Re: [OAUTH-WG] Client Credential Expiry and new Registration Access Token - draft-ietf-oauth-dyn-reg-10
Phil Hunt <phil.hunt@oracle.com> Mon, 20 May 2013 16:36 UTC
From: Phil Hunt <phil.hunt@oracle.com>
Date: Mon, 20 May 2013 09:36:42 -0700
To: Justin Richer <jricher@mitre.org>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Client Credential Expiry and new Registration Access Token - draft-ietf-oauth-dyn-reg-10
Phil

On 2013-05-20, at 8:45, Justin Richer <jricher@mitre.org> wrote:

>
> On 05/17/2013 07:29 PM, Phil Hunt wrote:
>> He's saying every client gets a registration token and a client token.
> What's a "client token", exactly? There are three potential places for OAuth tokens in and around dynamic registration, and none of them are called "client token".

<ph> I meant client credential. Client token is obviously a type of client cred.

>
> 1) The registration access token, which binds a "client" (or "instance of a client", if you will) to a set of registration information at a specific authorization server. The client uses this to call its Client Information Endpoint to do updates, refreshes, and potentially delete itself. This token is *only* good at this Client Information Endpoint, and nowhere else. This token is specific to the registration it represents.

<ph> This is not apparent at all. No more than binding the registration to the client credential, since the implication is one reg -> one client cred and one reg token. John Bradley has brought up seemingly other scenarios that would not bind but rather associate a dev or an admin to a reg. I may be wrong. I have not had time to consider his explanations yet. What seems clear is that there is confusion as to the purpose and role for this token and what the use cases are for registration. My plan is to review and suggest clarifying text and changes if necessary this week.

>
> 2) The (optional) initial token used to authenticate to the Client Registration Endpoint. This is *not* the registration access token, and it is *not* used to access the Client Information Endpoint. How the client or developer gets this token is out of scope. How the registration server validates this token is out of scope. The structure and contents of this token are out of scope.
>
> 3) The access/refresh tokens that a registered client eventually gets from the Token Endpoint and uses with protected resources. These tokens aren't used at the Client Registration Endpoint or at the Client Information Endpoint.
>
> There are also a couple of related concepts that aren't tokens at all:
>
> 4) The client_id, which is issued to a "client" (or "client instance") by the authorization server. This must be unique at the auth server for each client instance. The client uses this client_id at the Authorization Endpoint and the Token Endpoint in normal OAuth flows.
>
> 5) The client_secret, which is issued to a "client" (or "client instance") by the auth server, for confidential clients (i.e. clients that can protect their client_secret). This is used by the client to authenticate to the Token Endpoint and nowhere else.
>
>
> Which of these do you mean by a "client token"?
>
> -- Justin
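As an added illustration of the token separation Justin enumerates (written for this archive page; it is neither the draft's reference code nor any participant's), the following minimal in-memory authorization server accepts the initial access token only at the Client Registration Endpoint, the registration access token only at the Client Information Endpoint and only for the one registration it was issued for, and the client_secret only at the Token Endpoint. Response field names follow draft-ietf-oauth-dyn-reg-10; the class, the `https://as.example` URI and the checking logic are assumptions.

```python
# Added example, not code from the draft or the thread. Field names follow
# draft-ietf-oauth-dyn-reg-10; the server structure itself is an assumption.
import hmac
import secrets


def _eq(a, b):
    # Constant-time comparison so token checks do not leak by timing.
    return hmac.compare_digest(a.encode(), b.encode())


class DynRegServer:
    def __init__(self, initial_access_tokens):
        # Item 2: initial tokens are valid at the registration endpoint only.
        self.initial_tokens = set(initial_access_tokens)
        self.clients = {}  # client_id -> {metadata, client_secret, registration_access_token}

    def register(self, initial_token, metadata):
        """Client Registration Endpoint: issues client_id (item 4), client_secret
        (item 5) and a registration access token bound to this registration (item 1)."""
        if not any(_eq(t, initial_token) for t in self.initial_tokens):
            return 401, {"error": "invalid_token"}
        client_id = secrets.token_urlsafe(16)
        rec = {
            "metadata": dict(metadata),
            "client_secret": secrets.token_urlsafe(32),
            "registration_access_token": secrets.token_urlsafe(32),
        }
        self.clients[client_id] = rec
        return 201, {
            "client_id": client_id,
            "client_secret": rec["client_secret"],
            "registration_access_token": rec["registration_access_token"],
            "registration_client_uri": f"https://as.example/register/{client_id}",  # assumed URI
        }

    def read_client(self, client_id, bearer):
        """Client Information Endpoint: only the registration access token issued
        for *this* client_id is accepted; initial tokens and client_secrets are rejected."""
        rec = self.clients.get(client_id)
        if rec is None or not _eq(rec["registration_access_token"], bearer):
            return 401, {"error": "invalid_token"}
        return 200, {"client_id": client_id, **rec["metadata"]}

    def token(self, client_id, client_secret):
        """Token Endpoint (item 3): the client_secret is the only credential accepted here."""
        rec = self.clients.get(client_id)
        if rec is None or not _eq(rec["client_secret"], client_secret):
            return 401, {"error": "invalid_client"}
        return 200, {"access_token": secrets.token_urlsafe(24), "token_type": "bearer"}
```

Two registrations made with the same initial token get distinct registration access tokens, and neither token opens the other's record.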