IETF Logo Mail Archive

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-urn-sub-ns-03.txt

Hannes Tschofenig <hannes.tschofenig@gmx.net> Sat, 23 June 2012 14:30 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25DF321F8507 for <oauth@ietfa.amsl.com>; Sat, 23 Jun 2012 07:30:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.52
X-Spam-Level:
X-Spam-Status: No, score=-103.52 tagged_above=-999 required=5 tests=[AWL=1.079, BAYES_00=-2.599, GB_I_LETTER=-2, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9TBA+cyhxiLH for <oauth@ietfa.amsl.com>; Sat, 23 Jun 2012 07:30:22 -0700 (PDT)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23]) by ietfa.amsl.com (Postfix) with SMTP id 52EA521F842B for <oauth@ietf.org>; Sat, 23 Jun 2012 07:30:22 -0700 (PDT)
Received: (qmail invoked by alias); 23 Jun 2012 14:30:20 -0000
Received: from a88-115-216-191.elisa-laajakaista.fi (EHLO [192.168.100.109]) [88.115.216.191] by mail.gmx.net (mp033) with SMTP; 23 Jun 2012 16:30:20 +0200
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX19/DLZgC2R/8P+C1G6P1DZzqJfg+MDn79/R5Tr0kV OqM3lePUMkirZo
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="iso-8859-1"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <CA+k3eCT2jGW7MF-0jH7Z6Mw6ZWKsgH_=esU5kwy0c3As1LeT_A@mail.gmail.com>
Date: Sat, 23 Jun 2012 17:30:19 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <C23E2DE1-7B0B-4FED-A316-F20305E410BB@gmx.net>
References: <20120621175317.32545.76545.idtracker@ietfa.amsl.com> <4E1F6AAD24975D4BA5B16804296739436656323F@TK5EX14MBXC283.redmond.corp.microsoft.com> <0F4BC83D-9C3E-44CD-9D8C-5784A7495486@gmx.net> <DE39D7C5-5265-44D3-A8C0-F8CA39DBC5C1@gmx.net> <CA+k3eCT2jGW7MF-0jH7Z6Mw6ZWKsgH_=esU5kwy0c3As1LeT_A@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
X-Mailer: Apple Mail (2.1084)
X-Y-GMX-Trusted: 0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-urn-sub-ns-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jun 2012 14:30:24 -0000

Hi Brian, 

Hi Brian, 

On Jun 21, 2012, at 11:48 PM, Brian Campbell wrote:

> On Thu, Jun 21, 2012 at 1:48 PM, Hannes Tschofenig
> <hannes.tschofenig@gmx.net> wrote:
>> Btw, in a discussion with Brian we check the policies for the three extensions in the OAuth core specification
>> 
>> 1) Section 8.3.  Defining New Authorization Grant Types
>> 
>> If you don't define additional token endpoint parameters then there is actually no requirement for expert review or a specification.
>> It is probably FCFS.
> 
> 
> That raises a different question/issue.
It is a related issue. 

The core document says you need an URI for defining new extensions and that means everyone can almost do whatever they want (as I tried to explain in this mail). Note that I saw "almost" -- as you will see below.  


> 
> My understanding of the core spec was that it used URIs in extension
> points that might be profiled by actual specifications as well as by
> vendor-specific or other less rigorous implementations.

Correct. 

For the extensions that are registered under urn:ietf:params:oauth we do, however, need to define the policy. 

> 
> To the extent that's true, §8.3 of OAuth core[1] is problematic in
> that it allows for any URI defining the grant type but requires
> additional parameters the grant type might use to be registered in the
> The OAuth Parameters Registry (and new grant types will most likely
> need additional parameters).

I agree with you. 

> 
> Inf fact, I've already got a vendor-specific grant type that uses an
> unregistered parameter on the token endpoint - it's a simple grant
> type for access token introspection [2]. At the time I was thinking
> the parameter was implicitly qualified by the grant type and this was
> all okay. But looking at it again, per the letter of the spec, this
> would seem to be a violation. But what should we have done? How does a
> vendor-specific extension go about registering a parameter? Would that
> even be a good idea?

The URN you have chosen for your product (urn:pingidentity.com:oauth2:validated_token) is, however, IMHO incorrect. There is no URN registered that starts with urn:pingidentity.com (see http://www.iana.org/assignments/urn-namespaces/urn-namespaces.xml) but I am happy to be educated otherwise. 

You could have just used http://www.pingidentity.com/oauth2/validated_token (or anything like that). The problem with that is that some folks will then try to do a lookup on this URI and will, surprise - surprise, not find anything because this URI is just meant for a different purpose. That's the only problem. 

Of course we could also allow a vendor specific branch in the URN we are defining (something which uses a enterprise id, see http://www.iana.org/assignments/enterprise-numbers). 

Ciao
Hannes


> 
> [1] http://tools.ietf.org/html/draft-ietf-oauth-v2-28#section-8.3
> [2] http://documentation.pingidentity.com/display/PF66/Grant+Type+Parameters#GrantTypeParameters-1079271

v2.23.0 | Report a Bug | By Email