Re: [OAUTH-WG] updated Distributed OAuth ID

Dick Hardt <> Thu, 19 July 2018 13:42 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8EDE0130E29 for <>; Thu, 19 Jul 2018 06:42:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ksTtyqyqQN4v for <>; Thu, 19 Jul 2018 06:42:34 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::52d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BE801130E0D for <>; Thu, 19 Jul 2018 06:42:34 -0700 (PDT)
Received: by with SMTP id n7-v6so3809589pgq.4 for <>; Thu, 19 Jul 2018 06:42:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=hxM4cMXhK9flqvJA9J4U3+kdwDL47jQkJ3K2j36CNQY=; b=aJyzkVxWqFh45P8wMfE2C3Yxj3tHpTh7LbI94Wk/HG+Um4hYVO8ICpVLmhrFU5AT0K cBvmZpngUqre8PDizwiz1H2KBvQ8+R4qxcttMmYiBMwrcaCoDtmOW9QFbSWgB7QsFRxe ezXTBb3VIWALxeeDdgtstYMwEzKGGICJjTz4vqDFP96m1wCAxrJCy1TAVVwdwHl+XjGj y9JhiITydHRPQLw/kbGKKw/zhW+SZaBc9aMf4heWblLbir4sFoafiMnckg8mrWAJ7MVS hQMbhgqLoVPLm1vkuWPefg21sdJnIVWFLmoGmnzrNOvKRafY/lzjK0Z99geHvHCTZgNN 6zIA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=hxM4cMXhK9flqvJA9J4U3+kdwDL47jQkJ3K2j36CNQY=; b=iI21aszTiYtwk6ODU6C04VOw++3MrfVeb/x85RWCFFLoxXNqB8jqtjXLtA/ZmI52ap ISsGWLzMCo86rbJTsChlQuTbJYEUgI1epm3nBM4UFyIx3XCVHTmYp/2bHjQTg3RvVUN0 vKt8iWcRrNIxKHKTkuJZqJ5uJF9IAMhtUc9gAt1ur+HusPpksFTt04Yx8scswoq1aJOu pUng+V7IJM2hAflgQWpLZ5V7dsOHAJoDmmJ3vZtWfQVf3lkaNk/G/LhVCBP8BqUAWR7B oMESlX1hPU30l3aJwpN41iRLJ9ree297VYYM7QFnBPj926dJV8CrmTA89hUwZHkrTBzP 7Ixg==
X-Gm-Message-State: AOUpUlG8lvQh1epB8iOttJzcNZ4GL6rlrXhvg2OI/ips2xjQRNr8A1ih TtJQRMtOp+POq1fTpdZamhAtR1/93SSmpvTm1o2iAa4Y
X-Google-Smtp-Source: AAOMgpf1mBZPhHsg39h7pHFeX6qkOhQ27mFPqmlW+pzj3mFR+YC4ESiC+ezGhAKgNBC2LUV6tDOiyy3tLDYMh/VOL3s=
X-Received: by 2002:a62:be03:: with SMTP id l3-v6mr9572250pff.138.1532007754185; Thu, 19 Jul 2018 06:42:34 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a17:90a:9ce:0:0:0:0 with HTTP; Thu, 19 Jul 2018 06:42:13 -0700 (PDT)
In-Reply-To: <>
References: <> <>
From: Dick Hardt <>
Date: Thu, 19 Jul 2018 09:42:13 -0400
Message-ID: <>
To: David Waite <>
Content-Type: multipart/alternative; boundary="000000000000fb41d205715a599a"
Archived-At: <>
Subject: Re: [OAUTH-WG] updated Distributed OAuth ID
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 19 Jul 2018 13:42:38 -0000

David, thanks for the detailed feedback ... responses inline ...

On Thu, Jul 19, 2018 at 3:54 AM, David Waite <>

> Four comments.
> First: What is the rationale for including the parameters as Link headers
> rather than part of the WWW-Authenticate challenge, e.g.:
> WWW-Authenticate: Bearer realm="example_realm",
>                              scope="example_scope",
>                              error=“invalid_token",
>     resource_uri=""urce",
>     oauth_server_metadata_uris="
> known/oauth-authorization-server https://different-as.example.
> com/.well-known/oauth-authorization-server"
> My understanding is that the RFC6750 auth-params are extensible (but not
> currently part of any managed registry.)
> One reason to go with this vs Link headers is CORS policy - exposing Link
> headers to a remote client must be done all or nothing as part of the CORS
> policy, and can’t be limited by the kind of link.
Nat had a good argument for using Link headers, I'll let him respond.

