IETF Logo Mail Archive

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

George Fletcher <gffletch@aol.com> Fri, 11 March 2016 14:37 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACCFD12D7AD for <oauth@ietfa.amsl.com>; Fri, 11 Mar 2016 06:37:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mx.aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hKQDZNwnA1lf for <oauth@ietfa.amsl.com>; Fri, 11 Mar 2016 06:37:16 -0800 (PST)
Received: from omr-a018e.mx.aol.com (omr-a018e.mx.aol.com [204.29.186.64]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54D8E12D55A for <oauth@ietf.org>; Fri, 11 Mar 2016 06:36:07 -0800 (PST)
Received: from mtaout-aac01.mx.aol.com (mtaout-aac01.mx.aol.com [172.27.2.33]) by omr-a018e.mx.aol.com (Outbound Mail Relay) with ESMTP id 7E0043800115; Fri, 11 Mar 2016 09:36:06 -0500 (EST)
Received: from [10.172.102.179] (unknown [10.172.102.179]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mtaout-aac01.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 4E92F38000095; Fri, 11 Mar 2016 09:36:05 -0500 (EST)
To: "Phil Hunt (IDM)" <phil.hunt@oracle.com>, Nat Sakimura <sakimura@gmail.com>
References: <56C5C9D5.6040703@gmx.net> <D5D8B85B-68E6-4E88-89F7-88E6851381E4@adm.umu.se> <CA+k3eCQOX6DgiJFp4b0A8R0boVQxVwGJP2-dY8_TbrCpJowOtw@mail.gmail.com> <56E19B6D.6060509@connect2id.com> <64D743EA-3F8D-403B-B05E-74539124A847@oracle.com> <CABzCy2D0P0NZW573g6NG3yYtbdVBifio=4hZi4QkYc3EKxOV5Q@mail.gmail.com> <DADBDF61-8C6F-4E58-9A0A-6AAC7D3738EC@oracle.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <56E2D7D5.6070101@aol.com>
Date: Fri, 11 Mar 2016 09:36:05 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <DADBDF61-8C6F-4E58-9A0A-6AAC7D3738EC@oracle.com>
Content-Type: multipart/alternative; boundary="------------070600090802050801020505"
x-aol-global-disposition: G
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20150623; t=1457706966; bh=VIXuutmGQpoAd6lkRV6vvTT44EW9yYQSt45HW4OqG20=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=vQs22kTuqAuSFvQ9VySvZ48xAHqINMKYCuVN5m8kwuR8R3hIWYjpt1fKsXI/uHZRr R90Xu9eIVd48PKVaAYlmTZ7YIS8rj7aE4fY8AdIrOTs6viX3JoIw2K7R3mtpd0xiwu +T+gTcsAfbGfDnSUml5zU7+yYtj+teG/ebyCQOkw=
x-aol-sid: 3039ac1b022156e2d7d53797
X-AOL-IP: 10.172.102.179
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/f66hmfCdbIqjycEvq0fd6zSHP6c>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Mar 2016 14:37:18 -0000

I am strongly against requiring the AS to know about RS URIs and 
managing that based on a client request for a token. I've stated my 
reasons previously.

Happy to agree to disagree:)

