IETF Logo Mail Archive

Re: [OAUTH-WG] Client Credential Expiry and new Registration Access Token - draft-ietf-oauth-dyn-reg-10

Mike Jones <Michael.Jones@microsoft.com> Fri, 17 May 2013 20:27 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7459321F9603 for <oauth@ietfa.amsl.com>; Fri, 17 May 2013 13:27:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jGkIIH32JXdU for <oauth@ietfa.amsl.com>; Fri, 17 May 2013 13:27:47 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0206.outbound.protection.outlook.com [207.46.163.206]) by ietfa.amsl.com (Postfix) with ESMTP id 2D9A821F8556 for <oauth@ietf.org>; Fri, 17 May 2013 13:27:45 -0700 (PDT)
Received: from BN1AFFO11FD012.protection.gbl (10.58.52.200) by BN1AFFO11HUB027.protection.gbl (10.58.52.137) with Microsoft SMTP Server (TLS) id 15.0.687.1; Fri, 17 May 2013 20:27:29 +0000
Received: from TK5EX14MLTC103.redmond.corp.microsoft.com (131.107.125.37) by BN1AFFO11FD012.mail.protection.outlook.com (10.58.52.72) with Microsoft SMTP Server (TLS) id 15.0.698.0 via Frontend Transport; Fri, 17 May 2013 20:27:29 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.161]) by TK5EX14MLTC103.redmond.corp.microsoft.com ([157.54.79.174]) with mapi id 14.02.0318.003; Fri, 17 May 2013 20:26:33 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Phil Hunt <phil.hunt@oracle.com>
Thread-Topic: [OAUTH-WG] Client Credential Expiry and new Registration Access Token - draft-ietf-oauth-dyn-reg-10
Thread-Index: AQHOUoliz4X67XowG0mWW52R1yHjnpkI+JSwgAAJYYCAAAa3sIAAHCOAgACuEVA=
Date: Fri, 17 May 2013 20:26:32 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943677344BC@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <C0CE9538-4B72-4882-9462-B08A2D386720@oracle.com> <4E1F6AAD24975D4BA5B1680429673943677327E5@TK5EX14MBXC283.redmond.corp.microsoft.com> <655FB525-6952-4517-BD4B-8ECD67F3087E@oracle.com> <4E1F6AAD24975D4BA5B168042967394367733A24@TK5EX14MBXC283.redmond.corp.microsoft.com> <A59C5E83-FADC-4621-9B43-8C9FC2CA0E65@oracle.com> <4E1F6AAD24975D4BA5B168042967394367733D51@TK5EX14MBXC283.redmond.corp.microsoft.com> <D0EBAF34-A8C1-4D5E-A92E-53E2B6AE6EC6@oracle.com>
In-Reply-To: <D0EBAF34-A8C1-4D5E-A92E-53E2B6AE6EC6@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.34]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B1680429673943677344BCTK5EX14MBXC283r_"
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(479174002)(377454002)(189002)(377424003)(50854003)(164054003)(13464003)(24454002)(51704005)(199002)(77982001)(56816002)(47446002)(46102001)(81542001)(80022001)(59766001)(4396001)(31966008)(47736001)(71186001)(81342001)(16236675002)(74662001)(50986001)(69226001)(65816001)(33656001)(47976001)(16601075002)(512874002)(74502001)(74366001)(15202345002)(79102001)(15974865001)(51856001)(66066001)(54316002)(16406001)(53806001)(49866001)(76482001)(56776001)(74706001)(74876001)(54356001)(6806003)(20776003)(55846006)(63696002); DIR:OUT; SFP:; SCL:1; SRVR:BN1AFFO11HUB027; H:TK5EX14MLTC103.redmond.corp.microsoft.com; RD:InfoDomainNonexistent; MX:1; A:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 08497C3D99
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Client Credential Expiry and new Registration Access Token - draft-ietf-oauth-dyn-reg-10
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 May 2013 20:27:52 -0000

I’m saying that we issue an access token granting access to the registration state for the client and a separate client_id (and sometimes client_secret) used for accessing the Authorization Server.  The first is used by the party writing/registering the client.  The second is used by the client.  Both the resources accessed and the parties accessing the resources are different.

