Re: [OAUTH-WG] OAuth Discovery

John Bradley <ve7jtb@ve7jtb.com> Sat, 28 November 2015 23:41 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
Date: Sat, 28 Nov 2015 20:41:32 -0300
To: Prateek Mishra <Prateek.Mishra@oracle.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth Discovery
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/h9_ltK-jlBbIHp9nn6sNE3HhDcU>

No one is saying we shouldn’t.

What I said was that Connect will consider refactoring its discovery to be based on the IETF version once there is one, if it is possible.

If it is not possible for Connect to use the OAuth discovery from this WG then that would be a fail.

I think we are in agreement.

What Mike and I submitted is a starting point.

John B.


> On Nov 28, 2015, at 7:24 PM, Prateek Mishra <Prateek.Mishra@oracle.com> wrote:
> 
> +1
>> I would like to understand these broader requirements, use cases, and security considerations first.
>>
>> Phil
> 
> 
> OAuth is being used in a *much* broader set of use-cases and contexts than OpenID Connect.
>
> I think it's very important to have a solution that addresses these flows.
> 
> - prateek
> 
> 
>> On Nov 27, 2015, at 20:05, Mike Jones <Michael.Jones@microsoft.com> wrote:
>> 
>>> It allows non-Connect implementation of OAuth 2.0 to also have a standard discovery capability – and one that can later be updated to also support OpenID Connect with no breaking changes, should that be desired in the future.
>>>
>>> -- Mike
>>>
>>> From: Bill Mills [mailto:wmills_92105@yahoo.com]
>>> Sent: Friday, November 27, 2015 7:58 PM
>>> To: Mike Jones <Michael.Jones@microsoft.com>; oauth@ietf.org
>>> Subject: Re: [OAUTH-WG] OAuth Discovery
>>>  
>>> Can you elaborate on the advantage of having a separate parallel spec to OpenID Discovery?
>>>  
>>>  
>>> On Wednesday, November 25, 2015 3:37 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>>>  
>>> I’m pleased to announce that Nat Sakimura, John Bradley, and I have created an OAuth 2.0 Discovery specification.  This fills a hole in the current OAuth specification set that is necessary to achieve interoperability.  Indeed, the Interoperability section of OAuth 2.0 <https://tools.ietf.org/html/rfc6749#section-1.8> states:
>>> In addition, this specification leaves a few required components partially or fully undefined (e.g., client registration, authorization server capabilities, endpoint discovery).  Without these components, clients must be manually and specifically configured against a specific authorization server and resource server in order to interoperate.
>>>   
>>> This framework was designed with the clear expectation that future work will define prescriptive profiles and extensions necessary to achieve full web-scale interoperability.
>>>  
>>> This specification enables discovery of both endpoint locations and authorization server capabilities.
>>>  
>>> This specification is based upon the already widely deployed OpenID Connect Discovery 1.0 <http://openid.net/specs/openid-connect-discovery-1_0.html> specification and is compatible with it, by design.  The OAuth Discovery spec removes the portions of OpenID Connect Discovery that are OpenID specific and adds metadata values for Revocation and Introspection endpoints.  It also maps OpenID concepts, such as OpenID Provider, Relying Party, End-User, and Issuer to their OAuth underpinnings, respectively Authorization Server, Client, Resource Owner, and the newly introduced Configuration Information Location.  Some identifiers with names that appear to be OpenID specific were retained for compatibility purposes; despite the reuse of these identifiers that appear to be OpenID specific, their usage in this specification is actually referring to general OAuth 2.0 features that are not specific to OpenID Connect.
>>>  
>>> The specification is available at:
>>> - http://tools.ietf.org/html/draft-jones-oauth-discovery-00
>>>
>>> An HTML-formatted version is also available at:
>>> - http://self-issued.info/docs/draft-jones-oauth-discovery-00.html
>>>  
>>> -- Mike
>>>
>>> P.S.  This note was also posted at http://self-issued.info/?p=1496 and as @selfissued <https://twitter.com/selfissued>.
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
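As an added illustration of the client-side checks an authorization server metadata document calls for (example code written for this archive page, not from the draft or from any poster on the thread): the metadata key names `issuer`, `authorization_endpoint`, `token_endpoint`, `revocation_endpoint`, `introspection_endpoint` and `jwks_uri` are assumed, and the sample document is constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of an authorization server metadata document, in the
# JSON object shape OAuth Discovery inherits from OpenID Connect Discovery.
# The key names are an assumption about the draft's metadata vocabulary.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://as.example.com",
    "authorization_endpoint": "https://as.example.com/authorize",
    "token_endpoint": "https://as.example.com/token",
    "revocation_endpoint": "https://as.example.com/revoke",
    "introspection_endpoint": "https://as.example.com/introspect",
    "jwks_uri": "https://as.example.com/jwks.json",
    "response_types_supported": ["code", "token"],
})

# Fields a client cannot do without before it trusts the document.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint")


def validate_metadata(doc: str, expected_issuer: str) -> list:
    """Return a list of problems; an empty list means the document is acceptable.

    The key defensive check is that the 'issuer' the document claims matches
    the issuer the client expected to discover, so a client does not adopt
    endpoints published by some other server.  Every endpoint and the JWKS
    location must also be an https URL.
    """
    problems = []
    try:
        md = json.loads(doc)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(md, dict):
        return ["top-level value is not a JSON object"]
    for key in REQUIRED:
        if key not in md:
            problems.append(f"missing required field {key}")
    issuer = md.get("issuer")
    if issuer is not None:
        if issuer != expected_issuer:
            problems.append(f"issuer mismatch: got {issuer!r}, expected {expected_issuer!r}")
        parts = urlsplit(str(issuer))
        if parts.scheme != "https" or parts.query or parts.fragment:
            problems.append("issuer must be an https URL without query or fragment")
    for key, value in md.items():
        if key.endswith("_endpoint") or key == "jwks_uri":
            if not isinstance(value, str) or urlsplit(value).scheme != "https":
                problems.append(f"{key} is not an https URL")
    return problems
```

Calling `validate_metadata(SAMPLE_METADATA, "https://as.example.com")` on the constructed sample returns an empty list; a document served for a different issuer, or one that lists a plain-http token endpoint, is reported rather than silently accepted.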