[OAUTH-WG] Dynamic Client Registration

Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 12 January 2015 11:12 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2267C1A8AAF for <oauth@ietfa.amsl.com>; Mon, 12 Jan 2015 03:12:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8PDSTJnRqaA1 for <oauth@ietfa.amsl.com>; Mon, 12 Jan 2015 03:11:56 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 402241A6F10 for <oauth@ietf.org>; Mon, 12 Jan 2015 03:11:56 -0800 (PST)
Received: from [172.16.254.109] ([80.92.123.55]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0LoaCE-1XYXzs0h7y-00gXTB for <oauth@ietf.org>; Mon, 12 Jan 2015 12:11:54 +0100
Message-ID: <54B3ABF8.8050007@gmx.net>
Date: Mon, 12 Jan 2015 12:11:52 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: "oauth@ietf.org" <oauth@ietf.org>
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="oNCKLiCDPd3loIMsSsqwIDLCAITmvETrJ"
X-Provags-ID: V03:K0:g12yFr0msvW8MgvS5s7uhAl1C7cEwy2TQSnDp3j8bDMNc7UQoLg /D/krSsu/BITxRFiS/qFjnJ/cSDbv/+4fhv7XsfE8gFQPJz6/JAtmrV/CRXvSjsxqnTjuDp 7RO0N5wVNfGr4yU2Kv/xFhK3dhjxbYUdN9X/6cKY7rn8VkAixBVUCCniCAmP8Xh0fXjcPSL TvYISVwb8YBdxd8rHn0Zw==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/gZO08Pmbp9dN2qMrEQKGzWUVyY8>
Subject: [OAUTH-WG] Dynamic Client Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jan 2015 11:12:01 -0000

Hi Justin, Hi all,

as noted in my status update I am trying to finalize the pending items.

Hence, I re-read the draft-ietf-oauth-dyn-reg-21 document since my
review of draft-ietf-oauth-dyn-reg-management raised some questions
about the terminology.

If you look at the structure of the ToC then you will notice the following:

   3.  Client Registration Endpoint  . . . . . . . . . . . . . . . .  13
     3.1.  Client Registration Request . . . . . . . . . . . . . . .  14
       3.1.1.  Client Registration Request Using a Software
               Statement . . . . . . . . . . . . . . . . . . . . . .  15
     3.2.  Client Registration Response  . . . . . . . . . . . . . .  16
   4.  Responses . . . . . . . . . . . . . . . . . . . . . . . . . .  16
     4.1.  Client Information Response . . . . . . . . . . . . . . .  17
     4.2.  Client Registration Error Response  . . . . . . . . . . .  18

There is no 'Client Registration Response' in the protocol (only the
Client Information Response) and section 3.2 is pretty much empty and
only points to the later sections. So, I would suggest to do the following.

   3.  Client Registration Endpoint
     3.1.  Client Registration Request
       3.1.1.  Client Registration Request Using a Software Statement
     3.2.  Client Registration Response
       3.2.1.  Client Information Response
       3.2.2.  Client Registration Error Response

(A section with only a single sub-section is also a sign of a bad
structure.)

I re-read the terminology and looked at Figure 1 to see whether it makes
sense and it still does not. I know that there may be many different
deployment options but it should at least be clear to the reader where
information comes from and where does it go.

For example, when I try to follow the flow of the software statement
then I read the following:
"
Software Statement: In some cases, a software statement will be issued
directly by the organization or developer that creates the client software.
"

What does the figure tell us? It shows us that the client or developer
gets the software assertion.

        +--------(A)- Initial Access Token (OPTIONAL)
        |
        |   +----(B)- Software Statement (OPTIONAL)
        |   |
        v   v
    +-----------+                                      +---------------+
    |           |--(C)- Client Registration Request -->|    Client     |
    | Client or |                                      | Registration  |
    | Developer |<-(D)- Client Information Response ---|   Endpoint    |
    |           |                                      +---------------+
    +-----------+

Maybe we should illustrate one example that makes sense and then say
that there are others that could be used. It also does not make sense to
show the developer in the box together with the client since the
developer does not execute a protocol exchange with the client
registration endpoint.

Here is a proposal for improving this:


FROM:

        +--------(A)- Initial Access Token (OPTIONAL)
        |
        |   +----(B)- Software Statement (OPTIONAL)
        |   |
        v   v
    +-----------+                                      +---------------+
    |           |--(C)- Client Registration Request -->|    Client     |
    | Client or |                                      | Registration  |
    | Developer |<-(D)- Client Information Response ---|   Endpoint    |
    |           |                                      +---------------+
    +-----------+

    Figure 1: Abstract Dynamic Client Registration Flow

TO:

    +--------  O  -- (A)- Initial Access Token (OPTIONAL)
    |         /|\
    |   +---- / \ -- (B)- Software Statement (OPTIONAL)
    |   |   Client
    |   |   Developer
    |   |
    v   v
+--------------+                                      +---------------+
|              |--(C)- Client Registration Request -->|    Client     |
|   Client     |                                      | Registration  |
|              |<-(D)- Client Information Response ---|   Endpoint    |
+--------------+                                      +---------------+

  Figure 1: Abstract Dynamic Client Registration Flow


Alternatively, one could also separate the distribution of software
statements and the actual protocol exchange. Here is the proposal:

    +--------(A)- Initial Access Token (OPTIONAL)
    |
    |   +----(B)- Software Statement (OPTIONAL)
    |   |
    v   v
+-----------+                                      +---------------+
|           |--(C)- Client Registration Request -->|    Client     |
|   Client  |                                      | Registration  |
|           |<-(D)- Client Information Response ---|   Endpoint    |
+-----------+                                      +---------------+

 Figure 1: Abstract Dynamic Client Registration Flow


           +---------------+
           | Authorization |
           | Server        |
           +---------------+
                 |    Initial
                 |(A) Access
                 |    Token
                 v
                  O  Client
         +------ /|\ Developer
         |+----- / \
         ||
      (A)||(B) Software
         ||    Statement
         vv
  +-----------+
  |           |
  |   Client  |
  |           |
  +-----------+

Figure 2: Software Statement / Initial Access Token Distribution Example.

Then, there is also this statement in the Software Statement definition:

"
      In other cases, a
      software statement will be issued by a third party organization
      for use by the organization or developer that creates the client
      software.
"

In the terminology section we are defining all the parties that are
involved and now this mysterious "third party organization" is
introduced. Is this one of the already defined parties or is this yet
another organization?

Finally, the client developer is defined as a single individual or an
entire organization (i.e., a group of people). However, in the text you
write 'client developer or organization'. For example, look at the
software statement:

"In some cases, a software statement will be issued directly by the
organization or developer that creates the client software.
"

Wouldn't it be more consistent to use the client developer definition as
is and just turn this sentence into

"
In some cases, a software statement will be issued directly by the
client developer.
"

Ciao
Hannes