Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery
Thomas Broyer <t.broyer@gmail.com> Thu, 10 March 2016 11:51 UTC
I agree with Samuel's comments wrt jwks_uri and registration_endpoint; and support the name change to “OAuth 2.0 Authorization Server Discovery Metadata” (or possibly “OAuth 2.0 Authorization Server Discovery”; but I'd rather narrow down the scope to only talk about metadata, without discovery mechanism of that metadata; I won't fight for that though, it's just a preference, not a strong opinion)

On Thu, Mar 10, 2016 at 12:33 PM Mike Jones <Michael.Jones@microsoft.com> wrote:

> Thanks for your comments, Samuel. Yes, you’re right that jwks_uri should
> be OPTIONAL, since not all use cases need keys. Likewise,
> registration_endpoint should be OPTIONAL, rather than RECOMMENDED.
>
> The grant_type values are defined in OAuth Dynamic Client Registration
> [RFC 7591] and are identifiers for the grant type concept defined in RFC
> 6749. They identify the grant types that can be used at the Token
> Endpoint. The response_type concept is defined in RFC 6749, and identifies
> a response syntax from the authorization endpoint. We can say more to
> differentiate these in the next draft.
>
> BTW, lest it be in doubt, I support this draft moving forward, with the
> name changed to “OAuth 2.0 Authorization Server Discovery” or “OAuth 2.0
> Authorization Server Discovery Metadata” – as discussed in the thread
> “OAuth 2.0 Discovery Location”. I’m also open to introducing the
> “/.well-known/oauth-authorization-server” identifier, as discussed in
> that thread.
>
> -- Mike
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of* Samuel Erdtman
> *Sent:* Wednesday, March 9, 2016 11:28 PM
> *To:* Hannes Tschofenig <hannes.tschofenig@gmx.net>
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery
>
> Hi,
>
> I sent a few comments two weeks ago that have not been explicitly commented
> on. (I might have sent them in the wrong way, if so sorry about that)
>
> https://mailarchive.ietf.org/arch/msg/oauth/Z0LCBuvFDCQTd4xfwoddlbC2P7w
>
> Most of the comments are minor but I would like to see
>
> jwks_uri to be changed from REQUIRED to OPTIONAL or RECOMMENDED
>
> and at least get a comment of the difference
> between response_types_supported and grant_types_supported
>
> Best regards
>
> //Samuel
>
> On Thu, Feb 18, 2016 at 2:40 PM, Hannes Tschofenig <
> hannes.tschofenig@gmx.net> wrote:
>
> Hi all,
>
> This is a Last Call for comments on the OAuth 2.0 Discovery specification:
> https://tools.ietf.org/html/draft-ietf-oauth-discovery-01
>
> Since this document was only adopted recently we are running this last
> call for **3 weeks**.
>
> Please have your comments in no later than March 10th.
>
> Ciao
> Hannes & Derek
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
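
Added example, not part of the original message, the draft, or any participant's code: a client-side check of authorization server metadata that keeps response_types_supported (authorization endpoint) and grant_types_supported (token endpoint) separate and treats jwks_uri and registration_endpoint as optional, as discussed in the thread. The function name, the sample document and the host as.example.com are constructed; the default for an omitted grant_types_supported is assumed from RFC 8414, and the response_type to grant_type correspondence is the one in RFC 7591, section 2.1.

```python
# Added example: not code from the draft or from anyone in this thread.
# Constructed metadata document; as.example.com is a placeholder host.
SAMPLE_METADATA = {
    "issuer": "https://as.example.com",
    "authorization_endpoint": "https://as.example.com/authorize",
    "token_endpoint": "https://as.example.com/token",
    "response_types_supported": ["code", "token"],
    "grant_types_supported": ["authorization_code", "client_credentials"],
    # No jwks_uri and no registration_endpoint: both OPTIONAL per the thread.
}

# Assumption: default applied when grant_types_supported is omitted
# (the default stated in RFC 8414).
DEFAULT_GRANT_TYPES = ["authorization_code", "implicit"]

# response_type -> grant_type correspondence from RFC 7591, section 2.1.
GRANT_FOR_RESPONSE_TYPE = {"code": "authorization_code", "token": "implicit"}


def check_flow(metadata, response_type=None, grant_type=None,
               needs_keys=False, needs_registration=False):
    """Return a list of reasons the planned flow cannot use this server."""
    problems = []
    grants = metadata.get("grant_types_supported", DEFAULT_GRANT_TYPES)
    wanted_grants = []

    if response_type is not None:
        # response_type describes what the authorization endpoint returns.
        if response_type not in metadata.get("response_types_supported", []):
            problems.append(f"response_type {response_type!r} not advertised")
        implied = GRANT_FOR_RESPONSE_TYPE.get(response_type)
        if implied is not None:
            wanted_grants.append(implied)

    if grant_type is not None and grant_type not in wanted_grants:
        wanted_grants.append(grant_type)

    # grant_type values are checked against their own list, never against
    # response_types_supported.
    for wanted in wanted_grants:
        if wanted not in grants:
            problems.append(f"grant_type {wanted!r} not advertised")

    # Optional members matter only when this client depends on them.
    if needs_keys and "jwks_uri" not in metadata:
        problems.append("jwks_uri absent")
    if needs_registration and "registration_endpoint" not in metadata:
        problems.append("registration_endpoint absent")
    return problems
```

In the sample, `token` is advertised as a response type while `implicit` is missing from the grant types, so a client that checked only one of the two lists would miss the inconsistency.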