Re: [OAUTH-WG] Questions on draft-ietf-oauth-dyn-reg-09 - token_endpoint_auth_method
John Bradley <ve7jtb@ve7jtb.com> Wed, 24 April 2013 23:23 UTC
In-Reply-To: <E24D0C95-DBDF-430F-B8A7-FC4E67C255BD@oracle.com>
Date: Wed, 24 Apr 2013 20:23:04 -0300
Message-Id: <629E4582-16C4-4554-9591-39E6801FA0A8@ve7jtb.com>
References: <53250C00-9D1C-4E81-9AD6-E12241B875D9@oracle.com> <5178498B.3050406@mitre.org> <0E96125F-CFEC-4157-8A1E-3CFCA1C4D79F@oracle.com> <0C683171-29F6-47EA-A611-AB6394207353@ve7jtb.com> <E24D0C95-DBDF-430F-B8A7-FC4E67C255BD@oracle.com>
To: Phil Hunt <phil.hunt@oracle.com>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
In Connect there is an AS discovery before registration. The general pattern is the RP discovers the capabilities of the AS, the authentication methods and algorithms supported by the AS. The client then picks the best options for it and registers them.

It would in theory work if the client, knowing nothing about the AS, pushed its capabilities at the AS as you are suggesting and let the AS pick. My general feeling is that discovery with the client picking the options works best. In many cases the client doesn't need to register parameters as they can be selected at run time once it knows what a server supports.

The token endpoint authentication method was a bit of a special case where, even though it could be all dynamic and work, you do want to register a choice to prevent backwards compatibility attacks.

I don't really want to complicate registration by trying to make it also cover AS discovery.

John B.

On 2013-04-24, at 7:55 PM, Phil Hunt <phil.hunt@oracle.com> wrote:

> Right, and if the client wants a method not supported then what?
>
> Why can't the client offer up a list of methods it is able to support, say in order of preference?
>
> The text appears to indicate only one value may be passed.
>
> Given the way it is written, it seems better to just have the server say the client must do authn method X in the response.
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
> On 2013-04-24, at 3:41 PM, John Bradley wrote:
>
>> In Connect the AS may support a number of token endpoint authentication methods. The reason to allow a client to register using a particular one is to prevent downgrade attacks.
>>
>> If the client wants to always use an asymmetric signature you don't want to allow attackers to use weaker methods like HTTP Basic.
>>
>> So a server may support any number of methods, but it is reasonable for a client to specify which one it is going to use. In a closed system that may not be that useful, but in an open system where the AS has a looser relationship to the client it is important.
>>
>> John B.
>>
>> On 2013-04-24, at 7:30 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>>> Hmmm… what was the objective or use case for having the client be able to choose in the first place?
>>>
>>> It seems to me that the AS will make a decision based on many factors. As you say, there isn't any other place that enumerates the various [authn] methods a client can use to access the token endpoint. So, why do it?
>>>
>>> Phil
>>>
>>> @independentid
>>> www.independentid.com
>>> phil.hunt@oracle.com
>>>
>>> On 2013-04-24, at 2:07 PM, Justin Richer wrote:
>>>
>>>> Seems reasonable to me; can you suggest language to add in the capability? Would it require an IANA registry? Right now there isn't any other place that enumerates the various methods that a client can use to access the token endpoint.
>>>>
>>>> -- Justin
>>>>
>>>> On 04/24/2013 04:17 PM, Phil Hunt wrote:
>>>>> For parameters to token_endpoint_auth_method, the spec has defined "client_secret_jwt" and "private_key_jwt". Shouldn't there be similar options for SAML?
>>>>>
>>>>> Shouldn't there be an extension point for other methods?
>>>>>
>>>>> Phil
>>>>>
>>>>> @independentid
>>>>> www.independentid.com
>>>>> phil.hunt@oracle.com
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
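The discover-then-register pattern John describes, and the downgrade protection the registered token_endpoint_auth_method gives, as an added toy model in Python. This is example code written for this archive page, not code from the thread, from the dyn-reg draft or from any Connect implementation. The metadata key `token_endpoint_auth_methods_supported` and the method names `client_secret_basic`, `client_secret_jwt` and `private_key_jwt` are the ones used by OpenID Connect Discovery and OAuth dynamic registration; the class and function names, the sample metadata and the client ids are constructed for illustration. Credential verification itself is left out so the focus stays on method pinning at the token endpoint.

```python
"""Toy model of: RP discovers AS capabilities -> RP picks and registers one
token_endpoint_auth_method -> AS refuses any other method at the token endpoint.

Example code added to this page; not from the thread or the draft.
"""
from dataclasses import dataclass, field

# Constructed AS discovery document, what the RP fetches before registering.
# The key name is the real Discovery metadata key; the values are a sample.
AS_METADATA = {
    "issuer": "https://as.example",  # constructed issuer
    "token_endpoint_auth_methods_supported": [
        "client_secret_basic",
        "client_secret_jwt",
        "private_key_jwt",
    ],
}


def choose_auth_method(client_preferences, as_metadata):
    """Client side of the pattern: walk the client's own ordered preferences and
    return the first one the AS advertises.  Returns None when there is no
    overlap, which is the "wants a method not supported, then what?" case
    raised in the thread; the client then knows before registering.
    """
    supported = as_metadata.get(
        "token_endpoint_auth_methods_supported", ["client_secret_basic"]
    )
    for method in client_preferences:
        if method in supported:
            return method
    return None


@dataclass
class AuthorizationServer:
    """Minimal AS holding discovery metadata and per-client registrations."""

    metadata: dict
    registrations: dict = field(default_factory=dict)  # client_id -> method

    def register(self, client_id, requested_method):
        """Registration endpoint: accept a single token_endpoint_auth_method,
        reject values the AS does not support, and pin the accepted value."""
        supported = self.metadata["token_endpoint_auth_methods_supported"]
        if requested_method not in supported:
            return {"error": "invalid_client_metadata"}
        self.registrations[client_id] = requested_method
        return {
            "client_id": client_id,
            "token_endpoint_auth_method": requested_method,
        }

    def authenticate_client(self, client_id, presented_method):
        """Token endpoint: only the registered method is accepted.  A request
        that arrives with any other method, including a weaker one such as
        client_secret_basic for a client that registered private_key_jwt, is
        refused before any credential is examined.  That is the downgrade
        protection the registration gives.  Actual verification of the
        presented credential is omitted in this toy model.
        """
        registered = self.registrations.get(client_id)
        if registered is None:
            return False, "unknown_client"
        if presented_method != registered:
            return False, "auth_method_mismatch"
        return True, "ok"


if __name__ == "__main__":
    # RP prefers an asymmetric signature and falls back to an HMAC JWT.
    chosen = choose_auth_method(["private_key_jwt", "client_secret_jwt"], AS_METADATA)
    as_ = AuthorizationServer(AS_METADATA)
    print(as_.register("rp1", chosen))
    print(as_.authenticate_client("rp1", "private_key_jwt"))
    print(as_.authenticate_client("rp1", "client_secret_basic"))
```

Running the block registers `rp1` with `private_key_jwt`, accepts a token request that uses that method and refuses one that tries `client_secret_basic`. A real AS would additionally verify the JWT assertion or secret for the accepted method; the point of the model is only that the method choice is fixed at registration time rather than negotiated per request.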