I’m puzzled why you would propose combining/overloading them, given the security differences.  Especially, I wouldn’t want to bake the registration access token into the client – especially a mobile client – because it would mean anyone in possession of an instance of the client could change/deface/maliciously-intentionally-break the client registration for all instances.  Whereas, I *must* bake the client_id and potentially the client_secret into the client.

                                                            -- Mike

From: Phil Hunt [mailto:phil.hunt@oracle.com]
Sent: Friday, May 17, 2013 2:57 AM
To: Mike Jones
Cc: oauth@ietf.org WG
Subject: Re: [OAUTH-WG] Client Credential Expiry and new Registration Access Token - draft-ietf-oauth-dyn-reg-10

Or, are you saying reg access token is a signed assertion echoing back the registration?

I have to think about that. Still don't see the value since there should be only one registration per client cred.

To me the client token can also be the registration more easily with less complexity.

Phil

Ps. Apologies just noticed I didn't reply all to group earlier.

On 2013-05-17, at 1:16, Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote:
I think you must understand something here.  The token in the registration spec *is* the token issued to the client by the registration server to represent the client's registration.

-- Mike
________________________________
From: Phil Hunt
Sent: 5/17/2013 9:53 AM
To: Mike Jones
Subject: Re: [OAUTH-WG] Client Credential Expiry and new Registration Access Token - draft-ietf-oauth-dyn-reg-10
Well why not just use the client token?

Phil

On 2013-05-17, at 0:19, Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote:
Its not there for reasons related to expiration. It's there as an access token so the client can access and possibly update its client registration information.

-- Mike
________________________________
From: Phil Hunt
Sent: 5/17/2013 1:02 AM
To: Mike Jones
Subject: Re: [OAUTH-WG] Client Credential Expiry and new Registration Access Token - draft-ietf-oauth-dyn-reg-10
Sure. It isn't a new token format.  But it is yet another token with specific usage and security considerations.

I'm concerned about whether it makes sense to create yetanuthertoken just to handle expiry of a token whose expiry wasn't called for in the group or in the threat model (6749 or 6819).

Phil

@independentid
www.independentid.com<http://www.independentid.com>
phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>





On 2013-05-16, at 3:26 PM, Mike Jones wrote:

> This is nothing more than an RFC 6750 bearer token.  These can expire, as explained in that draft.  (The can also be issued an a manner that they don't expire.)  Nothing new is being invented in this regard.
>
>                                -- Mike
>
> -----Original Message-----
> From: oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org> [mailto:oauth-bounces@ietf.org] On Behalf Of Phil Hunt
> Sent: Thursday, May 16, 2013 2:35 PM
> To: oauth@ietf.org<mailto:oauth@ietf.org> WG
> Subject: [OAUTH-WG] Client Credential Expiry and new Registration Access Token - draft-ietf-oauth-dyn-reg-10
>
> All,
>
> In the dynamic registration draft, a new token type is defined called the "registration access token". Its use is intended to facilitate clients being able to update their registration and obtain new client credentials over time.  The client credential is issued on completion of the initial registration request by a particular client instance.
>
> It appears the need for the registration access token arises from the implied assertion that client credentials should expire.
> --> Is anyone expiring client credentials?
>
> To date, we haven't had much discussion about client credential expiry. It leads me to the following questions:
>
> 1.  Is there technical value with client credential/token expiry?  Keep in mind that client credential is only used with the token endpoint over TLS connection. It is NOT used to access resources directly.
>
> 2.  If yes, on what basis should client credential/token expire?
>  a.  Time?
>  b.  A change to the client software (e.g. version update)?
>  c.  Some other reason?
>
> 3. Is it worth the complication to create a new token type (registration access token) just to allow clients to obtain new client tokens?  Keep in mind that client tokens are only usable with the AS token endpoint.  Why not instead use a client token for dyn reg and token endpoint with the rule that once a client token has expired (if they expire), an expired token may still be used at the registration end-point.
>
> 4. Are there other reasons for the registration token?
>
> Thanks,
>
> Phil
>
> @independentid
> www.independentid.com<http://www.independentid.com>
> phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>
>
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org<mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email