IETF Logo Mail Archive

Re: [OAUTH-WG] Registration: RESTful client lifecycle management

John Bradley <ve7jtb@ve7jtb.com> Thu, 14 February 2013 14:35 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B61A21F8806 for <oauth@ietfa.amsl.com>; Thu, 14 Feb 2013 06:35:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.388
X-Spam-Level:
X-Spam-Status: No, score=-3.388 tagged_above=-999 required=5 tests=[AWL=0.211, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s-ymjLj7UUN7 for <oauth@ietfa.amsl.com>; Thu, 14 Feb 2013 06:35:31 -0800 (PST)
Received: from mail-qa0-f51.google.com (mail-qa0-f51.google.com [209.85.216.51]) by ietfa.amsl.com (Postfix) with ESMTP id 4032721F871F for <oauth@ietf.org>; Thu, 14 Feb 2013 06:35:31 -0800 (PST)
Received: by mail-qa0-f51.google.com with SMTP id cr7so1070927qab.10 for <oauth@ietf.org>; Thu, 14 Feb 2013 06:35:30 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:content-type:mime-version:subject:from:in-reply-to:date :cc:content-transfer-encoding:message-id:references:to:x-mailer :x-gm-message-state; bh=/vuqJQIbDMQYS9H7Pf26NQpkWSqKkoE7ALL9OEj94mE=; b=ScbexGbljiyjAlxZi+GPZttwHC2JDMBrtckCoDFwdJlbS02BycRvAqOC/GFJAV5CTB VqyEO0CsqyIXyvAuatxesNoHxDuXcw2gVOtAAgtYrqnr3CUdr1J6aFXSgZdeEYVrcuzw t2iPTOWGaJy7FuLJ4EeVzz7XqzXuxS/feLhphCsnUAYpi9LyqHX6z1GLqhf6NXTLpwM8 cTz1daSKRARiR47brYtLL0ytkbz3VNgCyZh8m72MdMGYrjuIPVxWZsTbj/JiHBT6OwIu K8jCiID5xAcCo2OEFE3t6O2O+UlJL20MXUwJrP2eG2xvsfsN/iDLHh5xZYdFm4SRRgv1 g+nw==
X-Received: by 10.224.33.140 with SMTP id h12mr682388qad.73.1360852530651; Thu, 14 Feb 2013 06:35:30 -0800 (PST)
Received: from [192.168.1.213] (190-20-16-126.baf.movistar.cl. [190.20.16.126]) by mx.google.com with ESMTPS id o5sm18495545qao.12.2013.02.14.06.35.26 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 14 Feb 2013 06:35:29 -0800 (PST)
Content-Type: text/plain; charset="iso-2022-jp"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <511CF2C9.9040604@mitre.org>
Date: Thu, 14 Feb 2013 11:35:16 -0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <F93467E8-6196-4A65-8A0E-B3897E47FBEB@ve7jtb.com>
References: <51195F36.6040705@mitre.org> <780F8C26-19A4-4301-B350-307D9FFF69CD@ve7jtb.com> <511BAA8B.8030309@mitre.org> <BEBDAFAC-28B0-4959-9FE5-34EC17FC318C@ve7jtb.com> <-4554688250617930935@unknownmsgid> <AF401161-0C7C-4E49-9F44-9982B312FF6D@ve7jtb.com> <CABzCy2BtzA-DJofpSkKJWrwfYtM8a+44VWe1Lx+f_ow=mW8kwg@mail.gmail.com> <4687F290-4855-49DE-892F-F9694BB211D4@ve7jtb.com> <511CF2C9.9040604@mitre.org>
To: Justin Richer <jricher@mitre.org>
X-Mailer: Apple Mail (2.1499)
X-Gm-Message-State: ALoCoQlOdioMRTLvfP/d4Xjf7OPRnEBEHgpR6Ces/pyYVcmQagnU7IrVomCN7CZUYBP8jOCWpqdA
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Registration: RESTful client lifecycle management
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2013 14:35:32 -0000

On 2013-02-14, at 11:20 AM, Justin Richer <jricher@mitre.org> wrote:

