Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-dyn-reg-28: (with DISCUSS and COMMENT)

Justin Richer <> Fri, 24 April 2015 12:30 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 977661B2CA2; Fri, 24 Apr 2015 05:30:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id XejhRnxtJ0tH; Fri, 24 Apr 2015 05:30:50 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0329C1B2CEB; Fri, 24 Apr 2015 05:30:49 -0700 (PDT)
X-AuditID: 12074425-f79ca6d000000e5e-6d-553a377877a0
Received: from ( []) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 85.67.03678.8773A355; Fri, 24 Apr 2015 08:30:48 -0400 (EDT)
Received: from ( []) by (8.13.8/8.9.2) with ESMTP id t3OCUlOV010740; Fri, 24 Apr 2015 08:30:48 -0400
Received: from [] ( []) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by (8.13.8/8.12.4) with ESMTP id t3OCUj8G013062 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Fri, 24 Apr 2015 08:30:46 -0400
Message-ID: <>
Date: Fri, 24 Apr 2015 08:30:34 -0400
From: Justin Richer <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Stephen Farrell <>, The IESG <>
References: <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpnleLIzCtJLcpLzFFi42IR4hTV1q0wtwo1OLtS12Laz9dsFjP+TGS2 uD13JZvFybev2Cym773G7sDqsbb7KpvHkiU/mQKYorhsUlJzMstSi/TtErgy7v3+zl7wxrCi Y15MA+MMjS5GTg4JAROJxmetbBC2mMSFe+uBbC4OIYHFTBL7l59jB0kICWxklFh4LQsicZtJ 4tq1hSwgCV4BNYnvU4+AdbMIqErcfbQSzGYDsqevaWECsUUFoiQmfj0EVS8ocXLmEzBbRMBT 4mHfKTCbWcBHonfaZbB6YYE8iY5DXVBX9DNKPLz+GayIU0BT4suiGUwQDWYS8zY/ZIaw5SW2 v53DPIFRcBaSHbOQlM1CUraAkXkVo2xKbpVubmJmTnFqsm5xcmJeXmqRroVebmaJXmpK6SZG UHizu6juYJxwSOkQowAHoxIP74w5lqFCrIllxZW5hxglOZiURHk7paxChfiS8lMqMxKLM+KL SnNSiw8xSnAwK4nwPjMAyvGmJFZWpRblw6SkOViUxHk3/eALERJITyxJzU5NLUgtgsnKcHAo SfBqmAE1ChalpqdWpGXmlCCkmTg4QYbzAA2fB1LDW1yQmFucmQ6RP8WoKCXOOwMkIQCSyCjN g+uFpZ9XjOJArwjz5oBU8QBTF1z3K6DBTECDZy61ABlckoiQkmpgZLlUO4lD/8ivBVs/On58 enPzzapd9QlTw1bc/qZkZ9j6gpHryMq2W3YsXsfFrnTvXve34h/L0Wr77fwr5qxS47N19pHO dbjJH7D88W7BhUmNtassBEqOzFvDdt3fSrpA2a/B7QHf+yfnfNyC0zmazO9envoj6frZC4d3 56h3P/nKx2fEkfPBR4mlOCPRUIu5qDgRANGJmZ4aAwAA
Archived-At: <>
Subject: Re: [OAUTH-WG] Stephen Farrell's Discuss on draft-ietf-oauth-dyn-reg-28: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 24 Apr 2015 12:30:52 -0000

