Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-dyn-reg-28: (with DISCUSS and COMMENT)
Justin Richer <jricher@mit.edu> Fri, 24 April 2015 12:30 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 977661B2CA2; Fri, 24 Apr 2015 05:30:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XejhRnxtJ0tH; Fri, 24 Apr 2015 05:30:50 -0700 (PDT)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0329C1B2CEB; Fri, 24 Apr 2015 05:30:49 -0700 (PDT)
X-AuditID: 12074425-f79ca6d000000e5e-6d-553a377877a0
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-8.mit.edu (Symantec Messaging Gateway) with SMTP id 85.67.03678.8773A355; Fri, 24 Apr 2015 08:30:48 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id t3OCUlOV010740; Fri, 24 Apr 2015 08:30:48 -0400
Received: from [192.168.128.56] (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t3OCUj8G013062 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Fri, 24 Apr 2015 08:30:46 -0400
Message-ID: <553A376A.1070806@mit.edu>
Date: Fri, 24 Apr 2015 08:30:34 -0400
From: Justin Richer <jricher@mit.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
References: <20150424115205.3265.73381.idtracker@ietfa.amsl.com> <553A3289.2000401@cs.tcd.ie> <553A34FE.8@mit.edu> <553A35E4.1000904@cs.tcd.ie>
In-Reply-To: <553A35E4.1000904@cs.tcd.ie>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpnleLIzCtJLcpLzFFi42IR4hTV1q0wtwo1OLtS12Laz9dsFjP+TGS2 uD13JZvFybev2Cym773G7sDqsbb7KpvHkiU/mQKYorhsUlJzMstSi/TtErgy7v3+zl7wxrCi Y15MA+MMjS5GTg4JAROJxmetbBC2mMSFe+uBbC4OIYHFTBL7l59jB0kICWxklFh4LQsicZtJ 4tq1hSwgCV4BNYnvU4+AdbMIqErcfbQSzGYDsqevaWECsUUFoiQmfj0EVS8ocXLmEzBbRMBT 4mHfKTCbWcBHonfaZbB6YYE8iY5DXVBX9DNKPLz+GayIU0BT4suiGUwQDWYS8zY/ZIaw5SW2 v53DPIFRcBaSHbOQlM1CUraAkXkVo2xKbpVubmJmTnFqsm5xcmJeXmqRroVebmaJXmpK6SZG UHizu6juYJxwSOkQowAHoxIP74w5lqFCrIllxZW5hxglOZiURHk7paxChfiS8lMqMxKLM+KL SnNSiw8xSnAwK4nwPjMAyvGmJFZWpRblw6SkOViUxHk3/eALERJITyxJzU5NLUgtgsnKcHAo SfBqmAE1ChalpqdWpGXmlCCkmTg4QYbzAA2fB1LDW1yQmFucmQ6RP8WoKCXOOwMkIQCSyCjN g+uFpZ9XjOJArwjz5oBU8QBTF1z3K6DBTECDZy61ABlckoiQkmpgZLlUO4lD/8ivBVs/On58 enPzzapd9QlTw1bc/qZkZ9j6gpHryMq2W3YsXsfFrnTvXve34h/L0Wr77fwr5qxS47N19pHO dbjJH7D88W7BhUmNtassBEqOzFvDdt3fSrpA2a/B7QHf+yfnfNyC0zmazO9envoj6frZC4d3 56h3P/nKx2fEkfPBR4mlOCPRUIu5qDgRANGJmZ4aAwAA
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/StxhqwkRy_bBxAG3jXcQ9lXBeLo>
Cc: draft-ietf-oauth-dyn-reg@ietf.org, oauth-chairs@ietf.org, oauth@ietf.org
Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-dyn-reg-28: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Apr 2015 12:30:52 -0000
On 4/24/2015 8:24 AM, Stephen Farrell wrote: > > On 24/04/15 13:20, Justin Richer wrote: >> Stephen, thanks for the comments. >> >> We discussed but decided to stop short of a full back-and-forth >> multi-trip information negotiation protocol in order to keep things as >> simple as possible for the simple case. The model here is that the >> client *requests* a certain set of information in the registration, and >> the server *dictates* to the client what actually occurred. This is to >> allow sensible defaults for blank fields, and other mechanisms like >> that. Instead of just saying "no", the server here has an opportunity to >> do something slightly reasonable. It's up to the client if it agrees >> with the reasonableness, and most clients (in my experience) are going >> to be super dumb and just do what they're told by the server if they're >> able to. If they're unable to, they'll just fail to use the OAuth >> protocol with that AS and users will complain (rightly) of an >> incompatibility bug. A smarter client can try to re-register and see if >> that works instead, but the vast majority of OAuth clients are really >> dumb (by design). >> >> However, there's a bit more to the story: As it turns out, when coupled >> with the management protocol and a discovery mechanism, you actually can >> do more of a negotiated registration with the existing mechanism: client >> says "I want foo", server says "you get bar", client sends an UPDATE >> that says "can I have baz instead?", and so forth. Without the update >> mechanism, you don't have a way to tie one registration request to a >> subsequent one. If you've got server capability discovery (such as is >> defined in OpenID Connect and still-ignored by this working group) then >> you've got the ability for a smart client to see which values might work >> ahead of time. This gets a little tricky with values that have >> relationships (such as grant_types and response_types), but it's still >> workable when they've got well-defined relationships (as is required in >> the Dyn Reg spec). >> >> So it really is out of scope for us to say what the client does when it >> gets