> 
> On 02/14/2013 09:05 AM, John Bradley wrote:
>> I agree with Tim that is the behaviour I would  expect to see with DELETE though I have a rd time seeing a server ever honouring it.
>> 
>> I guess that we need to clarify what happens with PUT and claims the server has defaults for, perhaps some that are not changeable by the client.   
>> 
>> Is not including a claim in a PUT the same as not including it in registration, and it is set to the default.  
>> If you want to set a claim to null then you must explicitly include the claim with null as the value. That is the previous logic we had for replace as the client wasn't getting back all the config in the response and couldn't know about defaults it wasn't setting.
>> 
>> Perhaps PUT causes unsent claims to be interpreted as if they are sent with a null value (I think that is a likely to cause tears personally).
>> 
>> In ether case the client is not deleted and can still be recovered and the client_id and associated permissions are still active.
> 
> What I had in mind from this conversation is something like this:
> 
> When sending an update, a client MUST send all metadata fields returned
> from the server in its initial registration or previous read or update
> call, including its client_id. A server MAY replace any missing or
> invalid fields with default values, or it MAY return an error as
> described in the Error Response section. A server MUST return all
> provisioned fields in its response. A server MUST NOT change the
> client_id field. A server MAY change the client_secret and/or
> refresh_access_token fields.

Yes that covers it.
> 
>> 
>> DELETE to be used correctly is I think going to delete the client_id and all associated tokens and cause a ripple effect in removing grants associated with that client_id.  
> 
> This is how I would interpret it as well. It's de-provisioning the
> client, not resetting it.

That is what I would expect I don't know if it is a good idea, and adds to the size of the spec.   Having a not supported response is better but, I don't have a good feeling about it yet.


