Re: [OAUTH-WG] OAuth Discovery metadata values added for revocation, introspection, and PKCE

William Denniss <wdenniss@google.com> Mon, 01 February 2016 20:21 UTC

Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E6791B3603 for <oauth@ietfa.amsl.com>; Mon, 1 Feb 2016 12:21:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level:
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6w7j_Yx43X9W for <oauth@ietfa.amsl.com>; Mon, 1 Feb 2016 12:21:32 -0800 (PST)
Received: from mail-ob0-x22e.google.com (mail-ob0-x22e.google.com [IPv6:2607:f8b0:4003:c01::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 129531B3602 for <oauth@ietf.org>; Mon, 1 Feb 2016 12:21:32 -0800 (PST)
Received: by mail-ob0-x22e.google.com with SMTP id is5so129967975obc.0 for <oauth@ietf.org>; Mon, 01 Feb 2016 12:21:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=jfXfS8C3mhLoV7Sf8ygvcfAuWk4Tx5xfjPLuqg7Ghs0=; b=iflsRoqKrhKprQoWH+nNg4URWfYWbriVptUy3Q/pGWxdt2yoZWvSRMigGoKGovdUYO 19QaVN2iSznpSYnR+KJQXvhV+qPlPLLexW80g2b/4bdHOOTBzgMUuU7kxD0UCtQuiaE8 O4mqwfXqUfbFYukKGlGpXTqlNfDJtXGbZSPkSGFdWAaPLYq6cPSESETZC0KuYzKzXce5 TozEShVoBe38nWhOqQ9Pe+N06P1g8VcGnASk0CZe3xxHJAusfL+AOh7PMIf3nVZanqff 90dxZ4PH7Vp8vQ/AM1wwbjmZPc3BtycNB0h3LMAUiEyu+q1COOcu3lgrItT8yjEd524W p34g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=jfXfS8C3mhLoV7Sf8ygvcfAuWk4Tx5xfjPLuqg7Ghs0=; b=SS732K6jO9+O9cSdB9kC+ToANTNnvcMdQlfLGQ42oB05UGxJxgWcjs2tT0YGeMIfxj R4H4U1YC3Dr9XmM4+Ym/4JqcBergwcEtTex4ebBa721O6DjNURcfjGm68V4QX7zgclcr omxDXNNrBzRmVyhpT2NUm/o+iYyfDGfJ3EhumtJ7RyO3JHagugsk1DQ4Yqe8LopBNTk5 kdNmL7kfbu+E8m+ofR2tM3Q9kmHxFnP62bApgDeZ5m+aghe2jJAOPuw1thCXgT80B624 cGFaoNLr4xMOzdrzdWuCnSGFe9/Muk0h+at/fAbekY9hCZDNPUM7yNIYCDS+thjvNwgZ wsDA==
X-Gm-Message-State: AG10YOTixM0HraP4NXaLRwd7v77UyHiI7UsAPJBh2LIe1Q/64EDTyOB/+cBUtYMiXfEN2LHwcFuR1JtQHJjTwgLa
X-Received: by 10.60.57.134 with SMTP id i6mr19293368oeq.11.1454358091408; Mon, 01 Feb 2016 12:21:31 -0800 (PST)
MIME-Version: 1.0
Received: by 10.182.227.39 with HTTP; Mon, 1 Feb 2016 12:21:11 -0800 (PST)
In-Reply-To: <BY2PR03MB4429A6A763D5A283FC09B70F5DB0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <BY2PR03MB442C39923E8F9D96F5975B0F5DA0@BY2PR03MB442.namprd03.prod.outlook.com> <56AB59CA.5070408@connect2id.com> <CABzCy2Cq5czDXCGP5P5UWjcG8JQTwiS9dci2xLzpefUJVNFf0g@mail.gmail.com> <5CDF5150-89C7-4EC7-92C8-EE356C30993F@ve7jtb.com> <BY2PR03MB4429A6A763D5A283FC09B70F5DB0@BY2PR03MB442.namprd03.prod.outlook.com>
From: William Denniss <wdenniss@google.com>
Date: Mon, 1 Feb 2016 12:21:11 -0800
Message-ID: <CAAP42hA3UM=JQsSDYKEp6YphkqJduqcAjdFUzpdCW5BsGr+erQ@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary=089e013a2a266a80fc052abb2117
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/X44EgKsyC-vVtmcCloZCSck7208>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth Discovery metadata values added for revocation, introspection, and PKCE
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Feb 2016 20:21:34 -0000

On Fri, Jan 29, 2016 at 3:22 PM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

> Do the PKCE authors want to make a concrete proposal for how to represent
> this in discovery metadata?
>

We don't need to represent this property in the discovery metadata.

