[OAUTH-WG] Review of OAuth 2.1 v8 (required auth-param)
Johannes Koch <johannes.koch@avenga.com> Wed, 29 March 2023 09:07 UTC
From: Johannes Koch <johannes.koch@avenga.com>
Date: Wed, 29 Mar 2023 11:06:47 +0200
Message-ID: <CAGRquTqn7AiYH5HfG4hJAVRwuwM7s_0-FHqrDqtdSFEo05bZQA@mail.gmail.com>
To: oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/UUOHnL7m5F1PPgulqvprsGOGypI>
Hi,

I tried to bring this issue to your attention before, but maybe chances are better if I frame my question in a review of a specific version :-)

So, I reviewed https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-08.

Here's my question about section 5.2.3 (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-08#section-5.2.3):

    All challenges for this token type MUST use the auth-scheme value Bearer.
    This scheme MUST be followed by one or more auth-param values.

What is the purpose of requiring at least one auth-param (MUST)? The mentioned auth-params realm, scope (MAY), error (SHOULD), error_description, error_uri (MAY) are all optional on their own.

Consider the following situation:

- A resource request lacking a bearer token; so no error, error_description, error_uri (SHOULD NOT per https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-08#section-5.2.4)
- There are no separate realms; so realm is not necessary IMO.
- The scope auth-param doesn't seem applicable either.

Is

    WWW-Authenticate: Bearer realm="default"

or

    WWW-Authenticate: Bearer realm=""

or

    WWW-Authenticate: Bearer foo="bar"

better than having no auth-param at all?

Maybe this is a legacy from good old HTTP/1.1. When "Bearer Token Usage" became RFC 6750 in 2012, WWW-Authenticate was still defined by RFC 2616, and RFC 2617 defined challenge as

    challenge = auth-scheme 1*SP 1#auth-param

, thus requiring at least one auth-param. However, things changed: RFC 7235 (2014, https://www.rfc-editor.org/rfc/rfc7235#section-2.1) and RFC 9110 (2022, https://www.rfc-editor.org/rfc/rfc9110#section-11.3) do not have this requirement anymore:

    challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ]

So I propose to change the MUST (regarding the "one or more auth-param values") into (at least) a SHOULD.

See issue 108 in the github repo (https://github.com/oauth-wg/oauth-v2-1/issues/108).

--
Johannes Koch
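To make the grammar question above concrete, here is an added example (not part of the post, the OAuth 2.1 draft, or any WG code) in Python: a WWW-Authenticate challenge parser that follows the RFC 9110 form `auth-scheme [ 1*SP #auth-param ]`, a conformance check that can be switched between the "one or more auth-param values" MUST of draft -08 section 5.2.3 and the RFC 9110 reading, and a resource-server-side builder that emits only the params the server actually has. Assumptions: one challenge per header value, no token68 form, and the Bearer scheme only; every header string used below is constructed for the example.

```python
"""Added example: WWW-Authenticate Bearer challenge parsing and building.
Assumes a single challenge per header value and no token68 form."""
import re
from typing import Dict, Optional, Tuple

# token = 1*tchar (RFC 9110 section 5.6.2)
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# auth-param = token BWS "=" BWS ( token / quoted-string )   (RFC 9110 section 11.2)
# Each match consumes one list element plus its trailing comma (or end of string).
AUTH_PARAM = re.compile(
    r"\s*(" + TOKEN + r")\s*=\s*(?:(" + TOKEN + r')|"((?:[^"\\]|\\.)*)")\s*(?:,|$)'
)
# challenge = auth-scheme [ 1*SP #auth-param ]  (the #auth-param list may be empty)
CHALLENGE = re.compile(r"\s*(" + TOKEN + r")(?:\s+(.*))?$", re.S)


def parse_challenge(header: str) -> Tuple[str, Dict[str, str]]:
    """Parse one challenge into (scheme, params); raise ValueError on malformed input."""
    m = CHALLENGE.match(header)
    if not m:
        raise ValueError("missing auth-scheme")
    scheme, rest = m.group(1), m.group(2) or ""
    params: Dict[str, str] = {}
    pos = 0
    while True:
        # Tolerate OWS and empty list elements ("a=1,,b=2"), as RFC 9110 5.6.1 requires.
        while pos < len(rest) and rest[pos] in " \t,":
            pos += 1
        if pos >= len(rest):
            break
        pm = AUTH_PARAM.match(rest, pos)
        if not pm:
            raise ValueError(f"malformed auth-param near {rest[pos:]!r}")
        name = pm.group(1).lower()  # auth-param names are case-insensitive
        if pm.group(2) is not None:
            value = pm.group(2)  # bare token value
        else:
            value = re.sub(r"\\(.)", r"\1", pm.group(3))  # quoted-string, unescape quoted-pairs
        if name in params:  # RFC 9110 11.2: a parameter MUST NOT occur more than once
            raise ValueError(f"duplicate auth-param {name!r}")
        params[name] = value
        pos = pm.end()
    return scheme, params


def conforms(header: str, require_auth_param: bool) -> bool:
    """Check a Bearer challenge.
    require_auth_param=True  models RFC 2617 / draft -08 section 5.2.3
                             ("MUST be followed by one or more auth-param values");
    require_auth_param=False models RFC 9110, where the auth-param list is optional."""
    try:
        scheme, params = parse_challenge(header)
    except ValueError:
        return False
    if scheme.lower() != "bearer":
        return False
    return bool(params) or not require_auth_param


def _quote(value: str) -> str:
    """Emit a quoted-string, escaping backslash and double quote as quoted-pairs."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_challenge(realm: Optional[str] = None, scope: Optional[str] = None,
                    error: Optional[str] = None, error_description: Optional[str] = None,
                    error_uri: Optional[str] = None) -> str:
    """Resource-server side: build the WWW-Authenticate value from the params it has.
    For the missing-token case of section 5.2.4 (no error params) with a single realm
    this yields a bare 'Bearer', the challenge the strict MUST forbids and RFC 9110 permits."""
    fields = [("realm", realm), ("scope", scope), ("error", error),
              ("error_description", error_description), ("error_uri", error_uri)]
    parts = [f"{name}={_quote(value)}" for name, value in fields if value is not None]
    return "Bearer" + (" " + ", ".join(parts) if parts else "")


if __name__ == "__main__":
    missing_token = build_challenge()  # nothing to say: no realm, no scope, no error
    print(missing_token, conforms(missing_token, True), conforms(missing_token, False))
    expired = build_challenge(error="invalid_token", error_description="The access token expired")
    print(expired, parse_challenge(expired))
```

The `conforms` switch is the whole point: a bare `Bearer` passes the RFC 9110 grammar and fails only the extra MUST, while `Bearer foo="bar"` satisfies the MUST without carrying any information a client could act on. A client parser written to the RFC 9110 grammar (like `parse_challenge`) has no trouble with the empty list, so accepting it on the receiving side costs nothing.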