Re: [OAUTH-WG] OAuth Discovery

John Bradley <ve7jtb@ve7jtb.com> Thu, 26 November 2015 00:59 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAAP42hDvTqEFDREwMOwXqimNMi+7W=SMLZ2z+HJ_Cw75xVQz_Q@mail.gmail.com>
Date: Wed, 25 Nov 2015 21:59:18 -0300
Message-Id: <DC6E5F9B-9CDB-43CC-A68C-38E0D936C330@ve7jtb.com>
References: <BY2PR03MB4420981B312D92924AD6BFFF5050@BY2PR03MB442.namprd03.prod.outlook.com> <CAAP42hDvTqEFDREwMOwXqimNMi+7W=SMLZ2z+HJ_Cw75xVQz_Q@mail.gmail.com>
To: William Denniss <wdenniss@google.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/hDIXM8mEt77cAgv6xzUHDPcgBlg>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth Discovery

Inline
> On Nov 25, 2015, at 9:01 PM, William Denniss <wdenniss@google.com> wrote:
> 
> Looks good. A few review notes:
> 
> 1.
> Can we add a xref to the WebFinger spec (RFC7033) in section 2?
Yes that should be OK
> 
> 2.
> Is the only way to discover the location of the discovery document via WebFinger?
> 
> In Yokohama we also talked about the AS returning the discovery document host (i.e. issuer) on the auth and token endpoints.  What are the reasons for choosing WebFinger over that method?

This is a first draft that is close to the Connect document. It needs work around what an issuer (AS identity) is in OAuth. Some of the WebFinger stuff is strange without a specific API that you are looking for. It would be odd to look for someone's OAuth server. I could see looking for a person's photo-sharing service and getting directed to its AS discovery document, assuming a well-known API.

Nat has a spec on meta-data for the endpoint API.   The WG may elect to merge them or keep them separate.   It would be the endpoint meta-data (headers) that would point at the discovery document.

This is a start.

> 
> 3.
> It looks like an IANA registry was not set up for OpenID Connect discovery params (at least, not in that spec). Is the registry established in http://tools.ietf.org/html/draft-jones-oauth-discovery-00#section-8.1.2 designed to be a shared registry for OIDC/OAuth discovery? And if so, should we also register values defined in the OIDC discovery spec, e.g. "subject_types_supported"?

I expect that like registration, OAuth would establish the registry and register an initial set, and then Connect would add connect specific claims to that registry once it is established.

John B.
> 
> On Wed, Nov 25, 2015 at 3:37 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> I'm pleased to announce that Nat Sakimura, John Bradley, and I have created an OAuth 2.0 Discovery specification. This fills a hole in the current OAuth specification set that is necessary to achieve interoperability. Indeed, the Interoperability section of OAuth 2.0 <https://tools.ietf.org/html/rfc6749#section-1.8> states:
> 
> In addition, this specification leaves a few required components partially or fully undefined (e.g., client registration, authorization server capabilities, endpoint discovery). Without these components, clients must be manually and specifically configured against a specific authorization server and resource server in order to interoperate.
> 
> This framework was designed with the clear expectation that future work will define prescriptive profiles and extensions necessary to achieve full web-scale interoperability.
> 
> This specification enables discovery of both endpoint locations and authorization server capabilities.
> 
> This specification is based upon the already widely deployed OpenID Connect Discovery 1.0 <http://openid.net/specs/openid-connect-discovery-1_0.html> specification and is compatible with it, by design. The OAuth Discovery spec removes the portions of OpenID Connect Discovery that are OpenID specific and adds metadata values for Revocation and Introspection endpoints. It also maps OpenID concepts, such as OpenID Provider, Relying Party, End-User, and Issuer to their OAuth underpinnings, respectively Authorization Server, Client, Resource Owner, and the newly introduced Configuration Information Location. Some identifiers with names that appear to be OpenID specific were retained for compatibility purposes; despite the reuse of these identifiers that appear to be OpenID specific, their usage in this specification is actually referring to general OAuth 2.0 features that are not specific to OpenID Connect.
> 
> The specification is available at:
> 
> · http://tools.ietf.org/html/draft-jones-oauth-discovery-00
> 
> An HTML-formatted version is also available at:
> 
> · http://self-issued.info/docs/draft-jones-oauth-discovery-00.html
> 
>                                                                 -- Mike
> 
> P.S. This note was also posted at http://self-issued.info/?p=1496 and as @selfissued <https://twitter.com/selfissued>.
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>