Re: [OAUTH-WG] OAuth Discovery metadata values added for revocation, introspection, and PKCE

William Denniss <wdenniss@google.com> Mon, 01 February 2016 20:21 UTC

On Fri, Jan 29, 2016 at 3:22 PM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> Do the PKCE authors want to make a concrete proposal for how to represent
> this in discovery metadata?
>

We don't need to represent this property in the discovery metadata.

All non-confidential clients should be using PKCE (and in the draft native
apps best practice, we say it's a MUST
<https://tools.ietf.org/html/draft-wdenniss-oauth-native-apps-01#section-7.2>
if you want to follow the BCP).  It's OK to send PKCE to a server that doesn't
support PKCE (assuming standards compliance, they won't error on unknown
params), and now we have a way that clients can discover PKCE support and
send it only to those ASes who disclose this.

If a server decides to fail all non-PKCE requests for non-confidential
clients (which is fine), indicating this in discovery actually doesn't add
a whole lot, because if the client knows about PKCE it should have been
sending it based on code_challenge_methods_supported anyway, and if it
doesn't know about PKCE then it will always fail, discovery or not.

The thing is, there is no reason for a public client to *not* send PKCE if
the server indicates PKCE support, but then marks it as optional through
this mechanism.  If the client knows PKCE it should just always send PKCE –
so knowing that the request would succeed even if it didn't doesn't add any
value, and may cause harm.

>
> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *John Bradley
> *Sent:* Friday, January 29, 2016 6:11 AM
> *To:* Nat Sakimura <sakimura@gmail.com>
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OAuth Discovery metadata values added for
> revocation, introspection, and PKCE
>
> The only problem with that is the client may only require it for some
> types of clients (public) or response types.
>
> It may need to be finer grained than that, or define it as required for
> all public clients using the token endpoint.
>
> John B.
>
> On Jan 29, 2016, at 10:15 AM, Nat Sakimura <sakimura@gmail.com> wrote:
>
> Good question.
>
> It's probably a good idea to be able to advertise this policy in the
> discovery.
>
> Perhaps in the line of
>
> pkce_required or rfc7636_required?
> The value should be Boolean.
>
> Nat from iPhone
>
> On Fri, Jan 29, 2016 at 21:23, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
>
> Thanks Mike, the updated spec looks good!
>
> I have a question related to PKCE:
>
> The PKCE spec seems to imply that an AS may require public clients to use
> a code challenge:
>
> https://tools.ietf.org/html/rfc7636#section-4.4.1
>
> If an AS has such a policy in place, how is this to be advertised? Or is
> that supposed to be enforced when the client gets registered (there are no
> reg params for that at present)?
>
> On 28/01/16 19:27, Mike Jones wrote:
>
> The OAuth Discovery specification has been updated to add metadata values for revocation <http://tools.ietf.org/html/rfc7009>, introspection <http://tools.ietf.org/html/rfc7662>, and PKCE <http://tools.ietf.org/html/rfc7636>.  Changes were:
>
> *       Added "revocation_endpoint_auth_methods_supported" and "revocation_endpoint_auth_signing_alg_values_supported" for the revocation endpoint.
> *       Added "introspection_endpoint_auth_methods_supported" and "introspection_endpoint_auth_signing_alg_values_supported" for the introspection endpoint.
> *       Added "code_challenge_methods_supported" for PKCE.
>
> The specification is available at:
>
> *       http://tools.ietf.org/html/draft-jones-oauth-discovery-01
>
> An HTML-formatted version is also available at:
>
> *       http://self-issued.info/docs/draft-jones-oauth-discovery-01.html
>
>                                                           -- Mike
>
> P.S.  This note was also published at http://self-issued.info/?p=1531 and as @selfissued <https://twitter.com/selfissued>.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> --
>
> Vladimir Dzhuvinov
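The PKCE handling the reply argues for, as an added example in Python (not code from the thread or from any WG draft): the client always sends PKCE, and code_challenge_methods_supported only steers which method. The sample discovery document, client_id and redirect_uri are constructed, and the AS-side check at the token endpoint is included so both halves of RFC 7636 are visible.

```python
import base64
import hashlib
import hmac
import secrets
import string

# Constructed sample discovery document (not from any real AS).
METADATA_S256 = {"code_challenge_methods_supported": ["S256", "plain"]}
UNRESERVED = string.ascii_letters + string.digits + "-._~"  # RFC 7636 sec. 4.1

def make_code_verifier(length: int = 64) -> str:
    # RFC 7636 section 4.1: 43 to 128 random unreserved characters.
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43-128 characters")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))

def make_code_challenge(verifier: str, method: str) -> str:
    # RFC 7636 section 4.2: S256 = BASE64URL(SHA256(ASCII(verifier))), no padding.
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    if method == "plain":
        return verifier
    raise ValueError(f"unknown code_challenge_method: {method}")

def choose_challenge_method(metadata: dict) -> str:
    # PKCE is sent either way; the advertised list only steers the method.
    supported = metadata.get("code_challenge_methods_supported")
    if not supported:
        # Nothing advertised: send S256 anyway. A standards-compliant AS that
        # lacks PKCE ignores unknown authorization request parameters.
        return "S256"
    if "S256" in supported:
        return "S256"
    if "plain" in supported:
        return "plain"
    raise ValueError(f"no usable code_challenge_method in {supported!r}")

def build_authorization_params(metadata: dict, client_id: str,
                               redirect_uri: str, verifier: str) -> dict:
    # Authorization request for a public client; PKCE is always included.
    method = choose_challenge_method(metadata)
    return {"response_type": "code", "client_id": client_id,
            "redirect_uri": redirect_uri,
            "code_challenge": make_code_challenge(verifier, method),
            "code_challenge_method": method}

def verify_code_verifier(verifier: str, challenge: str, method: str) -> bool:
    # AS side at the token endpoint: recompute and compare in constant time.
    return hmac.compare_digest(make_code_challenge(verifier, method), challenge)
```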