Thanks,
George

On 3/10/16 10:17 PM, Phil Hunt (IDM) wrote:
> Nat,
>
> Agree with your points.
>
> Regarding the last, I am not sure an AS should release the set of 
> valid rs's. I think the returned data has to be limited somehow. Maybe 
> by aud uri or maybe just a yes/no to a uri the client provides. This 
> needs discussion.
>
> Am worried about the resource side discovery and how much we can 
> intrude here. It may have similar issues disclosing approved ASs.
>
> Finally since we might not control rs discovery it may be possible 
> that the discovery is fake. Maybe this is where something like 
> software statements comes into play as it would at least prevent a 
> mitm from changing the assertions in its discovery. It would not have 
> the RS's private key and this signed statements might build trust.
>
> Phil
>
> On Mar 10, 2016, at 18:24, Nat Sakimura <sakimura@gmail.com 
> <mailto:sakimura@gmail.com>> wrote:
>
>> Phil,
>>
>> Right. So what my conditional approvals (11 conditions in total) said 
>> was to drop the word "discovery" from everywhere. This is not a 
>> discovery spec. This is a configuration lookup spec as you correctly 
>> points out. So, I am with you here.
>>
>> Also, my 2nd conditiion is essentially saying to drop section 3.
>>
>> One thing that I overlooked and am with you is that we need to be 
>> able to express the AS-RS relationships. I have been preaching this 
>> in the other thread for so many times as you know so I thought I 
>> pointed it out, but missed apparently in my previous comment. So, I 
>> would add my 12th condition:
>>
>> 12. A way to express a list of valid RSs for this AS needs to be 
>> added to section 2.
>>
>> Best,
>>
>> Nat
>>
>> 2016-03-11 2:09 GMT+09:00 Phil Hunt (IDM) <phil.hunt@oracle.com 
>> <mailto:phil.hunt@oracle.com>>:
>>
>>     I strongly oppose. 2 major issues.
>>
>>     This is not service discovery this is configuration lookup. The
>>     client must have already discovered the oauth issuer uri and the
>>     resource uri.
>>
>>     The objective was to provide a method to ensure the client has a
>>     valid set of endpoints to prevent mitm of endpoints like the
>>     token endpoint to the resource server.
>>
>>     The draft does not address the issue of a client being given a
>>     bad endpoint for an rs. What we end up with is a promiscuous
>>     authz service giving out tokens to an unwitting client.
>>
>>     Phil
>>
>>     On Mar 10, 2016, at 08:06, Vladimir Dzhuvinov
>>     <vladimir@connect2id.com <mailto:vladimir@connect2id.com>> wrote:
>>
>>>     +1 to move forward with these
>>>
>>>     On 10/03/16 17:35, Brian Campbell wrote:
>>>>     +1
>>>>
>>>>     On Thu, Mar 10, 2016 at 6:04 AM, Roland Hedberg<roland.hedberg@umu.se> <mailto:roland.hedberg@umu.se>
>>>>     wrote:
>>>>
>>>>>     I support this document being moved forward with these two changes:
>>>>>
>>>>>     - change name to “OAuth 2.0 Authorization Server Discovery Metadata” as
>>>>>     proposed by Brian and
>>>>>     - use the URI path suffix ’oauth-authorization-server’ instead of
>>>>>     ’openid-configuration’ as proposed by Justin.
>>>>>
>>>>>>     18 feb 2016 kl. 14:40 skrev Hannes Tschofenig <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>
>>>>>>     :
>>>>>>
>>>>>>     Hi all,
>>>>>>
>>>>>>     This is a Last Call for comments on the  OAuth 2.0 Discovery
>>>>>     specification:
>>>>>>     https://tools.ietf.org/html/draft-ietf-oauth-discovery-01
>>>>>>
>>>>>>     Since this document was only adopted recently we are running this last
>>>>>>     call for **3 weeks**.
>>>>>>
>>>>>>     Please have your comments in no later than March 10th.
>>>>>>
>>>>>>     Ciao
>>>>>>     Hannes & Derek
>>>>>>
>>>>>>     _______________________________________________
>>>>>>     OAuth mailing list
>>>>>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>>     https://www.ietf.org/mailman/listinfo/oauth
>>>>>     — Roland
>>>>>
>>>>>     ”Everybody should be quiet near a little stream and listen."
>>>>>      From ’Open House for Butterflies’ by Ruth Krauss
>>>>>
>>>>>
>>>>>     _______________________________________________
>>>>>     OAuth mailing list
>>>>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>     https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>>
>>>>
>>>>
>>>>     _______________________________________________
>>>>     OAuth mailing list
>>>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>     https://www.ietf.org/mailman/listinfo/oauth
>>
>>     _______________________________________________
>>     OAuth mailing list
>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>>
>> -- 
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email