Re: [OAUTH-WG] Query on RFC 7591 - dynamic client registration protocol
"Sahler, Frank" <frank.sahler@datev.de> Thu, 16 May 2019 08:33 UTC
Return-Path: <frank.sahler@datev.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FEF812010F for <oauth@ietfa.amsl.com>; Thu, 16 May 2019 01:33:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=datev.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YjzU9orJFWA1 for <oauth@ietfa.amsl.com>; Thu, 16 May 2019 01:33:21 -0700 (PDT)
Received: from idvmailout04.datev.com (idvmailout04.datev.com [193.27.49.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18740120059 for <oauth@ietf.org>; Thu, 16 May 2019 01:33:20 -0700 (PDT)
Received: from biem02.services.datev.de (idvmailproxy02v1.services.datev.de [10.252.82.156]) by idvmailout04.datev.com (Postfix) with ESMTP id 454Pnm0vY4zK8Yb; Thu, 16 May 2019 10:33:15 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=datev.de; s=Vxdd; t=1557995595; x=1562995595; bh=eJYDB6IwEHuikmv0YHpr+fi7V9/aC7Yv/rxGS8oC8yE=; h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:from:reply-to:subject:date:to:cc:content-type: message-id; b=r+YwhcwRHt9Do8xbhBJ7EuA8b0rGVDGh3AxBDEpjmUgWkxpJB+7EJmFEvvTQDL/CV IUp8s+Ma1OxvamlIrkV2OLsj/9jsxJudxB1iUCmDFkxYG/CmtRAx91TCxaDLtablxL xe29yk9G3H6xTAQvX912ha5oqLk+s2KRjm0NqotvMZgH0y74zll484vpE7mNFbrb6Q 4UXb9vScPp1ihYkdSFP234HMVoLrZ3eaMNuuKP0A+n51t35ucu2VpgE3/IK1WLWY+9 PLpnOldVWSGBr1OXhRjGYNGPoKRBp7QaF+GNBYkNt3vXgLvegcUIQNjQLI4VOCpn4M zmNg60+ZoDXew==
X-Virus-Scanned: amavisd-new-2.11.0 on idvmailproxy02.services.datev.de
Received: from WEXCSB002.bk.datev.de (2.40.130.10.in-addr.arpa [10.130.40.2]) by biem02.services.datev.de (Postfix) with ESMTP id 454Pnk4T2zz28Gh; Thu, 16 May 2019 10:33:14 +0200 (CEST)
Received: from WEXCSB010.bk.datev.de (10.130.40.10) by WEXCSB002.bk.datev.de (10.130.40.2) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1713.5; Thu, 16 May 2019 10:33:14 +0200
Received: from WEXCSB010.bk.datev.de ([10.130.40.10]) by WEXCSB010.bk.datev.de ([10.130.40.10]) with mapi id 15.01.1713.006; Thu, 16 May 2019 10:33:14 +0200
From: "Sahler, Frank" <frank.sahler@datev.de>
To: 'Justin Richer' <jricher@mit.edu>
CC: "'oauth@ietf.org'" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Query on RFC 7591 - dynamic client registration protocol
Thread-Index: AdULR5pWZEE5HKV3Q2aM1px2/PKpxwAdapzg
Date: Thu, 16 May 2019 08:33:14 +0000
Message-ID: <480b151b02714a7fb7cedc871df429de@datev.de>
References: <9FDB4A17E451433AB2EDF31BEF4F2EF9@bk.datev.de>
In-Reply-To: <9FDB4A17E451433AB2EDF31BEF4F2EF9@bk.datev.de>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
versandeinstellungen: Signieren=True; Verschluesseln=False; Konvertieren=True; EnglischerDisclaimer=False
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha256"; boundary="=-_DvNextPart_0005_519B127B.36B9AAF6"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/aCem60fkGXzIpXM3icQHGzLZc1Y>
Subject: Re: [OAUTH-WG] Query on RFC 7591 - dynamic client registration protocol
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 May 2019 08:33:25 -0000
Hi Justin, background of my query is that we want to offer in our company the possibility of dynamic client registration. Unfortunately, the topic initial access token - how do I get it and how exactly it is constructed - is not exactly specified - it is out of scope. That is the reason why I searched in internet and found the scope "dcr" in curity documentation. Central question in the moment: how does the user who want to register a client get the initial access token? My idea: We are using a protected client registration so the user first has to authenticate himself. In the authorization request, the scope "dcr" (or any other?) is transferred to the authorization server and as a result there is the initial access token for this user and this client. So, in my opinion, it is guaranteed that one gets the initial access token, which has also requested it. With the idea to use the software statement, I have to work more intensively. I had not seen that way before. Perhaps the initial access token can even be replaced by this. But also there is the question, how is it requested? Greetings Frank -----Ursprüngliche Nachricht----- Von: Justin Richer <jricher@mit.edu> Gesendet: Mittwoch, 15. Mai 2019 19:57 An: Sahler, Frank <frank.sahler@datev.de> Cc: oauth@ietf.org Betreff: Re: [OAUTH-WG] Query on RFC 7591 - dynamic client registration protocol On the surface this is fine, but it hides an important detail: you need to have a client registered with the system in order to make a token request, meaning that the “dcr” token was issued to a different client than the one making the registration request. So that just means that the developer is going to have to copy it by hand into a configuration, or otherwise pass it to the instances at runtime. Is it allowable? Sure, as the RFC doesn’t state (or care) how you got the initial access token for the registration request. Is it standard? Well, the “dcr” scope is specific to this company’s implementation, and it’s a little odd using an automated process to get a token for what will be an automated process. That basically leaves one instance of the application as the “primary” instance and everything else builds off of that. It’s more common to use a software statement, which also locks down a set of client attributes in a signed statement. In fact, in the original version of this part of the specification, which came from the BlueButton+REST project, the “software statement” and “initial access token” were one and the same. This working group decided that the functionality was better separated. — Justin On May 14, 2019, at 1:30 PM, Sahler, Frank <frank.sahler@datev.de<mailto:frank.sahler@datev.de>> wrote: Hello, I read in the dynamic client registration documentation of the company curity (https://developer.curity.io/tutorials/dynamic-client-registration-overview) that they use the scope "dcr" in the authorization request to get an initial access token i.e. a bearer token that only allows access to the registration endpoint. Is this also from your point of view a feasible way to initiate the client registration? Unfortunately the specification says nothing about how to get the token and how its purpose is limited to the registration endpoint. These two points are "out of scope for this specification". Regards Frank Sahler Security Consultant DATEV eG, Nuremberg, Germany ________________________________ Signatur Diese E-Mail wurde mit einem Zertifikat der DATEV eG signiert. Damit können Sie sicher sein, dass die Nachricht so von uns gesendet wurde. Wenn Sie eine Meldung erhalten, dass die Signatur ungültig ist oder nicht geprüft werden kann, fehlt das Zertifikat zu dieser Signatur auf Ihrem Rechner. Informationen zu Zertifikaten und zur digitalen Signatur finden Sie unter https://www.datev.de/zertifikate im Internet. ________________________________ DATEV eG 90329 Nürnberg Telefon +49 911 319-0 E-Mail: info@datev.de<mailto:info@datev.de> Internet: https://www.datev.de<https://www.datev.de/> Sitz: 90429 Nürnberg, Paumgartnerstraße 6-14 Registergericht Nürnberg, GenReg Nr. 70 Vorstand Dr. Robert Mayr (Vorsitzender) Eckhard Schwarzer (stellv. Vorsitzender) Julia Bangerth Prof. Dr. Peter Krug Diana Windmeißer Vorsitzender des Aufsichtsrates: Nicolas Hofmann _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth ________________________________ Signatur Diese E-Mail wurde mit einem Zertifikat der DATEV eG signiert. Damit können Sie sicher sein, dass die Nachricht so von uns gesendet wurde. Wenn Sie eine Meldung erhalten, dass die Signatur ungültig ist oder nicht geprüft werden kann, fehlt das Zertifikat zu dieser Signatur auf Ihrem Rechner. Informationen zu Zertifikaten und zur digitalen Signatur finden Sie unter https://www.datev.de/zertifikate im Internet. ________________________________ DATEV eG 90329 Nürnberg Telefon +49 911 319-0 E-Mail: info@datev.de Internet: https://www.datev.de Sitz: 90429 Nürnberg, Paumgartnerstraße 6-14 Registergericht Nürnberg, GenReg Nr. 70 Vorstand Dr. Robert Mayr (Vorsitzender) Eckhard Schwarzer (stellv. Vorsitzender) Julia Bangerth Prof. Dr. Peter Krug Diana Windmeißer Vorsitzender des Aufsichtsrates: Nicolas Hofmann
- [OAUTH-WG] Query on RFC 7591 - dynamic client reg… Sahler, Frank
- Re: [OAUTH-WG] Query on RFC 7591 - dynamic client… Justin Richer
- Re: [OAUTH-WG] Query on RFC 7591 - dynamic client… Sahler, Frank
- Re: [OAUTH-WG] Query on RFC 7591 - dynamic client… Phil Hunt