[OAUTH-WG] Dynamic Client Registration
Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 12 January 2015 11:12 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2267C1A8AAF for <oauth@ietfa.amsl.com>; Mon, 12 Jan 2015 03:12:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8PDSTJnRqaA1 for <oauth@ietfa.amsl.com>; Mon, 12 Jan 2015 03:11:56 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 402241A6F10 for <oauth@ietf.org>; Mon, 12 Jan 2015 03:11:56 -0800 (PST)
Received: from [172.16.254.109] ([80.92.123.55]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0LoaCE-1XYXzs0h7y-00gXTB for <oauth@ietf.org>; Mon, 12 Jan 2015 12:11:54 +0100
Message-ID: <54B3ABF8.8050007@gmx.net>
Date: Mon, 12 Jan 2015 12:11:52 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: "oauth@ietf.org" <oauth@ietf.org>
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="oNCKLiCDPd3loIMsSsqwIDLCAITmvETrJ"
X-Provags-ID: V03:K0:g12yFr0msvW8MgvS5s7uhAl1C7cEwy2TQSnDp3j8bDMNc7UQoLg /D/krSsu/BITxRFiS/qFjnJ/cSDbv/+4fhv7XsfE8gFQPJz6/JAtmrV/CRXvSjsxqnTjuDp 7RO0N5wVNfGr4yU2Kv/xFhK3dhjxbYUdN9X/6cKY7rn8VkAixBVUCCniCAmP8Xh0fXjcPSL TvYISVwb8YBdxd8rHn0Zw==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/gZO08Pmbp9dN2qMrEQKGzWUVyY8>
Subject: [OAUTH-WG] Dynamic Client Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jan 2015 11:12:01 -0000
Hi Justin, Hi all, as noted in my status update I am trying to finalize the pending items. Hence, I re-read the draft-ietf-oauth-dyn-reg-21 document since my review of draft-ietf-oauth-dyn-reg-management raised some questions about the terminology. If you look at the structure of the ToC then you will notice the following: 3. Client Registration Endpoint . . . . . . . . . . . . . . . . 13 3.1. Client Registration Request . . . . . . . . . . . . . . . 14 3.1.1. Client Registration Request Using a Software Statement . . . . . . . . . . . . . . . . . . . . . . 15 3.2. Client Registration Response . . . . . . . . . . . . . . 16 4. Responses . . . . . . . . . . . . . . . . . . . . . . . . . . 16 4.1. Client Information Response . . . . . . . . . . . . . . . 17 4.2. Client Registration Error Response . . . . . . . . . . . 18 There is no 'Client Registration Response' in the protocol (only the Client Information Response) and section 3.2 is pretty much empty and only points to the later sections. So, I would suggest to do the following. 3. Client Registration Endpoint 3.1. Client Registration Request 3.1.1. Client Registration Request Using a Software Statement 3.2. Client Registration Response 3.2.1. Client Information Response 3.2.2. Client Registration Error Response (A section with only a single sub-section is also a sign of a bad structure.) I re-read the terminology and looked at Figure 1 to see whether it makes sense and it still does not. I know that there may be many different deployment options but it should at least be clear to the reader where information comes from and where does it go. For example, when I try to follow the flow of the software statement then I read the following: " Software Statement: In some cases, a software statement will be issued directly by the organization or developer that creates the client software. " What does the figure tell us? It shows us that the client or developer gets the software assertion. +--------(A)- Initial Access Token (OPTIONAL) | | +----(B)- Software Statement (OPTIONAL) | | v v +-----------+ +---------------+ | |--(C)- Client Registration Request -->| Client | | Client or | | Registration | | Developer |<-(D)- Client Information Response ---| Endpoint | | | +---------------+ +-----------+ Maybe we should illustrate one example that makes sense and then say that there are others that could be used. It also does not make sense to show the developer in the box together with the client since the developer does not execute a protocol exchange with the client registration endpoint. Here is a proposal for improving this: FROM: +--------(A)- Initial Access Token (OPTIONAL) | | +----(B)- Software Statement (OPTIONAL) | | v v +-----------+ +---------------+ | |--(C)- Client Registration Request -->| Client | | Client or | | Registration | | Developer |<-(D)- Client Information Response ---| Endpoint | | | +---------------+ +-----------+ Figure 1: Abstract Dynamic Client Registration Flow TO: +-------- O -- (A)- Initial Access Token (OPTIONAL) | /|\ | +---- / \ -- (B)- Software Statement (OPTIONAL) | | Client | | Developer | | v v +--------------+ +---------------+ | |--(C)- Client Registration Request -->| Client | | Client | | Registration | | |<-(D)- Client Information Response ---| Endpoint | +--------------+ +---------------+ Figure 1: Abstract Dynamic Client Registration Flow Alternatively, one could also separate the distribution of software statements and the actual protocol exchange. Here is the proposal: +--------(A)- Initial Access Token (OPTIONAL) | | +----(B)- Software Statement (OPTIONAL) | | v v +-----------+ +---------------+ | |--(C)- Client Registration Request -->| Client | | Client | | Registration | | |<-(D)- Client Information Response ---| Endpoint | +-----------+ +---------------+ Figure 1: Abstract Dynamic Client Registration Flow +---------------+ | Authorization | | Server | +---------------+ | Initial |(A) Access | Token v O Client +------ /|\ Developer |+----- / \ || (A)||(B) Software || Statement vv +-----------+ | | | Client | | | +-----------+ Figure 2: Software Statement / Initial Access Token Distribution Example. Then, there is also this statement in the Software Statement definition: " In other cases, a software statement will be issued by a third party organization for use by the organization or developer that creates the client software. " In the terminology section we are defining all the parties that are involved and now this mysterious "third party organization" is introduced. Is this one of the already defined parties or is this yet another organization? Finally, the client developer is defined as a single individual or an entire organization (i.e., a group of people). However, in the text you write 'client developer or organization'. For example, look at the software statement: "In some cases, a software statement will be issued directly by the organization or developer that creates the client software. " Wouldn't it be more consistent to use the client developer definition as is and just turn this sentence into " In some cases, a software statement will be issued directly by the client developer. " Ciao Hannes
- [OAUTH-WG] Dynamic Client Registration Hannes Tschofenig
- Re: [OAUTH-WG] Dynamic Client Registration Eve Maler
- Re: [OAUTH-WG] Dynamic Client Registration William Mills
- Re: [OAUTH-WG] Dynamic Client Registration Eran Hammer
- Re: [OAUTH-WG] Dynamic Client Registration Hannes Tschofenig
- Re: [OAUTH-WG] Dynamic Client Registration Hannes Tschofenig
- Re: [OAUTH-WG] Dynamic Client Registration Eran Hammer
- Re: [OAUTH-WG] Dynamic Client Registration Derek Atkins
- Re: [OAUTH-WG] Dynamic Client Registration Torsten Lodderstedt
- Re: [OAUTH-WG] Dynamic Client Registration Eran Hammer
- Re: [OAUTH-WG] Dynamic Client Registration Torsten Lodderstedt
- Re: [OAUTH-WG] Dynamic Client Registration Justin Richer
- Re: [OAUTH-WG] Dynamic Client Registration Eran Hammer
- Re: [OAUTH-WG] Dynamic Client Registration Igor Faynberg
- [OAUTH-WG] Dynamic Client Registration Hannes Tschofenig
- Re: [OAUTH-WG] Dynamic Client Registration Phil Hunt
- Re: [OAUTH-WG] Dynamic Client Registration Richer, Justin P.
- Re: [OAUTH-WG] Dynamic Client Registration Hannes Tschofenig
- Re: [OAUTH-WG] Dynamic Client Registration Hannes Tschofenig
- Re: [OAUTH-WG] Dynamic Client Registration Phil Hunt
- Re: [OAUTH-WG] Dynamic Client Registration Phil Hunt
- Re: [OAUTH-WG] Dynamic Client Registration Richer, Justin P.
- [OAUTH-WG] Dynamic Client Registration Hannes Tschofenig
- Re: [OAUTH-WG] Dynamic Client Registration Richer, Justin P.
- Re: [OAUTH-WG] Dynamic Client Registration Phil Hunt
- Re: [OAUTH-WG] Dynamic Client Registration Richer, Justin P.
- Re: [OAUTH-WG] Dynamic Client Registration John Bradley