Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-resource-indicators-01.txt
Brian Campbell <bcampbell@pingidentity.com> Tue, 22 March 2016 15:08 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 977E012D866 for <oauth@ietfa.amsl.com>; Tue, 22 Mar 2016 08:08:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id spcsIFby0Yff for <oauth@ietfa.amsl.com>; Tue, 22 Mar 2016 08:08:30 -0700 (PDT)
Received: from mail-ig0-x230.google.com (mail-ig0-x230.google.com [IPv6:2607:f8b0:4001:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B159D12D8A2 for <oauth@ietf.org>; Tue, 22 Mar 2016 08:08:29 -0700 (PDT)
Received: by mail-ig0-x230.google.com with SMTP id cl4so56915276igb.0 for <oauth@ietf.org>; Tue, 22 Mar 2016 08:08:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=NjpYKbRtZeIMy1ZS765JAw4Sw/trNcwGcPftjERDw2A=; b=bwxdPJWeDcMH5PejL18wxYMwpx41ds0KqId0p29Cuv6AK7g72LMTv4yCA28YoUFKPh QogeJRunMlPDgaSz3ebrmuH0S5tXrEB2zp5DImCarbflKkQcy0dUpqRqW0kDdPBPqslZ 0QmQjQUw5iVembIZaTUtwFvj93/uE3fyRQ9no=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=NjpYKbRtZeIMy1ZS765JAw4Sw/trNcwGcPftjERDw2A=; b=Ze34I0PH47sVQl760gOXFjT10VzI8tgdFwAeJKtwbZZc8soirldeZ1+N16sDVribEO wtYq9rXpCvogMn2NQpKSc/OxqdMP7mIG5Jfqleje+BusjpDqV3D+HIGoZs9+OAbkJ5v9 Z9GuBDEPdv6mhDkRqewkEUQL3s1ujd/Z6MCN+uADhFEB+oU99lMMizqdd+6r47DNf9w3 IBbcGN2poO8Hl+MTvVeg7c1x9pq5PgEDTExVxHe7rbXodC3KnOqM8m8GCPD2Ki1xWrmG O6W6yfRg6oAh81JY8giDfONJO4nb46DqIp2kww431F7z4G9rxZAKURItTEIgIqcb3f7q AEtQ==
X-Gm-Message-State: AD7BkJIM1cw5Bu2n4YrbPhvt/T3hDaxCgmpbPQDBxC6/Q3vhuGZLRY220uFxwN7XqSMh+GjZoXPtOF0wEWtDjWxh
X-Received: by 10.50.50.198 with SMTP id e6mr18417810igo.57.1458659308968; Tue, 22 Mar 2016 08:08:28 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.28.196 with HTTP; Tue, 22 Mar 2016 08:07:59 -0700 (PDT)
In-Reply-To: <56F15BDD.9020005@gmail.com>
References: <20160321173103.31961.76817.idtracker@ietfa.amsl.com> <CAAX2Qa2kovVmCoByJc0HsE9a3ZS6Lm+9F2bzgynBoahttcv8Zw@mail.gmail.com> <CA+k3eCSOMkm+1_0+77+RONTVMbS=y9KpPWaO4jAEU0CfiiGF-Q@mail.gmail.com> <0DBACD62-E2FB-43D2-A2F6-F1A16794117A@oracle.com> <56F15BDD.9020005@gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 22 Mar 2016 09:07:59 -0600
Message-ID: <CA+k3eCRdQCoCHu5FGxT+1-wK1QeQwBZuA4t5DPe5ocHcvwQpRQ@mail.gmail.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>
Content-Type: multipart/alternative; boundary="047d7bd75df2f5dccc052ea495eb"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/fW8M2-E0CSzkwV_dEiVqVqyRyzs>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-resource-indicators-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2016 15:08:35 -0000
'aud' can't be used b/c it conflicts with the (yet to be registered) 'aud' claim/parameter in https://tools.ietf.org/html/draft-ietf-oauth-jwsreq and JWS/E requests in Connect (honestly, I'd like to use aud because we've already done so in product but I don't think it works given the spec landscape). Also, as you mention, 'resource' is what the client is concerned with accessing. So the name is more representative of what it actually is. Yes, some more discussion of default or legacy behaviors based on config or policy or registration is probably warranted. I suppose that begs the question of if a OAuth Dynamic Client Registration Metadata parameter should be defined too? On Tue, Mar 22, 2016 at 8:51 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote: > Hi > > Is there any reason why 'resource' parameter can not be named 'aud' or > 'audience' ? > > The text says "AS should audience restrict" the access token and that a > token 'aud' property may be equal to this "resource" value. > > I guess 'audience' is a pure access token property, while as far as client > is concerned, it is a 'resource', but I wonder if it would be a bit simpler > if only a single property was used. > > It also might make sense to mention that the clients can have 'resource' > values associated with them at the registration time - this can be done by > admins, and the client applications will not have to be configured to send > 'resource' given that AS already knows about the resource restrictions. > > Cheers, Sergey > > > > > On 21/03/16 23:15, Phil Hunt wrote: > >> What about server processing rules and error conditions? The client >> passes the resource in with every request. What happens if it sends a >> bad URL. I see the registration for invalid_resource, but I see no >> processing logic for the server that describes when that is returned. >> I’ll assume that is TBD. >> >> The draft seems more finer grained than with bound configuration >> approach. It suggests that the client will make a different URL request >> for each resource URL. This could lead to a lot of unnecessary >> authorizations. I think we still have to resolve the audience to >> resource relationship problem