On 4/24/2015 8:24 AM, Stephen Farrell wrote:
> On 24/04/15 13:20, Justin Richer wrote:
>> Stephen, thanks for the comments.
>> We discussed but decided to stop short of a full back-and-forth
>> multi-trip information negotiation protocol in order to keep things as
>> simple as possible for the simple case. The model here is that the
>> client *requests* a certain set of information in the registration, and
>> the server *dictates* to the client what actually occurred. This is to
>> allow sensible defaults for blank fields, and other mechanisms like
>> that. Instead of just saying "no", the server here has an opportunity to
>> do something slightly reasonable. It's up to the client if it agrees
>> with the reasonableness, and most clients (in my experience) are going
>> to be super dumb and just do what they're told by the server if they're
>> able to. If they're unable to, they'll just fail to use the OAuth
>> protocol with that AS and users will complain (rightly) of an
>> incompatibility bug. A smarter client can try to re-register and see if
>> that works instead, but the vast majority of OAuth clients are really
>> dumb (by design).
>> However, there's a bit more to the story: As it turns out, when coupled
>> with the management protocol and a discovery mechanism, you actually can
>> do more of a negotiated registration with the existing mechanism: client
>> says "I want foo", server says "you get bar", client sends an UPDATE
>> that says "can I have baz instead?", and so forth. Without the update
>> mechanism, you don't have a way to tie one registration request to a
>> subsequent one. If you've got server capability discovery (such as is
>> defined in OpenID Connect and still-ignored by this working group) then
>> you've got the ability for a smart client to see which values might work
>> ahead of time. This gets a little tricky with values that have
>> relationships (such as grant_types and response_types), but it's still
>> workable when they've got well-defined relationships (as is required in
>> the Dyn Reg spec).
>> So it really is out of scope for us to say what the client does when it
>> gets information back it doesn't want: it can ignore it, fail on it, or
>> use it. With management and discovery, it can try to re-negotiate, but
>> that's a fairly sophisticated behavior.
> So could we just point at the relevant specs for that behaviour?
> (Not normatively, and I don't care if they're not RFCs.)
> S.

OK, so are you asking for something like:

"If the server supports an update mechanism such as [Dyn-Reg-Management] 
and a discovery mechanism such as [OIDC-Discovery], then a smart client 
could use these components to renegotiate undesirable metadata values."

With both of these being informative references? I'm not opposed to it.

  -- Justin

>> Hope this helps,
>>   -- Justin
>> On 4/24/2015 8:09 AM, Stephen Farrell wrote:
>>> So this is to follow up on my discuss point#2, which said:
>>> (2) If the response (defined in 3.2.1) includes metadata that
>>> the server has altered, but that the client doesn't like, then
>>> what does the client do? (It may be that that's ok, but I'm
>>> not following why that is the case.) I'm also not sure the
>>> "https" requirement (1st bullet in section 5) is useful there.
>>> In -28 you added a bit of text to 3.2.1. saying:
>>> "The client or developer can check the values in the response to
>>> determine if the registration is sufficient for use (e.g., the
>>> registered "token_endpoint_auth_method" is supported by the client
>>> software) and determine a course of action appropriate for the client
>>> software.  The response to such a situation is out of scope for this
>>> specification but could include filing a report with the application
>>> developer or authorization server provider."
>>> That new text may be fine, but I'd like to check that I
>>> understand it correctly and that it addresses the issue
>>> sensibly.
>>> Say I'm a developer who writes and distributes a client
>>> that uses this and I test it with the
>>> registration endpoint and it works, but for my application
>>> to work I need a specific token_endpoint_auth_method, say
>>> client_secret_basic.
>>> Say time passes, and we discover that client_secret_basic
>>> is bad for some reason and client_secret_supergood is
>>> invented and gets used a lot.
>>> At that point would like to turn off
>>> the (now-crappy) client_secret_basic and only allow use
>>> of client_secret_supergood. If it does that, then new
>>> installs of our application will fail at registration
>>> time with an (opaque) error to the human user and we
>>> need the application developer to do an update to add
>>> client_secret_supergood.
>>> Or, what seems more likely is that
>>> will have to keep offering the now insecure
>>> client_secret_basic until essentially no interesting
>>> applications remain that don't support the new, better
>>> thing. And that's the bit I don't like so much.
>>> This spec could (maybe, I'm not 100% sure) have been
>>> written to allow for the client and registration endpoint
>>> to first try to use the new better things and, if that
>>> doesn't work, to try fallback to the old not so good
>>> things, but that is not supported here afaics - once
>>> the client sees response metadata it doesn't like,
>>> there's no way for the client to say "bummer, I'd have
>>> been fine if only you'd said foo and not bar, can we
>>> try register again and use foo?"
>>> And I also don't see how the client who is really stuck
>>> can tell the registration endpoint "actually, I'm not
>>> successfully registered because your said bar and I don't
>>> like that bit of metadata" - won't that lead to our
>>> ending up with a misleading picture
>>> of what clients were successfully registered?
>>> So my question is: is all that really ok, or am I confused
>>> in the above? (And confused is quite possible - this is
>>> OAuth after all:-)
>>> Cheers,
>>> S.
>>> _______________________________________________
>>> OAuth mailing list