IETF Logo Mail Archive

Re: [OAUTH-WG] Refactoring Dynamic Registration

Justin Richer <jricher@mitre.org> Wed, 28 August 2013 14:57 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0375C11E80FA for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 07:57:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.973
X-Spam-Level:
X-Spam-Status: No, score=-4.973 tagged_above=-999 required=5 tests=[AWL=-1.480, BAYES_00=-2.599, MANGLED_EMAIL=2.3, RCVD_IN_DNSWL_MED=-4, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dI1+Ekuv3KP3 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 07:57:01 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 26E7A11E8197 for <oauth@ietf.org>; Wed, 28 Aug 2013 07:56:54 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 735411F0422; Wed, 28 Aug 2013 10:56:54 -0400 (EDT)
Received: from IMCCAS01.MITRE.ORG (imccas01.mitre.org [129.83.29.78]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 5D79B1F0767; Wed, 28 Aug 2013 10:56:54 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS01.MITRE.ORG (129.83.29.78) with Microsoft SMTP Server (TLS) id 14.2.342.3; Wed, 28 Aug 2013 10:56:54 -0400
Message-ID: <521E0FAC.20907@mitre.org>
Date: Wed, 28 Aug 2013 10:56:44 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Eve Maler <eve@xmlgrrl.com>
References: <D4C71EFB-AE88-4E42-AED2-D9202247A3DB@mitre.org> <57d0cc93671e43c09d04fb7f46528b90@BY2PR03MB189.namprd03.prod.outlook.com> <0FD93772-1AEC-4400-8A7D-C9F6D44E2E5E@ve7jtb.com> <4B81034F-7B26-488A-B7FA-E4DBFEB2256C@xmlgrrl.com>
In-Reply-To: <4B81034F-7B26-488A-B7FA-E4DBFEB2256C@xmlgrrl.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.56]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Refactoring Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 14:57:06 -0000

Just wanted to respond to one point:

 > SHOULD around open registration

The reason behind that was to encourage wider adoption. If you don't 
have to do any out of band or manual steps to get your client 
registered, you're more likely as a developer to use it (in my view at 
least), so I'd like to see more service providers work in that mode. Of 
course, it's not a MUST and really shouldn't be a MUST, because as you 
correctly point out there are many valid mechanisms for getting access 
to the registration API. Some are more automated and robust than others. 
What we've tried to do with BlueButton+ is require open registration but 
set policy (which we can specify in our use case) around the difference 
between openly registered clients and registry-backed clients (which 
requires a manual pre-registration step to get a software assertion 
that's presented as an access token). I forsee that when we start to 
build UMA's mechanisms into BB+, we'll have another class of clients 
that have different policies as well, and while we're not quite there 
yet I think it's important to keep the user-introduction flow like this 
in mind and possible, too.

  -- Justin

On 08/27/2013 05:12 PM, Eve Maler wrote:
> Unfortunately I haven't been able to attend the design meetings, but I've continued to follow along here with interest.
>
> I confess that the core/management split seems a little artificial to me. I can imagine a potential use case for splitting things this way -- even a client that was *statically* provisioned its credentials might still want to manage its representation at the authorization server over time. But even so, I would normally expect to see all of this considered part of the "management" bucket, with the first step allowed to happen either on-stage or off-stage. In any case, if the split satisfies some other need I'm missing, I don't want to stand in the way.
>
> Also, I'm still a little stumped at the reluctance to allow a full set of management operations. Is this still a concern over similarity to SCIM, which also has a full set of CRUD-type operations? If so, perhaps it's worth pointing out that many (millions?) of APIs leverage the HTTP verbs in nearly identical ways to "provision" web resources. In fact, my SCIM-related slideware even says "If you've seen one RESTful CRUD API, you've seen 'em all" :), and points out that its unique value is in the *nature* of the resources being provisioned (scoped to user identity data, as noted in the SCIM API spec itself). Similarity like this is a feature of REST, not a bug.
>
> As an aside, I'm surprised the core spec has a SHOULD around open registration. Different APIs have different business models, and the range of possibilities legitimately includes APIs that require approval workflows etc. for onboarding devs and their client apps. In fact, that's one of the exciting things about defining dynamic (machine-to-machine) client registration that can nonetheless put gates in front of client provisioning: it makes OAuth protection more easily achievable even in "circle of trust" scenarios.
>
> Net on the important bits:
> - I'm weakly in favor of a recombined core+management spec but I'm fine with the split if others find it valuable.
> - I'm in favor of keeping the management functions in scope.
>
> 	Eve
>
> On 27 Aug 2013, at 11:52 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
>> I appreciate that is your opinion.   Lets finish splitting the document and agree on what we agree on, then the chairs and others can render a opinion on if http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-management-00 is in scope for this WG.    I happen to think it is in scope, and I suspect I am not alone in that.
>>
>> Right now lets focus on the core of the spec we agree on and leave the scope issue to a later knife fight.
>>
>> John B.
>>
>> On 2013-08-27, at 2:41 PM, Anthony Nadalin <tonynad@microsoft.com> wrote:
>>
>>> I believe the http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-management-00 is out of scope for this WG and needs to go to the APPS area since we don't deal with other OAuth management issues
>>>
>>> -----Original Message-----
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Richer, Justin P.
>>> Sent: Tuesday, August 27, 2013 7:06 AM
>>> To: oauth mailing list
>>> Subject: [OAUTH-WG] Refactoring Dynamic Registration
>>>
>>> After last week's design team call, at Derek's suggestion, I took time today to refactor the Dynamic Registration draft into two pieces: "core" and "management". The former contains the definition of the Registration Endpoint and the semantics surrounding that, the latter contains the Client Configuration Endpoint as well as the "non-essential" client metadata parameters.
>>>
>>> I did this refactoring with an axe, so there are almost certainly bits and pieces that are in the wrong document. In particular, I've kept the use cases in the "core" document even though they reference concepts and constructs defined in the "management" spec. This way people that don't want to deal with a configuration management API can implement just the "core" registration spec and call it a day, while people who want to have full lifecycle control can do the "management" spec on top of it. This does increase the optionality by making the client configuration endpoint parameters optional, but that's the tradeoff for having things cut this way.
>>>
>>> You can read both the specs here:
>>>
>>> http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-core-00
>>>
>>> http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-management-00
>>>
>>> I've uploaded these as individual submissions for now. If the working group decides to move forward with this refactoring, I expect both documents to move in tandem through the RFC approval process.
>>>
>>> -- Justin
>
> Eve Maler                                  http://www.xmlgrrl.com/blog
> +1 425 345 6756                         http://www.twitter.com/xmlgrrl
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.31.3 | Report a Bug | By Email | System Status