information back it doesn't want: it can ignore it, fail on it, or >> use it. With management and discovery, it can try to re-negotiate, but >> that's a fairly sophisticated behavior. > So could we just point at the relevant specs for that behaviour? > (Not normatively, and I don't care if they're not RFCs.) > > S. OK, so are you asking for something like: "If the server supports an update mechanism such as [Dyn-Reg-Management] and a discovery mechanism such as [OIDC-Discovery], then a smart client could use these components to renegotiate undesirable metadata values." With both of these being informative references? I'm not opposed to it. -- Justin > >> Hope this helps, >> -- Justin >> >> On 4/24/2015 8:09 AM, Stephen Farrell wrote: >>> So this is to follow up on my discuss point#2, which said: >>> >>> (2) If the response (defined in 3.2.1) includes metadata that >>> the server has altered, but that the client doesn't like, then >>> what does the client do? (It may be that that's ok, but I'm >>> not following why that is the case.) I'm also not sure the >>> "https" requirement (1st bullet in section 5) is useful there. >>> >>> In -28 you added a bit of text to 3.2.1. saying: >>> >>> "The client or developer can check the values in the response to >>> determine if the registration is sufficient for use (e.g., the >>> registered "token_endpoint_auth_method" is supported by the client >>> software) and determine a course of action appropriate for the client >>> software. The response to such a situation is out of scope for this >>> specification but could include filing a report with the application >>> developer or authorization server provider." >>> >>> That new text may be fine, but I'd like to check that I >>> understand it correctly and that it addresses the issue >>> sensibly. >>> >>> Say I'm a developer who writes and distributes a client >>> that uses this and I test it with the BIGreg.example.com >>> registration endpoint and it works, but for my application >>> to work I need a specific token_endpoint_auth_method, say >>> client_secret_basic. >>> >>> Say time passes, and we discover that client_secret_basic >>> is bad for some reason and client_secret_supergood is >>> invented and gets used a lot. >>> >>> At that point BIGreg.example.com would like to turn off >>> the (now-crappy) client_secret_basic and only allow use >>> of client_secret_supergood. If it does that, then new >>> installs of our application will fail at registration >>> time with an (opaque) error to the human user and we >>> need the application developer to do an update to add >>> client_secret_supergood. >>> >>> Or, what seems more likely is that BIGreg.example.com >>> will have to keep offering the now insecure >>> client_secret_basic until essentially no interesting >>> applications remain that don't support the new, better >>> thing. And that's the bit I don't like so much. >>> >>> This spec could (maybe, I'm not 100% sure) have been >>> written to allow for the client and registration endpoint >>> to first try to use the new better things and, if that >>> doesn't work, to try fallback to the old not so good >>> things, but that is not supported here afaics - once >>> the client sees response metadata it doesn't like, >>> there's no way for the client to say "bummer, I'd have >>> been fine if only you'd said foo and not bar, can we >>> try register again and use foo?" >>> >>> And I also don't see how the client who is really stuck >>> can tell the registration endpoint "actually, I'm not >>> successfully registered because your said bar and I don't >>> like that bit of metadata" - won't that lead to our >>> BIGreg.example.com ending up with a misleading picture >>> of what clients were successfully registered? >>> >>> So my question is: is all that really ok, or am I confused >>> in the above? (And confused is quite possible - this is >>> OAuth after all:-) >>> >>> Cheers, >>> S. >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Stephen Farrell's Discuss on draft-iet… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Justin Richer
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Justin Richer
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Justin Richer
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Justin Richer
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Kathleen Moriarty
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Mike Jones
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Justin Richer
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Justin Richer
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Stephen Farrell
- Re: [OAUTH-WG] Stephen Farrell's Discuss on draft… Kathleen Moriarty