Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-resource-indicators-01.txt
Brian Campbell <bcampbell@pingidentity.com> Tue, 22 March 2016 14:54 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7649F12D847 for <oauth@ietfa.amsl.com>; Tue, 22 Mar 2016 07:54:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VlcGz5uRp3OH for <oauth@ietfa.amsl.com>; Tue, 22 Mar 2016 07:54:31 -0700 (PDT)
Received: from mail-io0-x231.google.com (mail-io0-x231.google.com [IPv6:2607:f8b0:4001:c06::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24DE012D6A5 for <oauth@ietf.org>; Tue, 22 Mar 2016 07:54:31 -0700 (PDT)
Received: by mail-io0-x231.google.com with SMTP id m184so245777615iof.1 for <oauth@ietf.org>; Tue, 22 Mar 2016 07:54:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=hPPekvCeAZUEG2+TOe28EmAh14dXckihjmzH8kAD+xM=; b=DmP/2cCTGV/DHtcz32wNxvOVE+qm3Mn8r3N8uDFio9wBG5LbiOuSjozirJn6upOP+r EwFEXKLxuupENDKLRVX8kgyUR6z7SpBgUf6doReSGFRvgc42vcl3aOMDGxFNeWNEc9hB EN4x1De9Po/1t5n7BnxXLugwuv9xswQSz2gtQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=hPPekvCeAZUEG2+TOe28EmAh14dXckihjmzH8kAD+xM=; b=KtVcVem8+uf1+gbHsYbhI//pAIs134Ouzq3qK1OqZ9EbaTJBo1z4e2rmZq3WYFfaK1 wDEFPmqdDVT93hnaOlglNR1rWcPPNGzFVC82I8rfQN8Ciq2jUq5VUyp3NQWkUuvw1T0z Ibyfwsp5+ZEp8ZjpLEgD3M3CooyBkrClm93pJTLCi42wqiG+txojR+1/YMmVSYGq4rev jvjjAU/yl4DPiw8qCi7BOMVuNk1FUKcS7qVCyDwtkX9kbSlBc4NqJwQrzeL+LbiZYTQe XjIGVXBHiBiQt490hmgyUDJi4GW/At5W0NzMDLOjwJXKXUdr5sucwkMOCLgka3AxW01w gFTg==
X-Gm-Message-State: AD7BkJKJuiqrXXSVZuTIk6bAMcWnFcyDd0/Ck29f9bmKaYRavgqyfkhWsbSfK89OVRVLLkJQDXpJeNfVwGRxzVA+
X-Received: by 10.107.132.18 with SMTP id g18mr37422903iod.48.1458658470354; Tue, 22 Mar 2016 07:54:30 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.28.196 with HTTP; Tue, 22 Mar 2016 07:54:00 -0700 (PDT)
In-Reply-To: <0DBACD62-E2FB-43D2-A2F6-F1A16794117A@oracle.com>
References: <20160321173103.31961.76817.idtracker@ietfa.amsl.com> <CAAX2Qa2kovVmCoByJc0HsE9a3ZS6Lm+9F2bzgynBoahttcv8Zw@mail.gmail.com> <CA+k3eCSOMkm+1_0+77+RONTVMbS=y9KpPWaO4jAEU0CfiiGF-Q@mail.gmail.com> <0DBACD62-E2FB-43D2-A2F6-F1A16794117A@oracle.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 22 Mar 2016 08:54:00 -0600
Message-ID: <CA+k3eCRDns-x7aZ7-x83+9wrRQ5s8gmFxKDA+W4aAJUahN6BVw@mail.gmail.com>
To: Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary="001a113ecbe4f97e8c052ea46301"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/aED1UpQXU8AQtPWme5sukjDp9kc>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-resource-indicators-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2016 14:54:34 -0000
I don't consider this draft to be a direct alternative to the bound config
thing. It aims to fill a need that the WG has discussed several times
previously. It happens to also facilitate getting audience restrictions
into ATs, which address the concerns about a bad RS using an AT at a good
RS that seem to have surfaced recently (and some have gone so far as to say
isn't a 'real problem' at this time). AFAICT, bound config was put forth as
commentary or an alternative to "OAuth 2.0 Authorization Server Discovery
Metadata" that tries to check the legitimacy of an RS with webfinger.
Though, to be honest, I don't really understand what bound config solves.
The client provides the resource parameter to the token endpoint to
indicate what RS it wants a token for. Or to the authorization endpoint for
implicit (when an AT is returned as an authorization response parameter).
There shouldn't be a a need for unnecessary authorizations in most cases.
The audience to resource relationship is determined by the AS and RSs and
their deployment relationship. Pretty much how it is today. The resource
parameter just gives the client a tool to communicate the RS to the AS.