and just how much detail the AS service >> needs to know. >> >> I note that we have a similar issue with bound config on how granular >> resource URL processing is needed. My main goal is for config to >> validate the domain name only as a major improvement as we just need to >> make sure the client is talking to a valid server and not a MITM proxy. >> >> Finally, there is the question of optionality (in order to have >> backwards compatibility for static clients). If resource is optional, >> than how do we deal with dynamic clients that simply don’t both to use >> the resource parameter? >> >> We’re depending on client developers taking an extra step to provide the >> resource parameter. Maybe optionality for resource url becomes part of >> the client_id registration? In contrast, config discovery is brand new, >> so making validation required is not such a big deal as static clients >> wouldn’t use discovery. >> >> Another failure condition both drafts should consider: >> * when an authorization, token, or resource endpoint starts to fail, >> should the client fall back to discovery to re-verify configuration? If >> so, on what errors? A valid usecase would be a service provider >> deciding to re-configure its services naturally over time. >> * what are the issues when an endpoint that was part of configuration >> issues a re-direct? There are good and bad scenarios (e.g. to a specific >> cluster node), a resource that was relocated, or a hacked service that >> wants to steal tokens. In these cases, should the client re-validate >> the new resource URI either using this draft or the bound config method? >> >> *On a positive note, unrelated to security, there have been a lot of >> inquiries over the years about how to authorize against on user-owned >> resources. E.g. How can I ask for authorizations to Brian’s github >> project? I think this is worth discussing. Weighing the security and >> functionality needs would be a worthwhile discussion in BA.* >> >> Phil >> >> @independentid >> www.independentid.com <http://www.independentid.com> >> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com> >> >> >> >> >> >> On Mar 21, 2016, at 10:41 AM, Brian Campbell >>> <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote: >>> >>> Very minor update to this draft before the deadline that moves Hannes >>> from Acknowledgements to Authors in acknowledgment of his similar work >>> a few years ago. Also fleshed out the IANA section with the formal >>> registration requests. >>> >>> >>> ---------- Forwarded message ---------- >>> From: ** <internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>> >>> Date: Mon, Mar 21, 2016 at 11:31 AM >>> Subject: New Version Notification for >>> draft-campbell-oauth-resource-indicators-01.txt >>> To: Hannes Tschofenig <hannes.tschofenig@gmx.net >>> <mailto:hannes.tschofenig@gmx.net>>, Hannes Tschofenig >>> <Hannes.Tschofenig@gmx.net <mailto:Hannes.Tschofenig@gmx.net>>, Brian >>> Campbell <brian.d.campbell@gmail.com >>> <mailto:brian.d.campbell@gmail.com>>, John Bradley <ve7jtb@ve7jtb.com >>> <mailto:ve7jtb@ve7jtb.com>> >>> >>> >>> >>> >>> A new version of I-D, draft-campbell-oauth-resource-indicators-01.txt >>> has been successfully submitted by Brian Campbell and posted to the >>> IETF repository. >>> >>> Name: draft-campbell-oauth-resource-indicators >>> Revision: 01 >>> Title: Resource Indicators for OAuth 2.0 >>> Document date: 2016-03-21 >>> Group: Individual Submission >>> Pages: 8 >>> URL: >>> >>> https://www.ietf.org/internet-drafts/draft-campbell-oauth-resource-indicators-01.txt >>> Status: >>> >>> https://datatracker.ietf.org/doc/draft-campbell-oauth-resource-indicators/ >>> Htmlized: >>> https://tools.ietf.org/html/draft-campbell-oauth-resource-indicators-01 >>> Diff: >>> >>> https://www.ietf.org/rfcdiff?url2=draft-campbell-oauth-resource-indicators-01 >>> >>> Abstract: >>> This straw-man specification defines an extension to The OAuth 2.0 >>> Authorization Framework that enables the client and authorization >>> server to more explicitly to communicate about the protected >>> resource(s) to be accessed. >>> >>> >>> >>> >>> Please note that it may take a couple of minutes from the time of >>> submission >>> until the htmlized version and diff are available at tools.ietf.org >>> <http://tools.ietf.org/>. >>> >>> The IETF Secretariat >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Fwd: New Version Notification for draf… Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … Phil Hunt
- Re: [OAUTH-WG] Fwd: New Version Notification for … Sergey Beryozkin
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … Torsten Lodderstedt
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … torsten@lodderstedt.net
- Re: [OAUTH-WG] Fwd: New Version Notification for … John Bradley