Re: [OAUTH-WG] PAR and client metadata

George Fletcher <gffletch@aol.com> Fri, 17 April 2020 14:36 UTC

To: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>, Brian Campbell <bcampbell@pingidentity.com>
Cc: Filip Skokan <panva.ip@gmail.com>, oauth <oauth@ietf.org>
References: <CA+k3eCTHtpBD-=hZPuCwjcjc_55f-J6=RKe_OGuRW38Wnhm2Cg@mail.gmail.com> <CALAqi_9cXOiEN-i1xoQSrtBP=A8QdUYi4upjL2s4kAE0fG1p3w@mail.gmail.com> <CA+k3eCTCOa8RNqZmriDQerwVsV20K8ecSPUAObKFhT36Y6OujQ@mail.gmail.com> <91a9b333-9b43-5f85-6bb2-2bb008aec4e7@aol.com> <E4844A97-1DBA-4521-BEAA-C1129FA69136@lodderstedt.net>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <b0f39202-adec-b9a2-6675-f890b84b3600@aol.com>
Date: Fri, 17 Apr 2020 10:33:30 -0400
In-Reply-To: <E4844A97-1DBA-4521-BEAA-C1129FA69136@lodderstedt.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/YTGpLUOwaeI8opumktzFSjo6Rwk>

I don't know about a PAR "requirement", but it feels like the PAR spec 
is the right place to put this. My understanding of what's being asked 
is... how does the AS advertise to its clients that it will ONLY accept 
PAR based request_uris and other authn/authz request methods will fail.

On 4/17/20 3:22 AM, Torsten Lodderstedt wrote:
> Is this really a PAR requirement? I’m asking since the client in the end is required to use an authorization request in the front channel but with a PAR request_uri. So one could see this as a constraint on the authorisation request itself. Another question is whether this request_uri must be PAR based or whether it could be any other request_uri.
>
>> On 16. Apr 2020, at 23:05, George Fletcher <gffletch=40aol.com@dmarc.ietf.org> wrote:
>>
>> Maybe if we make it an array of authorization "flows" supported? A bit like the AS can describe whether it supports "pairwise", "public" or both?
>>
>> Not sure what to name it though:) Possible values could be "redirect" and "par" (redirect not being quite right:) which allows for expansion in the future. That way the AS could easily signal whether it supports both or just one. It does mean the discovery doc is redundant in specifying that the AS supports PAR but that's probably ok.
>>
>> On 4/16/20 4:50 PM, Brian Campbell wrote:
>>> But do you think that an AS-wide policy
>>> signal (i.e. all_yall_clients_gotta_do_par_every_darn_time : true) is
>>> needed or sufficiently useful?
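The policy under discussion (an AS that accepts only request_uris it issued through PAR and rejects every other way of delivering an authorization request), modelled end to end as an added example; this is not code from the thread or from any WG draft. The discovery key `authorization_request_methods_supported` with the values `redirect` and `par` is a hypothetical name following the array idea in George's earlier message; the `pushed_authorization_request_endpoint` metadata name and the `urn:ietf:params:oauth:request_uri:` prefix are the ones the PAR specification uses; the error code strings are illustrative.

```python
"""Toy authorization server enforcing a 'PAR only' policy, plus the client-side
check that reads the policy from AS metadata.  Added example, not WG code."""
import secrets
import time

# Prefix the PAR specification uses for request_uri values it issues.
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"


class AuthorizationServer:
    """methods_supported lists the request methods the AS accepts at its
    authorization endpoint: "redirect" (parameters in the front-channel query)
    and/or "par" (a request_uri obtained from the PAR endpoint)."""

    def __init__(self, methods_supported, request_uri_ttl=60):
        self.methods_supported = list(methods_supported)
        self.ttl = request_uri_ttl
        self._pushed = {}  # request_uri -> (client_id, params, expires_at)

    def metadata(self):
        # Discovery document.  The *_methods_supported key is hypothetical.
        md = {
            "issuer": "https://as.example",
            "authorization_endpoint": "https://as.example/authorize",
            "authorization_request_methods_supported": self.methods_supported,
        }
        if "par" in self.methods_supported:
            md["pushed_authorization_request_endpoint"] = "https://as.example/par"
        return md

    def push(self, client_id, params, now=None):
        # PAR endpoint: the (already authenticated) client pushes its
        # authorization parameters and receives a short-lived, one-time request_uri.
        if "par" not in self.methods_supported:
            return {"error": "unsupported_request_method"}  # illustrative code
        now = time.time() if now is None else now
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        self._pushed[request_uri] = (client_id, dict(params), now + self.ttl)
        return {"request_uri": request_uri, "expires_in": self.ttl}

    def authorize(self, query, now=None):
        # Front-channel authorization endpoint.  Returns ("ok", params) or
        # ("error", code).  Only the PAR-based request_uri path is accepted
        # unless "redirect" is also in the supported methods.
        now = time.time() if now is None else now
        request_uri = query.get("request_uri")
        if request_uri is None:
            if "redirect" in self.methods_supported:
                return ("ok", dict(query))
            return ("error", "invalid_request")  # policy says PAR only
        if not request_uri.startswith(REQUEST_URI_PREFIX):
            # A request_uri the AS did not issue via PAR (e.g. a by-reference
            # request object hosted elsewhere) is rejected under this policy.
            return ("error", "invalid_request_uri")
        entry = self._pushed.pop(request_uri, None)  # pop: single use, no replay
        if entry is None:
            return ("error", "invalid_request_uri")
        client_id, params, expires_at = entry
        if now > expires_at:
            return ("error", "invalid_request_uri")
        if query.get("client_id") != client_id:
            # request_uri was pushed by a different client than the one presenting it
            return ("error", "invalid_request")
        return ("ok", params)


def choose_request_method(metadata):
    """Client side: pick the request method the AS allows.  Falls back to the
    classic redirect when the AS advertises nothing (assumed default)."""
    methods = metadata.get("authorization_request_methods_supported", ["redirect"])
    if "par" in methods and "pushed_authorization_request_endpoint" in metadata:
        return "par"
    if "redirect" in methods:
        return "redirect"
    raise ValueError("AS advertises no request method this client supports")


if __name__ == "__main__":
    par_only = AuthorizationServer(["par"])
    print(choose_request_method(par_only.metadata()))
    print(par_only.authorize({"client_id": "c1", "response_type": "code"}))
    pushed = par_only.push("c1", {"response_type": "code"})
    print(par_only.authorize({"client_id": "c1", "request_uri": pushed["request_uri"]}))
```

The AS-wide signal only tells the client which method to use; the enforcement lives in `authorize`, which makes the policy meaningful regardless of what the client read from discovery. Single use, expiry and client binding of the request_uri are the checks that matter once PAR is the only accepted path, so they are the ones the model exercises.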