IETF Logo Mail Archive

Re: [OAUTH-WG] Dynamic Client Registration

"Richer, Justin P." <jricher@mitre.org> Tue, 13 January 2015 23:09 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7858F1B2B58 for <oauth@ietfa.amsl.com>; Tue, 13 Jan 2015 15:09:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Al2qTfKqn8Lv for <oauth@ietfa.amsl.com>; Tue, 13 Jan 2015 15:09:02 -0800 (PST)
Received: from smtpvbsrv1.mitre.org (smtpvbsrv1.mitre.org [198.49.146.234]) by ietfa.amsl.com (Postfix) with ESMTP id 4BE191B2B32 for <oauth@ietf.org>; Tue, 13 Jan 2015 15:09:02 -0800 (PST)
Received: from smtpvbsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 891C072E067; Tue, 13 Jan 2015 18:09:01 -0500 (EST)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpvbsrv1.mitre.org (Postfix) with ESMTP id 80C5672E05C; Tue, 13 Jan 2015 18:09:01 -0500 (EST)
Received: from IMCMBX01.MITRE.ORG ([169.254.1.185]) by IMCCAS03.MITRE.ORG ([129.83.29.80]) with mapi id 14.03.0224.002; Tue, 13 Jan 2015 18:09:01 -0500
From: "Richer, Justin P." <jricher@mitre.org>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Thread-Topic: [OAUTH-WG] Dynamic Client Registration
Thread-Index: AQHQLlidU4rOELMb8EiQ/dpBvkV0+Zy/AvOA
Date: Tue, 13 Jan 2015 23:08:59 +0000
Message-ID: <9013AEED-9B4E-4F22-8E91-AE1430372530@mitre.org>
References: <54B3ABF8.8050007@gmx.net>
In-Reply-To: <54B3ABF8.8050007@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.146.15.76]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <856129CFEBDF2B4C81D87C671A487A51@imc.mitre.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/fsl7-IKCPdUaq1h7Q4ixrzhIAe0>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jan 2015 23:09:05 -0000

Hi Hannes, thanks for the review. Comments inline.

On Jan 12, 2015, at 6:11 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> Hi Justin, Hi all,
> 
> as noted in my status update I am trying to finalize the pending items.
> 
> Hence, I re-read the draft-ietf-oauth-dyn-reg-21 document since my
> review of draft-ietf-oauth-dyn-reg-management raised some questions
> about the terminology.
> 
> If you look at the structure of the ToC then you will notice the following:
> 
>   3.  Client Registration Endpoint  . . . . . . . . . . . . . . . .  13
>     3.1.  Client Registration Request . . . . . . . . . . . . . . .  14
>       3.1.1.  Client Registration Request Using a Software
>               Statement . . . . . . . . . . . . . . . . . . . . . .  15
>     3.2.  Client Registration Response  . . . . . . . . . . . . . .  16
>   4.  Responses . . . . . . . . . . . . . . . . . . . . . . . . . .  16
>     4.1.  Client Information Response . . . . . . . . . . . . . . .  17
>     4.2.  Client Registration Error Response  . . . . . . . . . . .  18
> 
> There is no 'Client Registration Response' in the protocol (only the
> Client Information Response) and section 3.2 is pretty much empty and
> only points to the later sections. So, I would suggest to do the following.
> 
>   3.  Client Registration Endpoint
>     3.1.  Client Registration Request
>       3.1.1.  Client Registration Request Using a Software Statement
>     3.2.  Client Registration Response
>       3.2.1.  Client Information Response
>       3.2.2.  Client Registration Error Response
> 
> (A section with only a single sub-section is also a sign of a bad
> structure.)
> 

I'm actually OK with this re-organization, as long as there's no objection from the WG at this stage. I think what we have might be slightly vestigial of the existing document. There *is* a client registration response, but it's one of two things: the information or error response. Collapsing them as above will likely make that section easier to read. Thoughts?

> I re-read the terminology and looked at Figure 1 to see whether it makes
> sense and it still does not. I know that there may be many different
> deployment options but it should at least be clear to the reader where
> information comes from and where does it go.
> 
> For example, when I try to follow the flow of the software statement
> then I read the following:
> "
> Software Statement: In some cases, a software statement will be issued
> directly by the organization or developer that creates the client software.
> "
> 
> What does the figure tell us? It shows us that the client or developer
> gets the software assertion.
> 
>        +--------(A)- Initial Access Token (OPTIONAL)
>        |
>        |   +----(B)- Software Statement (OPTIONAL)
>        |   |
>        v   v
>    +-----------+                                      +---------------+
>    |           |--(C)- Client Registration Request -->|    Client     |
>    | Client or |                                      | Registration  |
>    | Developer |<-(D)- Client Information Response ---|   Endpoint    |
>    |           |                                      +---------------+
>    +-----------+
> 
> Maybe we should illustrate one example that makes sense and then say
> that there are others that could be used.

