[OAUTH-WG] Last call review of draft-ietf-oauth-dyn-reg-10

Phil Hunt <phil.hunt@oracle.com> Wed, 15 May 2013 20:30 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id E3F1C11E80DF for <oauth@ietfa.amsl.com>; Wed, 15 May 2013 13:30:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.156
X-Spam-Status: No, score=-6.156 tagged_above=-999 required=5 tests=[AWL=-0.442, BAYES_00=-2.599, HTML_FONT_FACE_BAD=0.884, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id j9yjdZS-D8ef for <oauth@ietfa.amsl.com>; Wed, 15 May 2013 13:30:50 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com []) by ietfa.amsl.com (Postfix) with ESMTP id AA34421F86DD for <oauth@ietf.org>; Wed, 15 May 2013 13:30:50 -0700 (PDT)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com []) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r4FKUm4s025907 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <oauth@ietf.org>; Wed, 15 May 2013 20:30:48 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com []) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r4FKUmZO020484 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for <oauth@ietf.org>; Wed, 15 May 2013 20:30:49 GMT
Received: from abhmt101.oracle.com (abhmt101.oracle.com []) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r4FKUmmd004380 for <oauth@ietf.org>; Wed, 15 May 2013 20:30:48 GMT
Received: from [] (/ by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 15 May 2013 13:30:48 -0700
From: Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3FBFFF9E-CB0F-41BD-9A42-2C91D677ACF3"
Date: Wed, 15 May 2013 13:30:54 -0700
Message-Id: <85AA2C66-108B-4276-92EE-2D7566E54990@oracle.com>
To: "oauth@ietf.org WG" <oauth@ietf.org>
Mime-Version: 1.0 (Apple Message framework v1283)
X-Mailer: Apple Mail (2.1283)
X-Source-IP: ucsinet21.oracle.com []
Subject: [OAUTH-WG] Last call review of draft-ietf-oauth-dyn-reg-10
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 May 2013 20:30:56 -0000

It seems unfortunate that I have not gotten a chance to get into this level of detail much earlier. But then, I guess that's what LC review is for! My apologies for not getting many of these concerns to the WG much earlier.

I think dynamic registration is a critical part of the OAuth framework now that we are starting to consider how individual client applications should operate when there is one or more deployments of a particular resource API. We've moved from the simple use case of a single API provider like Facebook or Flickr and moved on to standards based, open source based, and commercial based deployments where there are multiple service endpoints and many clients to manage.

The dynamic registration spec is actually dealing with a couple of issues that I would like to see made more clear in early part of the spec:

1.  How is a new client application recognized for the first time when deployed against a particular SP endpoint?  Should clients actually assert an application_id UUID that never changes and possibly a version id that does change with versions?

2.  How are client credentials managed. Are we assuming client credentials have a limited lifetime or rotation policy?  How does a client authenticate the first time and subsequent times to the registration service?

3.  How is versioning of clients managed? Should each new version of a client require a change in client registration including possibly changing client_id and authentication credential? I don't have a strong feeling, but it is something that implementors should consider.

4.  What is the registration access token? Why is is used? What is its life-cycle?  When is it issued, when is it changed? When is it deleted?

If we distinguish between first time registration of a particular client software package, it is possible that somethings like authentication method can be negotiate in or out-of-band at that time. Subsequent registrations should only have parameters for items that could change per deployment (like tos_uri).  I think token_endpoint_auth_method is one thing that should not be negotiated per instance.

When subsequent instances register, I have to ask the question, for example when would things like "token_endpoint_auth_method" be negotiated or be different for the same client software? Should not all instances use the same authentication method.

Finally, there seems to be an inconsistent style approach with draft-hardjono-oauth-resource-reg which uses ETags. Should this draft do so as well?

Specific items:

There is some confusion as to whether this applies to server or client authentication.  Suggest renaming parameter to "token_endpoint_client_auth_method"

* Currently, the API only supports a single value instead of an array.  If the purpose is to allow the client to know what auth methods it supports, this should be an array indicated what methods the client supports - or it should not be used.

* There is no authn method for "client_secret_saml" or "private_key_saml".

There are no profiles referenced or defined for "client_secret_jwt" or "private_key_jwt". Neither of the JWT or SAML Bearer drafts referenced cover these types of flows. They only cover bearer flows.  "client_secret_jwt" and "private_key_jwt" seem to have some meaning within OpenID Connect, but I note that OIDC does not fully define these either.

There is no authentication method defined for "client_bearer_saml" or "client_bearer_jwt" or "client_bearer_ref".  Since the bearer specs say this is acceptable,  the dynamic registration spec should accept these.

A possible suggestion is to remove client_secret_jwt and private_key_jwt and define those as register extensions since these profiles are not defined.

About "tos_uri" and "policy_uri"

The distinction between tos_uri and policy_uri is unclear.  Can we clarify or combine them?

Also, aren't these really URIs or are they meant to be URLs?

About "jwks_uri"

A normative reference for http://tools.ietf.org/html/draft-ietf-jose-json-web-key-09 is needed. 
Should be URL instead of URI?

Section 2.1

In the table urn:ietf:params:oauth:grant-type:jwt-bearer is missing.

“As such, a server supporting these fields SHOULD take steps to ensure that a client cannot register itself into an inconsistent state.”

We may want to define more detailed HTTP error response. E.g. 400 status code + defined error code (“invalid_client_metadata”)?

Section 2.2

May want to add:

When “#” language tag is missing, (e.g. “#en” is missing in “client_name”, instead of “client_name#en”) the OAuth server may use interpret the language used based on server configuration or heuristics.

Section 3

Existing text:

“In order to support open registration and facilitate wider interoperability, the Client Registration Endpoint SHOULD allow initial registration requests with no authentication.  These requests MAY be rate-limited or otherwise limited to prevent a denial-of-service attack on the Client Registration Endpoint.”

I would suggest to change the first “SHOULD” to “MAY”.   In most cloud services, the first client is registered by a human user. Then, other clients can be further used to automate other client registration.  So, the first request would typically come with an authenticated user identity. 

On the flip side, the earlier paragraph:

“The Client Registration Endpoint MAY accept an initial authorization credential in the form of an OAuth 2.0 [RFC6749] access token in order to limit registration to only previously authorized parties. The method by which this access token is obtained by the registrant is generally out-of-band and is out of scope of this specification.”

I tend to think it would be better to change this “MAY” to “SHOULD”.

That access token would carry a human user authenticated identity somehow. In some cases, it can be a pure authenticated user assertion token.

About section 4.3:

If the client does not exist on this server, the server MUST respond
   with HTTP 401 Unauthorized, and the Registration Access Token used to
   make this request SHOULD be immediately revoked.

If the Client does not exist on this server, shouldn't it return a "404 Not Found"?

If revoking the registration access token, is it bound to a single client registration?  This is not clear.  What is the lifecycle around registration access token? Only hint is in the Client Information Response in section 5.1.
About section 5.1:

Is registration_access_token unique?  Or is it shared by multiple instances?   If shared, then registration_access_token can't be revoked on delete of client.

Suggest rename “expires_at” to “client_secret_expires_at”, 

Suggest to rename “issued_at” to “id_issued_at”

Section 7

When a client_secret expires is it the intent that clients do an update or refresh to get a new client secret?