fett <fett@danielfett.de>:
>> 
>> 
>> Hi Filip,
>> 
>> Thanks for your answers!
>> 
>> I'm not quite sure if the wording in my question was clear: My main concern is the difference between https://example.com/some/path/.well-known/oauth-authorization-server and https://example.com/.well-known/oauth-authorization-server/some/path, i.e., the usage of the well-known URI as a postfix or as an infix. 
>> 
>> Am 08.06.20 um 09:54 schrieb Filip Skokan:
>>> Some products publish both, but they don’t always return the same content, eventho as far as i can tell they should be aliases. 
>>> The uri normalization of 8414 is also implemented wrong in some cases, since it differs from OIDC as far as issuer path component is concerned.
>> This is where I'm not sure whether all products follow RFC8414 and properly use the well-known part as an infix.
>>> 
>>> I find it best for AS to have just one or both with the same content, client software doing discovery can check both locations. 
>> That would be the safe implementation, but I was wondering if prescribing this is a good choice for an ecosystem. That would mean that all authorization servers in the ecosystem would need to implement both https://example.com/some/path/.well-known/oauth-authorization-server and https://example.com/.well-known/oauth-authorization-server/some/path. Even if it is only an alias this could mean a considerable overhead for some implementations.
>> 
>> -Daniel
>> 
>>> 
>>> Odesláno z iPhonu
>>> 
>>>> 8. 6. 2020 v 9:46, Daniel Fett <fett@danielfett.de>:
>>>> 
>>>> 
>>>> Hi all,
>>>> 
>>>> RFC8414 says that the URI where the OAuth metadata document is published is
>>>> 
>>>> formed by inserting a well-known URI string into the authorization
>>>>    server's issuer identifier between the host component and the path
>>>>    component, if any.  By default, the well-known URI string used is
>>>>    "/.well-known/oauth-authorization-server".
>>>> 
>>>> I found that some OAuth servers and clients instead follow the convention used by OpenID Connect, where the suffix "/.well-known/openid-configuration" (or "/.well-known/oauth-authorization-server") is appended to the issuer URL.
>>>> 
>>>> Is this a common deviation from the spec? 
>>>> 
>>>> Do you know how specific products handle this? 
>>>> 
>>>> Does it make sense to serve the metadata document from both locations?
>>>> 
>>>> -Daniel
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> -- 
>> https://danielfett.de

v2.23.0 | Report a Bug | By Email