> Second: (retaining link format) Is there a reason the metadata location is
> specified the way it is? It seems like
> <>;
> rel=“oauth_server_metadata_uri"
> should be
> <>; rel=“oauth_issuer"
> OAuth defines the location of metadata under the .well-known endpoint as a
> MUST. An extension of OAuth may choose from at least three different
> methods for handling extensions beyond this:
> 1. Add additional keys to the oauth-authorization-server metadata
> 2. Add additional resources to .well-known for clients to supporting their
> extensions to attempt to resolve, treating ‘regular’ OAuth as a fallback.
> 3. Define their own parameter, such as rel=“specialauth_issuer”,
> potentially using a different mechanism for specifying metadata
> Given all this, it seems appropriate to only support specifying of
> metadata-supplying issuers, not metadata uris.

Interesting, what do others think of this?

There is a security advantage of using a predefined path as a malicious RS
can not have the client fetch a different meta data document than the one
that is at the well known location.

> Third: I have doubts of the usefulness of resource_uri in parallel to both
> the client requested URI and the Authorization “realm” parameter.
> As currently defined, the client would be the one enforcing (or possibly
> ignoring) static policy around resource URIs - that a resource URI is
> arbitrary except in that it must match the host (and scheme/port?) of the
> requested URI. The information on the requested URI by the client is not
> shared between the client and AS for it to do its own policy verification.
> It would seem better to send the client origin to the AS for it to do
> (potential) policy verification, rather than relying on clients to
> implement it for them based on static spec policy.
> The name “resource URI” is also confusing, as I would expect it to be the
> URI that was requested by the client. The purpose of this parameter is a
> bit confusing, as it is only defined as “An OAuth 2.0 Resource Endpoint
> specified in [RFC6750] section 3.2 - where the term doesn’t appear in 6750
> and there does not appear to be a section 3.2 ;-)
> It seems that:
> a. If the resource_uri is a direct match for the URI requested for the
> client, it is redundant and should be dropped
>     (If the resource URI is *not* a direct match with the URI of the
> resource requested by the client, it might need a better name).

It is not a direct match. Open to new name suggestions!

> b. If the resource URI is meant to provide a certain arbitrary grouping
> for applying tokens within the origin of the resource server, what is its
> value over the preexisting “ realm” parameter?

It is not arbitrary. The resource URI MUST be contained in the URI the
client is requesting access to. The hostname in the resource URI must be in
the hostname in the TLS certificate. This lets the client ensure it is
requesting an access token that is intended for the resource it is

The realm parameter does not have these characteristics specified, and may
already be used for other purposes.

> c. If the resource URI is meant to provide a way for an AS to allow
> resources to be independent, identified entities on a single origin - I’m
> unsure how a client would understand it is meant to treat these resource
> URIs as independent entities (e.g. be sure not to send bearer tokens minted
> for resource /entity1 to /entity2, or for that matter prevent /entity1 from
> requesting tokens for /entity2).

It is intended for the client to enforce.

> Admittedly based on not fully understanding the purpose of this parameter,
> it seems to me there exists a simpler flow which better leverages the
> existing Authentication mechanism of HTTP.
> A request would fail due to an invalid or missing token for the realm at
> the origin, and and the client would make a request to the issuer including
> the origin of the requested resource as a parameter. Any other included
> parameters specified by the WWW-Authenticate challenge understood by the
> client (such as “scope”) would also be applied to this request.
> Normal authorization grant flow would then happen (as this is the only
> grant type supported by RFC6750). Once the access token is acquired by the
> client, the client associates that token with the “realm” parameter given
> in the initial challenge by the resource server origin. Likewise, the ‘aud’
> of the token as returned by a token introspection process would be the
> origin of the resource server.
> It seems any more complicated protected resource groupings on a resource
> server would need a client to understand the structure of the resource
> server, and thus fetch some sort of resource server metadata.

I'm not understanding why you think this. Would you elaborate?

> Fourth and finally: Is the intention to eventually recommend token binding
> here? Token binding as a requirement across clients, resources, and the
> authorization servers would isolate tokens to only being consumed within an
> origin. This would actually make redundant/supplemental the AS additions
> defined within this spec (resource/origin request parameter, ‘aud’
> introspection response member)

Token binding solves part of the resource constrained access token
requirement, but does not solve how the client authenticates to the AS.

> -DW
> On Jun 12, 2018, at 1:28 PM, Dick Hardt <> wrote:
> Hey OAuth WG
> I have worked with Nat and Brian to merge our concepts and those are
> captured in the updated draft.
> We are hopeful the WG will adopt this draft as a WG document.
> Any comments and feedback are welcome!
> /Dick
> _______________________________________________
> OAuth mailing list