> 
> -- Justin
> 
>> 
>> It is a big difference and understanding what a AS is supposed to do to delete a client still seems a touch vague to me.   I understand the http verb but there is more to it than that if we want interoperability.
>> 
>> John
>> 
>> On 2013-02-14, at 12:31 AM, Nat Sakimura <sakimura@gmail.com> wrote:
>> 
>>> I thought your concern about DELETE was whether the client should be
>>> allowed to erase the registration data.
>>> I thought PUT with an empty values would achieve a similar effect.
>>> Or did you mean that with PUT, the server default kicks in and
>>> parameters are set to the defaults?
>>> If that is the case, they are quite different, I agree.
>>> 
>>> On the effect of DELETE, +1 to Tim's comment.
>>> 
>>> Nat
>>> 
>>> 2013/2/14 John Bradley <ve7jtb@ve7jtb.com>:
>>>> DELETE is removing the record not resetting it to defaults.  They are quite diffrent.
>>>> 
>>>> I want to agree on what the expected behaviour of DELETE is.   I think we have agreement on PUT and POST.
>>>> 
>>>> The general not in that a client can DELETE it's record is a implication I don't like.  I think that is for the server to decide and if it is not actually deleting it then DELETE is the wrong verb to use.
>>>> 
>>>> John B.
>>>> 
>>>> On 2013-02-13, at 3:31 PM, Nat Sakimura <sakimura@gmail.com> wrote:
>>>> 
>>>>> Generally speaking, mapping PUT to replace and POST to change is an
>>>>> acceptable practice so I am fine with it.
>>>>> 
>>>>> Now, what I still do not understand is why you think it is fine to do
>>>>> PUT or POST and not DELETE. Doing PUT with empty content is almost the
>>>>> same as DELETE. Could you explain?
>>>>> 
>>>>> =nat via iPhone
>>>>> 
>>>>> Feb 14, 2013 0:10、John Bradley <ve7jtb@ve7jtb.com> のメッセージ:
>>>>> 
>>>>>> I am not violently opposed to PUT as a option that completely replaces the resource setting all unsent claims back to the defaults.
>>>>>> 
>>>>>> I don't have a good feeling about DELETE,  I think we still need more discussion on what it means, what privileges it takes to invoke it etc.
>>>>>> It could be a bad thing if we get wrong or is not implemented consistently.
>>>>>> 
>>>>>> Personally I don't think a client should ever be able to DELETE it's record.
>>>>>> 
>>>>>> I think marking a client_id as pending provisioning, suspended,  revoked etc is better and that can be done with a claim in the update endpoint.
>>>>>> 
>>>>>> It should only be the server that deletes a record after satisfying it's audit requirements.
>>>>>> 
>>>>>> John B.
>>>>>> 
>>>>>> On 2013-02-13, at 12:00 PM, Justin Richer <jricher@mitre.org> wrote:
>>>>>> 
>>>>>>> Would it be reasonable to mark the PUT and DELETE methods as optional for the server to implement, but with defined semantics if they do? I want to keep GET and POST(create) as mandatory, as I think that's the minimal set of functionality required.
>>>>>>> 
>>>>>>> -- Justin
>>>>>>> 
>>>>>>> On 02/11/2013 08:51 PM, John Bradley wrote:
>>>>>>>> I would always include the client_id on update.
>>>>>>>> 
>>>>>>>> I think it is also us full to have other tokens used at the update endpoint.  I can see the master token used to update all the clients it has registered as part of API management.
>>>>>>>> Relying on the registration_access_token is probably a design that will cause trouble down the road.
>>>>>>>> 
>>>>>>>> I think GET and POST are relatively clear.   I don't know about expelling PUT to developers.  I think POST with a client_id to a (separate discussion) update_uri works without restricting it to PUT.
>>>>>>>> 
>>>>>>>> I think DELETE needs to be better understood.   I think a status that can be set for client lifecycle is better than letting a client delete a entry.
>>>>>>>> In some cases there will be more than one instance of a client and letting them know they have been turned off for a reason is better than making there registration disappear.
>>>>>>>> So for the moment I would levee out DELETE.
>>>>>>>> 
>>>>>>>> John B.
>>>>>>>> 
>>>>>>>> On 2013-02-11, at 6:14 PM, Justin Richer <jricher@mitre.org> wrote:
>>>>>>>> 
>>>>>>>>> Draft -05 of OAuth Dynamic Client Registration [1] defines several operations that the client can take on its behalf as part of the registration process. These boil down to the basic CRUD operations that you find in many APIs: Create, Read, Update, Delete. Draft -00 defined only the "Create" operation, draft -01 through -04 added the "Update" operation, switched using the "operation=" parameter.
>>>>>>>>> 
>>>>>>>>> Following several suggestions to do so on the list, the -05 draft defines these operations in terms of a RESTful API for the client. Namely:
>>>>>>>>> 
>>>>>>>>> - HTTP POST to registration endpoint => Create (register) a new client
>>>>>>>>> - HTTP PUT to update endpoint (with registration_access_token) => Update the registered information for this client
>>>>>>>>> - HTTP GET to update endpoint (with registration_access_token) => read the registered information for this client
>>>>>>>>> - HTTP DELETE to update endpoint (with registration_access_token) => Delete (unregister/de-provision) this client
>>>>>>>>> 
>>>>>>>>> The two main issues at stake here are: the addition of the READ and DELETE methods, and the use of HTTP verbs following a RESTful design philosophy.
>>>>>>>>> 
>>>>>>>>> Pro:
>>>>>>>>> - RESTful APIs (with HTTP verbs to differentiate functionality) are the norm today
>>>>>>>>> - Full lifecycle management is common and is going to be expected by many users of this protocol in the wild
>>>>>>>>> 
>>>>>>>>> Cons:
>>>>>>>>> - Update semantics are still under debate (full replace? patch?)
>>>>>>>>> - Somewhat increased complexity on the server to support all operations
>>>>>>>>> - Client has to understand all HTTP verbs for full access (though plain registration is just POST)
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> Alternatives include using an operational switch parameter (like the old drafts), defining separate endpoints for every action, or doing all operations on a single endpoint using verbs to switch.
>>>>>>>>> 
>>>>>>>>> -- Justin
>>>>>>>>> 
>>>>>>>>> [1] http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-05
>>>>>>>>> _______________________________________________
>>>>>>>>> OAuth mailing list
>>>>>>>>> OAuth@ietf.org
>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> 
>>> -- 
>>> Nat Sakimura (=nat)
>>> Chairman, OpenID Foundation
>>> http://nat.sakimura.org/
>>> @_nat_en
>

v2.35.0 | Report a Bug | By Email | System Status