IETF Logo Mail Archive

[OAUTH-WG] Re: OAuth Client ID Metadata Document

Emelia Smith <emelia@brandedcode.com> Mon, 08 July 2024 19:38 UTC

Return-Path: <emelia@brandedcode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0B90C1F6C9B for <oauth@ietfa.amsl.com>; Mon, 8 Jul 2024 12:38:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.215
X-Spam-Level:
X-Spam-Status: No, score=-1.215 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MIME_HTML_ONLY_MULTI=0.001, MIME_QP_LONG_LINE=0.001, MPART_ALT_DIFF=0.79, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=brandedcode.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YFuUVabrUCSu for <oauth@ietfa.amsl.com>; Mon, 8 Jul 2024 12:38:36 -0700 (PDT)
Received: from mail-wm1-x32e.google.com (mail-wm1-x32e.google.com [IPv6:2a00:1450:4864:20::32e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C092C1F6C95 for <oauth@ietf.org>; Mon, 8 Jul 2024 12:38:36 -0700 (PDT)
Received: by mail-wm1-x32e.google.com with SMTP id 5b1f17b1804b1-4255fa23f7bso28955355e9.2 for <oauth@ietf.org>; Mon, 08 Jul 2024 12:38:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brandedcode.com; s=google; t=1720467515; x=1721072315; darn=ietf.org; h=to:references:message-id:cc:date:in-reply-to:from:subject :mime-version:content-transfer-encoding:from:to:cc:subject:date :message-id:reply-to; bh=ou0Fz0bItPF0X89Z7LCCnJT4bz1vgAxnnYlUfpDJtaA=; b=dQ53OYrKPFG8CrdelHe+XfN8dlqrPnbzVN8mWWbKx4oEJN+MBM1EcYDEWO6UNfO3S8 btMjOnmeFM3khMzZ/eCTu6hooV5xw5twnPamR4wCq9vn1yHD4fhhN9TbkwpOSPk9L7im jAqdIw0MeDxn9N/rIEYSBBaemaru2/baFpCFhojIwqK/meKHvflKciBjCgfYS80TMscG gNvQ7rB0sgF3j4iPvyskuMjCJOHSx9j33ExPVpF6ieMjqkZLPg0r66F9aw6erPMtjzHe Hz1G0aVoxk4CuGPK9oYu6uq38fC+0ntiEMl0ETbj5gxgqNKs0yUurhvkOxj13v4jRwpI ZhMw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720467515; x=1721072315; h=to:references:message-id:cc:date:in-reply-to:from:subject :mime-version:content-transfer-encoding:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=ou0Fz0bItPF0X89Z7LCCnJT4bz1vgAxnnYlUfpDJtaA=; b=vNSaLyvqm+HvL+MblCKc1bLkGHa+7I1icrlZDJ3gurERWpBbcOpXXVPvropEwV/JB9 Z5EpdnaHT0RnSpkHxGB3qqxahh0iKXDuiHiDtYMGlxxY5IW6VDdNu5WVRlJsCwXF9kUK UwEBm0pIeFmo6EbP9HUuFzgA0RMoejaO+Rk6uj+R1XBNbXzsU7KYXVNKzMEzTxfdjsGJ lHVfZN/PkFBc4pNmrZ6L2gEZ3LfeNi1T78BV4Gw+oyrAoHIrtGL7wzYginVdRRJ17Ffh KQQ0dK0WpsQfYkqxMbzqScTnfDK8yXeFVi6Lhqh7X3cf759fSqwlcBv/g0emfRSINqST eKkg==
X-Forwarded-Encrypted: i=1; AJvYcCVfD9IH67pvyjyL0+vsKRXNQQlE/Y0+36V3XQgw5hsPILPL9JuxHev5NKZ04pu3fB+6p+HRRzvyMqM+lrnkRA==
X-Gm-Message-State: AOJu0YyOQEOm6nWzY4gDk9eJkdVj7sngB7Ksc2OWu+NUS/m+PkIS3LNN VEBdkXSI5vmpjPy8OeOZhPGgBvZWdXfLqqxWtOFXkokTo+LcBl3Q3ZvvwDm2+b0=
X-Google-Smtp-Source: AGHT+IFxfd0AopCONpprg4+EzQYfgju1ZVkLHu2XS8on8OcRlLaqv6cPH7d8N+A9+3k1eNYTx4WRdA==
X-Received: by 2002:a7b:cbc9:0:b0:426:6675:a115 with SMTP id 5b1f17b1804b1-426707db7e2mr3739215e9.22.1720467514677; Mon, 08 Jul 2024 12:38:34 -0700 (PDT)
Received: from smtpclient.apple (p200300ef2f04445ac5223fa0005971af.dip0.t-ipconnect.de. [2003:ef:2f04:445a:c522:3fa0:59:71af]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4266f741624sm9157925e9.41.2024.07.08.12.38.34 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 08 Jul 2024 12:38:34 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-39F8F14A-49E6-4971-8160-8548028B1166"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
From: Emelia Smith <emelia@brandedcode.com>
In-Reply-To: <CAD9ie-sDwJ3UZq9XtqwkKv7etjKP=9SeJYzhJN6WyEMpiBNAhA@mail.gmail.com>
Date: Mon, 08 Jul 2024 21:38:23 +0200
Message-Id: <37510C10-72A2-41C5-A28B-E75DE2723D90@brandedcode.com>
References: <CAD9ie-sDwJ3UZq9XtqwkKv7etjKP=9SeJYzhJN6WyEMpiBNAhA@mail.gmail.com>
To: Dick.Hardt@gmail.com
X-Mailer: iPhone Mail (21F90)
Message-ID-Hash: QFJNR25KZ77SCLXLMLE3QQEAMSB6OBX4
X-Message-ID-Hash: QFJNR25KZ77SCLXLMLE3QQEAMSB6OBX4
X-MailFrom: emelia@brandedcode.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: OAuth Client ID Metadata Document
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dz2ikN9JUHiVRuempYUUQu7eATs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>