All non-confidential clients should be using PKCE (and in the draft native
apps best practice, we say it's a MUST
<https://tools.ietf.org/html/draft-wdenniss-oauth-native-apps-01#section-7.2>
if
you want to follow the BCP).  It's OK to send PKCE to a server that doesn't
support PKCE (assuming standards compliance, they won't error on unknown
params), and now we have a way that clients can discover PKCE support and
send it only those those ASes who disclose this.

If a server decides to fail all non-PKCE requests for non-confidential
clients (which is fine), indicating this in discovery actually doesn't add
a whole lot.  Because if the client knows about PKCE it should have been
sending it based on code_challenge_methods_supported anyway, and if it
doesn't know about PKCE then it will always fail, discovery or not.

The thing is, there is no reason for a public client to *not* send PKCE if
the server indicates PKCE support, but then marks it as optional through
this mechanism.  If the client knows PKCE it should just always send PKCE –
so knowing that the request would succeed even if it didn't doesn't add any
value, and may cause harm.



>
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *John Bradley
> *Sent:* Friday, January 29, 2016 6:11 AM
> *To:* Nat Sakimura <sakimura@gmail.com>
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OAuth Discovery metadata values added for
> revocation, introspection, and PKCE
>
>
>
> The only problem with that is the client may only require it for some
> types of clients (public) or response types.
>
>
>
> It may need to be finer grained than that, or define it as required for
> all public clients using the token endpoint.
>
>
>
> John B.
>
>
>
>
>
> On Jan 29, 2016, at 10:15 AM, Nat Sakimura <sakimura@gmail.com> wrote:
>
>
>
> Good question.
>
> It's probably a good idea to be able to advertise this policy in the
> discovery.
>
> Perhaps in the line of
>
> pkce_required or rfc7636_required?
> The value should be Boolean.
>
> Nat from iPhone
>
> 2016年1月29日(金) 21:23 Vladimir Dzhuvinov <vladimir@connect2id.com>om>:
>
> Thanks Mike, the updated spec looks good!
>
> I have a question related to PKCE:
>
> The PKCE spec seems to imply that an AS may require public clients to use
> a code challenge:
>
> https://tools.ietf.org/html/rfc7636#section-4.4.1
>
> If an AS has such a policy in place, how is this to be advertised? Or is
> that supposed to the enforced when the client gets registered (there are no
> reg params for that at present)?
>
> On 28/01/16 19:27, Mike Jones wrote:
>
> The OAuth Discovery specification has been updated to add metadata values for revocation<http://tools.ietf.org/html/rfc7009> <http://tools.ietf.org/html/rfc7009>, introspection<http://tools.ietf.org/html/rfc7662> <http://tools.ietf.org/html/rfc7662>, and PKCE<http://tools.ietf.org/html/rfc7636> <http://tools.ietf.org/html/rfc7636>.  Changes were:
>
>
>
> *       Added "revocation_endpoint_auth_methods_supported" and "revocation_endpoint_auth_signing_alg_values_supported" for the revocation endpoint.
>
>
>
> *       Added "introspection_endpoint_auth_methods_supported" and "introspection_endpoint_auth_signing_alg_values_supported" for the introspection endpoint.
>
>
>
> *       Added "code_challenge_methods_supported" for PKCE.
>
>
>
> The specification is available at:
>
>
>
> *       http://tools.ietf.org/html/draft-jones-oauth-discovery-01
>
>
>
> An HTML-formatted version is also available at:
>
>
>
> *       http://self-issued.info/docs/draft-jones-oauth-discovery-01.html
>
>
>
>                                                           -- Mike
>
>
>
> P.S.  This note was also published at http://self-issued.info/?p=1531 and as @selfissued<https://twitter.com/selfissued> <https://twitter.com/selfissued>.
>
>
>
>
>
>
>
> _______________________________________________
>
> OAuth mailing list
>
> OAuth@ietf.org
>
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> --
>
> Vladimir Dzhuvinov
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>