The examples are included in Appendix A. 

> It also does not make sense to
> show the developer in the box together with the client since the
> developer does not execute a protocol exchange with the client
> registration endpoint.

That's not true, a developer (person or organization) could very easily be using the dynamic registration protocol on behalf of the software that they're developing. This is actually used in practice in a number of places, and if you'd like a concrete example just go to the MIT integration test site: https://mitreid.org/manage/dev/dynreg (log in with user/password).

> 
> Here is a proposal for improving this:
> 
> 
> FROM:
> 
>        +--------(A)- Initial Access Token (OPTIONAL)
>        |
>        |   +----(B)- Software Statement (OPTIONAL)
>        |   |
>        v   v
>    +-----------+                                      +---------------+
>    |           |--(C)- Client Registration Request -->|    Client     |
>    | Client or |                                      | Registration  |
>    | Developer |<-(D)- Client Information Response ---|   Endpoint    |
>    |           |                                      +---------------+
>    +-----------+
> 
>    Figure 1: Abstract Dynamic Client Registration Flow
> 
> TO:
> 
>    +--------  O  -- (A)- Initial Access Token (OPTIONAL)
>    |         /|\
>    |   +---- / \ -- (B)- Software Statement (OPTIONAL)
>    |   |   Client
>    |   |   Developer
>    |   |
>    v   v
> +--------------+                                      +---------------+
> |              |--(C)- Client Registration Request -->|    Client     |
> |   Client     |                                      | Registration  |
> |              |<-(D)- Client Information Response ---|   Endpoint    |
> +--------------+                                      +---------------+
> 
>  Figure 1: Abstract Dynamic Client Registration Flow
> 
> 
> Alternatively, one could also separate the distribution of software
> statements and the actual protocol exchange. Here is the proposal:
> 
>    +--------(A)- Initial Access Token (OPTIONAL)
>    |
>    |   +----(B)- Software Statement (OPTIONAL)
>    |   |
>    v   v
> +-----------+                                      +---------------+
> |           |--(C)- Client Registration Request -->|    Client     |
> |   Client  |                                      | Registration  |
> |           |<-(D)- Client Information Response ---|   Endpoint    |
> +-----------+                                      +---------------+
> 
> Figure 1: Abstract Dynamic Client Registration Flow
> 
> 
>           +---------------+
>           | Authorization |
>           | Server        |
>           +---------------+
>                 |    Initial
>                 |(A) Access
>                 |    Token
>                 v
>                  O  Client
>         +------ /|\ Developer
>         |+----- / \
>         ||
>      (A)||(B) Software
>         ||    Statement
>         vv
>  +-----------+
>  |           |
>  |   Client  |
>  |           |
>  +-----------+
> 
> Figure 2: Software Statement / Initial Access Token Distribution Example.
> 

This is inaccurate, as described above. I believe we should leave this as is.

> Then, there is also this statement in the Software Statement definition:
> 
> "
>      In other cases, a
>      software statement will be issued by a third party organization
>      for use by the organization or developer that creates the client
>      software.
> "
> 
> In the terminology section we are defining all the parties that are
> involved and now this mysterious "third party organization" is
> introduced. Is this one of the already defined parties or is this yet
> another organization?

This is just exemplary text, saying one way that it could happen. The "mysterious" third party organization is someone who is not the authorization server or software API publisher who issued the statement (those cases are covered by the preceding sentence). They're not a named party, it's just "whoever made the software statement". We are not specifying which software statements the AS decides to trust, since that's a policy decision outside of our control as spec authors. Many authorization servers will only trust software statements that they issue, but others will have a configured set of third parties that they will accept software statements from, probably as part of a trust framework. I think this text should be left as it is unless there's a way to word this so that it doesn't sound like we're adding another explicitly named party to the mix.

> 
> Finally, the client developer is defined as a single individual or an
> entire organization (i.e., a group of people). However, in the text you
> write 'client developer or organization'. For example, look at the
> software statement:
> 
> "In some cases, a software statement will be issued directly by the
> organization or developer that creates the client software.
> "
> 
> Wouldn't it be more consistent to use the client developer definition as
> is and just turn this sentence into
> 
> "
> In some cases, a software statement will be issued directly by the
> client developer.
> "
> 

Since "developer" can mean individual or organization, I'm fine with this simplifying change as long as there's no objection from the WG.

Thanks again for the review.
 -- Justin

v2.23.0 | Report a Bug | By Email