Re: [OAUTH-WG] Product Support for RFC8414 well-known URIs

Daniel Fett <fett@danielfett.de> Tue, 09 June 2020 07:42 UTC

To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Filip Skokan <panva.ip@gmail.com>, oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ZwtXoHD6rjIPc5JKRk6Y4oxWOcs>

On 09.06.20 at 00:50, Benjamin Kaduk wrote:
> On Mon, Jun 08, 2020 at 11:15:07AM +0200, Daniel Fett wrote:
>> Hi Filip,
>>
>> Thanks for your answers!
>>
>> I'm not quite sure if the wording in my question was clear: My main
>> concern is the difference between
>> https://example.com/some/path*/.well-known/oauth-authorization-server*
>> and
>> https://example.com*/.well-known/oauth-authorization-server*/some/path,
>> i.e., the usage of the well-known URI as a postfix or as an infix.
> .well-known is only defined at the root of the path component of a URI.
> Usage such as
> https://example.com/some/path*/.well-known/oauth-authorization-server* is
> noncompliant with RFC 5785.

I know, but my impression is that since OIDC did it this way, some
clients are expecting the same behavior for RFC8414. Thus the question
if AS should be allowed or even required to offer the postfix variant in
an ecosystem.

-Daniel


-- 
https://danielfett.de
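
Added example (not part of the original message, and not code from any product discussed in the thread): a client-side sketch of the two placements compared above, the RFC 8414 infix form and the OIDC-style postfix form, together with the RFC 8414 section 3.3 check that the returned issuer is identical to the one the URL was built from. The function names and the allow_postfix switch are assumptions made for illustration; the metadata in the demo is constructed.

```python
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"

def _issuer_parts(issuer):
    """Split an issuer identifier and reject forms RFC 8414 does not allow."""
    p = urlsplit(issuer)
    if p.scheme != "https" or not p.netloc:
        raise ValueError("issuer must be an https URL with a host")
    if p.query or p.fragment:
        raise ValueError("issuer must not carry a query or fragment")
    # RFC 8414 section 3.1: a terminating "/" is removed before inserting.
    path = p.path[:-1] if p.path.endswith("/") else p.path
    return p.scheme, p.netloc, path

def infix_url(issuer):
    """RFC 8414 placement: well-known string between host and issuer path."""
    scheme, host, path = _issuer_parts(issuer)
    return urlunsplit((scheme, host, WELL_KNOWN + path, "", ""))

def postfix_url(issuer):
    """OIDC-style placement: well-known string appended after the issuer path."""
    scheme, host, path = _issuer_parts(issuer)
    return urlunsplit((scheme, host, path + WELL_KNOWN, "", ""))

def candidate_urls(issuer, allow_postfix=False):
    """URLs a client would try, in order; postfix only if the ecosystem opts in."""
    urls = [infix_url(issuer)]
    if allow_postfix and postfix_url(issuer) not in urls:
        urls.append(postfix_url(issuer))
    return urls

def check_metadata(issuer, metadata):
    """RFC 8414 section 3.3: the returned issuer must match exactly."""
    if metadata.get("issuer") != issuer:
        raise ValueError("issuer mismatch: %r" % (metadata.get("issuer"),))
    return metadata

if __name__ == "__main__":
    issuer = "https://example.com/some/path"
    for url in candidate_urls(issuer, allow_postfix=True):
        print(url)
    # Constructed metadata document, as a server for this issuer would return it.
    check_metadata(issuer, {"issuer": issuer})
```

Whichever placement the document is fetched from, the exact-match issuer check is what ties the metadata to the issuer the client intended to use.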