Backwards compatibility and optionality do need to be taken into account.
It's an extension. How migration and enforcement will be handled will be
policy and implementation decisions. That's just the state of things with
OAuth.
The resource parameter is available to all clients and doesn't rely on
discovery or metadata or registration.
The error condition is described in the draft as follows. Is there
something specific you believe should be addressed?
'If the
authorization server fails to parse the provided value or does not
consider the resource server acceptable, it MUST reject the
request and provide an error response with the error code
"invalid_resource".'
On Mon, Mar 21, 2016 at 2:15 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
> What about server processing rules and error conditions? The client
> passes the resource in with every request. What happens if it sends a bad
> URL. I see the registration for invalid_resource, but I see no processing
> logic for the server that describes when that is returned. I’ll assume
> that is TBD.
>
> The draft seems more finer grained than with bound configuration
> approach. It suggests that the client will make a different URL request
> for each resource URL. This could lead to a lot of unnecessary
> authorizations. I think we still have to resolve the audience to resource
> relationship problem and just how much detail the AS service needs to know.
>
> I note that we have a similar issue with bound config on how granular
> resource URL processing is needed. My main goal is for config to validate
> the domain name only as a major improvement as we just need to make sure
> the client is talking to a valid server and not a MITM proxy.
>
> Finally, there is the question of optionality (in order to have backwards
> compatibility for static clients). If resource is optional, than how do we
> deal with dynamic clients that simply don’t both to use the resource
> parameter?
>
> We’re depending on client developers taking an extra step to provide the
> resource parameter. Maybe optionality for resource url becomes part of the
> client_id registration? In contrast, config discovery is brand new, so
> making validation required is not such a big deal as static clients
> wouldn’t use discovery.
>
> Another failure condition both drafts should consider:
> * when an authorization, token, or resource endpoint starts to fail,
> should the client fall back to discovery to re-verify configuration? If
> so, on what errors? A valid usecase would be a service provider deciding
> to re-configure its services naturally over time.
> * what are the issues when an endpoint that was part of configuration
> issues a re-direct? There are good and bad scenarios (e.g. to a specific
> cluster node), a resource that was relocated, or a hacked service that
> wants to steal tokens. In these cases, should the client re-validate the
> new resource URI either using this draft or the bound config method?
>
> *On a positive note, unrelated to security, there have been a lot of
> inquiries over the years about how to authorize against on user-owned
> resources. E.g. How can I ask for authorizations to Brian’s github
> project? I think this is worth discussing. Weighing the security and
> functionality needs would be a worthwhile discussion in BA.*
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
>
>
>
>
> On Mar 21, 2016, at 10:41 AM, Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
> Very minor update to this draft before the deadline that moves Hannes from
> Acknowledgements to Authors in acknowledgment of his similar work a few
> years ago. Also fleshed out the IANA section with the formal registration
> requests.
>
>
> ---------- Forwarded message ----------
> From: <internet-drafts@ietf.org>
> Date: Mon, Mar 21, 2016 at 11:31 AM
> Subject: New Version Notification for
> draft-campbell-oauth-resource-indicators-01.txt
> To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, Hannes Tschofenig <
> Hannes.Tschofenig@gmx.net>, Brian Campbell <brian.d.campbell@gmail.com>,
> John Bradley <ve7jtb@ve7jtb.com>
>
>
>
> A new version of I-D, draft-campbell-oauth-resource-indicators-01.txt
> has been successfully submitted by Brian Campbell and posted to the
> IETF repository.
>
> Name: draft-campbell-oauth-resource-indicators
> Revision: 01
> Title: Resource Indicators for OAuth 2.0
> Document date: 2016-03-21
> Group: Individual Submission
> Pages: 8
> URL:
> https://www.ietf.org/internet-drafts/draft-campbell-oauth-resource-indicators-01.txt
> Status:
> https://datatracker.ietf.org/doc/draft-campbell-oauth-resource-indicators/
> Htmlized:
> https://tools.ietf.org/html/draft-campbell-oauth-resource-indicators-01
> Diff:
> https://www.ietf.org/rfcdiff?url2=draft-campbell-oauth-resource-indicators-01
>
> Abstract:
> This straw-man specification defines an extension to The OAuth 2.0
> Authorization Framework that enables the client and authorization
> server to more explicitly to communicate about the protected
> resource(s) to be accessed.
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
- [OAUTH-WG] Fwd: New Version Notification for draf… Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … Phil Hunt
- Re: [OAUTH-WG] Fwd: New Version Notification for … Sergey Beryozkin
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … Torsten Lodderstedt
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … torsten@lodderstedt.net
- Re: [OAUTH-WG] Fwd: New Version Notification for … John Bradley