On 8. Jul 2024, at 21:17, Dick Hardt <dick.hardt@gmail.com> wrote:

On Mon, Jul 8, 2024 at 11:33 AM Emelia S. <emelia@brandedcode.com> wrote:
I would suggest that if an AS were to implement to competing specifications for what a client_id means, then it'd be up to the implementor to decide what is used when. E.g., it'd be difficult to support both OpenID Federation and this I-D simultaneously without some degree of work on the implementors' behalf to try to decide which specification should be used (both have client_id's as URIs, but operate very differently)

Why would there be any difference between the two? OpenID Connect does not dictate where the client metadata comes from.

This is in relation to OpenID Federation which also allows URIs as client_id's and has a process for resolving them based on a well-known URI.


So how it handles a URI as client_id is different to how our I-D handles things, you would likely pick one to implement based on your security requirements. (e.g., a bank or fintech service isn't likely to use client identifier metadata documents, because they need a much higher level of trust than something like social networking)

The only real mechanism for "claim" here would be through some sort of DNS proof, but that requires either some sort of binding between the client identifier metadata document and the DNS record, or some pre-existing relationship with the AS where the AS provides the value for the proof. I'd be inclined to consider this out of scope, and just allow AS's to provide access to resources as they see fit (no different to dynamic client registration)

Per my comments in GitHub, do we want to be able to treat developers of software that want localhost differently than people that deploy the software that are able to deploy without registration? 

If so, then standardizing how to claim your app may be useful.

There may not be a requirement to actually claim the app though. The developer might be able to just enter a URI for the client and then have access to additional features for development. I've not thought through all the security implications of course!

I don't think we do want to support client_id's that resolve to non-public resources, as there is just too much risk of SSRF attacks and the AS cannot fetch the client metadata, which is the entire purpose of this I-D: allowing the AS to request the metadata rather than needing DCR.


Sorry we won't see you in Vancouver!

/Dick

v2.35.0 | Report a Bug | By Email | System Status