[OAUTH-WG] MTLS discovery - mtls_endpoint_aliases and _endpoint_auth_methods_supported

Filip Skokan <panva.ip@gmail.com> Tue, 25 June 2019 08:40 UTC

From: Filip Skokan <panva.ip@gmail.com>
Date: Tue, 25 Jun 2019 10:40:00 +0200
Message-ID: <CALAqi__vnFSdtJVqrLGKmRQh-1u_txhcrMFSAyNiz3gAFfL0vg@mail.gmail.com>
To: oauth <oauth@ietf.org>, "Richard Backman, Annabelle" <richanna@amazon.com>, Torsten Lodderstedt <torsten@lodderstedt.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TcW19Bz4MYYhBliJOTZU7tz0IM0>
Subject: [OAUTH-WG] MTLS discovery - mtls_endpoint_aliases and _endpoint_auth_methods_supported

Hello everyone,

This is a follow-up to the IETF 104 Thursday, March 28, 2019 OAuth meeting where
we discussed the MTLS update.

In the meeting we discussed the mtls_endpoint_aliases discovery property
that exposes mutual-TLS enabled endpoints in addition to ones that don't
have mutual-TLS enabled. We're doing this so that there are no cert
selection popups for end-users when AS supports a mix of mtls and non-mtls
interactions at e.g. the token endpoint.

Annabelle brought up an issue on this list and in the meeting about the
*_endpoint_auth_methods_supported discovery properties - about "this"
endpoint which is now potentially in two places. I believe we have reached
a compromise in the meeting to also allow these properties in the aliases
but I cannot find a message about this either on the list or in the
meeting notes.

An example of such a discovery document can be found here
<https://op.panva.cz/.well-known/openid-configuration> (aliases at the end
of the document), notice that self_signed_tls_client_auth is not present in
the root *_endpoint_auth_methods_supported properties but is present in the
aliases.

There have been no published updates to the MTLS draft since and I'm
wondering if this is going to make it in the next revision. I also do not
wish this point to get forgotten, hence this message.

Best,
Filip
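As an added example (not code from the message, the MTLS draft, or op.panva.cz), here is a client-side Python helper that applies the endpoint selection the message describes: a client using an mTLS authentication method prefers the `mtls_endpoint_aliases` entry for an endpoint when the AS publishes one, and reads `*_endpoint_auth_methods_supported` from the alias block first, falling back to the root property. The metadata document and hostnames are constructed, and honouring a per-alias auth-methods property is the proposed behaviour under discussion, not settled specification text.

```python
import json

# Constructed sample AS metadata, laid out the way the message describes:
# the root token endpoint advertises only non-mTLS methods, while the mTLS
# alias additionally advertises self_signed_tls_client_auth.
SAMPLE_METADATA = json.loads("""{
  "issuer": "https://as.example",
  "token_endpoint": "https://as.example/token",
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
  "revocation_endpoint": "https://as.example/token/revocation",
  "mtls_endpoint_aliases": {
    "token_endpoint": "https://mtls.as.example/token",
    "token_endpoint_auth_methods_supported": ["tls_client_auth", "self_signed_tls_client_auth"]
  }
}""")

# Client authentication methods that require a mutual-TLS connection.
MTLS_AUTH_METHODS = {"tls_client_auth", "self_signed_tls_client_auth"}


def select_endpoint(metadata, endpoint, auth_method):
    """Return (url, advertised_methods) for `endpoint` given the client's auth method.

    An mTLS client uses the alias when the AS publishes one for that endpoint,
    otherwise the conventional endpoint. Advertised methods are taken from the
    alias block when present (the per-alias property proposed in the message)
    and fall back to the root property; None means nothing was advertised.
    Raises ValueError when the chosen endpoint does not advertise the method.
    """
    aliases = metadata.get("mtls_endpoint_aliases", {})
    methods_key = f"{endpoint}_auth_methods_supported"
    use_alias = auth_method in MTLS_AUTH_METHODS and endpoint in aliases
    if use_alias:
        url = aliases[endpoint]
        methods = aliases.get(methods_key, metadata.get(methods_key))
    else:
        url = metadata[endpoint]
        methods = metadata.get(methods_key)
    # Only enforce the check when the AS actually advertised a list for this endpoint.
    if methods is not None and auth_method not in methods:
        raise ValueError(f"{auth_method} is not advertised for {url}")
    return url, methods
```

Resolving the token endpoint for `self_signed_tls_client_auth` returns the alias URL, while `client_secret_basic` stays on the conventional endpoint; the revocation endpoint, which has no alias, is used as published.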