IETF Logo Mail Archive

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-dyn-reg-10.txt

"Richer, Justin P." <jricher@mitre.org> Thu, 09 May 2013 20:51 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 868D421F8518 for <oauth@ietfa.amsl.com>; Thu, 9 May 2013 13:51:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IPn-Uxmpk2BY for <oauth@ietfa.amsl.com>; Thu, 9 May 2013 13:51:36 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 70EB921F89A5 for <oauth@ietf.org>; Thu, 9 May 2013 13:51:26 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 3E6F32A50464; Thu, 9 May 2013 16:51:15 -0400 (EDT)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 2D6A52A50463; Thu, 9 May 2013 16:51:15 -0400 (EDT)
Received: from IMCMBX01.MITRE.ORG ([169.254.1.137]) by IMCCAS04.MITRE.ORG ([129.83.29.81]) with mapi id 14.02.0342.003; Thu, 9 May 2013 16:51:15 -0400
From: "Richer, Justin P." <jricher@mitre.org>
To: Josh Mandel <jmandel@gmail.com>
Thread-Topic: [OAUTH-WG] I-D Action: draft-ietf-oauth-dyn-reg-10.txt
Thread-Index: AQHOS0Wu5Sf7tCtsl0WcxmZ0zKLbDJj6dviAgALM14CAAFaeAA==
Date: Thu, 09 May 2013 20:51:15 +0000
Message-ID: <F86EB9C6-2235-4C10-9CE0-DFD136936480@mitre.org>
References: <20130505194505.24986.11173.idtracker@ietfa.amsl.com> <CANSMLKHy-zhSX+UXodcPjvUBFkP-t8QdF4ueMu5LKuKk1Z6U+A@mail.gmail.com> <5FAB4732-821E-451F-97F0-868619075F7F@mitre.org> <CANSMLKHBge5wXfFiBaa9adcJAyyQPiaaOjdCNYVi2tBo=V0ErQ@mail.gmail.com>
In-Reply-To: <CANSMLKHBge5wXfFiBaa9adcJAyyQPiaaOjdCNYVi2tBo=V0ErQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.36.117]
Content-Type: multipart/alternative; boundary="_000_F86EB9C622354C109CE0DFD136936480mitreorg_"
MIME-Version: 1.0
Cc: "<oauth@ietf.org> WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-dyn-reg-10.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 May 2013 20:51:41 -0000

So if that's the case -- you've got a client that can't keep a secret that has a secret -- you do one of the normal auth methods (like client_secret_basic) and call it a day. I don't think it makes any sense, and the language below is really less about client secrets and more about assertions and other methods of authentication that otherwise "public" clients could use. DynReg makes it so that the client_secret is now a runtime secret, so we're already outside the core definitions of public/confidential clients anyway.

 -- Justin

On May 9, 2013, at 8:41 AM, Josh Mandel <jmandel@gmail.com<mailto:jmandel@gmail.com>>
 wrote:


> A true public client doesn't have a client_secret or its equivalent, so it would have

If this is the case,  then my premise #2 is wrong -- and in that case my  concern about dynamic registration disappears.  But if so: what is the quoted bit of 2.3 *supposed* to indicate? (If not that a public client might,  in some scenarios, be given a client_secret with the explicit expectation that it won't be kept secret and the stipulation that it mustn't be relied upon for authentication... )

Thanks!

  - Josh

> On May 7, 2013, at 10:09 AM, Josh Mandel <jmandel@gmail.com<mailto:jmandel@gmail.com>>
>  wrote:
>
>> As I understand it (corrections welcome!) rfc6749 says that public clients:
>>
>> 1.  are defined functionally, as clients "incapable of maintaining the confidentiality of their credentials" [section 2.1]
>> 2.  "MAY establish a client authentication method" if the server allows. e.g. client password auth [section 2.3]
>>
>> Given 1 and 2, it's technical possible for a public client to be assigned a (not-so-)secret that it uses not for authentication per se, but merely to go through the motions of client password auth.
>>
>> (How) Does dyn-reg support the registration of a public client that (for whatever reason -- code re-use?) seeks to use a client authentication method? It seems to me that, given the current draft, a registration server couldn't tell such a client from a confidential client  (token_endpoint_auth_method, grant_types, and response_types would be indistinguishable).
>>
>> Is this use case out of scope?  If so, the spec might benefit from a note to that effect.  If not, an explicit flag at registration time (conveying the app's explicitly asserted "public" vs. "confidential" status) might help servers make better decisions.
>>
>>   -Josh
>>
>>
>> On Sun, May 5, 2013 at 12:45 PM, <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>> wrote:
>>>
>>>
>>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>>  This draft is a work item of the Web Authorization Protocol Working Group of the IETF.
>>>
>>>         Title           : OAuth 2.0 Dynamic Client Registration Protocol
>>>         Author(s)       : Justin Richer
>>>                           John Bradley
>>>                           Michael B. Jones
>>>                           Maciej Machulak
>>>         Filename        : draft-ietf-oauth-dyn-reg-10.txt
>>>         Pages           : 25
>>>         Date            : 2013-05-05
>>>
>>> Abstract:
>>>    This specification defines an endpoint and protocol for dynamic
>>>    registration of OAuth 2.0 Clients at an Authorization Server and
>>>    methods for the dynamically registered client to manage its
>>>    registration.
>>>
>>>
>>> The IETF datatracker status page for this draft is:
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg
>>>
>>> There's also a htmlized version available at:
>>> http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-10
>>>
>>> A diff from the previous version is available at:
>>> http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-dyn-reg-10
>>>
>>>
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org<mailto:OAuth@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org<mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.23.0 | Report a Bug | By Email