IETF Logo Mail Archive

Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!

Hannes Tschofenig <hannes.tschofenig@gmx.net> Wed, 14 August 2013 06:32 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D9D411E8124 for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 23:32:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.499
X-Spam-Level:
X-Spam-Status: No, score=-102.499 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZarPASYCy-wq for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 23:32:09 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) by ietfa.amsl.com (Postfix) with ESMTP id 0555611E8122 for <oauth@ietf.org>; Tue, 13 Aug 2013 23:32:09 -0700 (PDT)
Received: from [172.16.254.200] ([80.92.114.247]) by mail.gmx.com (mrgmx001) with ESMTPSA (Nemesis) id 0M6SJX-1W1trr3z8F-00yPQE for <oauth@ietf.org>; Wed, 14 Aug 2013 08:32:05 +0200
Message-ID: <520B2472.4040104@gmx.net>
Date: Wed, 14 Aug 2013 08:32:18 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130804 Thunderbird/17.0.8
MIME-Version: 1.0
To: George Fletcher <gffletch@aol.com>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com> <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com> <520A472C.6040101@mitre.org> <D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com> <520A6B0D.7070103@aol.com>
In-Reply-To: <520A6B0D.7070103@aol.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Provags-ID: V03:K0:JbWO1a5Cnk9nQ+w11KQ/wgfL/i06NRzFIzlaY/O4thqrA5INLaV h1tW08XRGq5Pv05rPoti7Os/eWaq8LI8/iWOdMVAVOTsPOfCGuCZoRriIGYMHhGr0Xkon9q 098c8pagTdhWVkD4DzXkrFwnarKe5aPkQNK83MFBZBqa1JD3u2DmdK2YUFmggkP4wVi3dwU SE2aAlQ/x+3q/H0Gj+ybg==
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Aug 2013 06:32:14 -0000

George is correct with his statements. There is, however, a difference 
between a shared secret and an assertion as Phil pointed out. For the 
assertion the server does not need to maintain state on a per-client 
basis. On the other hand since the client secret isn't really used in 
the classical sense of a password either but rather as a "cookie" (if 
used in the style of Section 2.3.1 of RFC6749) one could easy apply the 
concept of stateless tokens to them:
http://tools.ietf.org/html/draft-rescorla-stateless-tokens-01


On 08/13/2013 07:21 PM, George Fletcher wrote:
> Hi Phil,
>
> I'm sorry for not following completely. Some questions inline...
>
> On 8/13/13 11:00 AM, Phil Hunt wrote:
>> Dyn reg and the scim reg variant depend too much/biased towards
>>  passwords expressed as client secrets.
> I'm not sure what you mean in regards to "client secrets". There are
> OAuth2 bearer tokens that need to be protected because they are bearer
> tokens. That said, there is nothing in the spec that requires these to
> be opaque blobs vs signed tokens. So both the "Initial Access Token" and
> the "Registration Access Token" can be signed tokens. However, the
> client still has to protect them as if they were a "secret" because they
> are a bearer token and can be replayed. So it's the same amount of work
> on the client either way.
>
>>
>> A signed token approach has many advantages for service providers like
>> not having to maintain a secure database of secrets/passwords.
> If the concern here is the amount of data the Authorization Server has
> to store to manage these clients, then the current spec doesn't preclude
> using a "signed token". Both OAuth2 bearer tokens identified in the
> current spec can be signed tokens.
>>
>> Finally issuing both a client secret and registration token is costly
>> and confusing to client developers.  I relented somewhat when I
>> realized kerberos does this--but i still feel it is a bad design at
>> cloud scale.
> Given that client_secrets are OPTIONAL in OAuth2 for some use cases, I'm
> not sure how you abstract the client developer from having to deal with
> them. The client developer is going to be dealing with multiple OAuth2
> tokens to multiple endpoints regardless so I don't see another token as
> costly or complex. At a minimum there is the refresh_token and
> access_token. Where is the added client developer complexity?
>
> Thanks,
> George
>
>>
>> Phil
>>
>> On 2013-08-13, at 7:48, Justin Richer <jricher@mitre.org
>> <mailto:jricher@mitre.org>> wrote:
>>
>>> The spec doesn't care where you deploy at -- if URL space is at a
>>> premium for you, then switch based on input parameters and other
>>> things. And you're still not clear on which "secrets" you're taking
>>> issue with.
>>>
>>>  -- Justin
>>>
>>> On 08/13/2013 10:46 AM, Anthony Nadalin wrote:
>>>>
>>>> #1, its yet another endpoint to have to manage secrets at, yes this
>>>> is an OAuth item but it’s growing out of control, we are trying to
>>>> move away from secrets and management of these endpoints as this
>>>> would be just another one we have to support, monitor and report on
>>>>
>>>> #2 yes, 1 physical endpoint acting as multiple authorization servers
>>>>
>>>> *From:*George Fletcher [mailto:gffletch@aol.com]
>>>> *Sent:* Tuesday, August 13, 2013 7:40 AM
>>>> *To:* Anthony Nadalin
>>>> *Cc:* mike@gluu.org; Justin Richer; oauth@ietf.org
>>>> *Subject:* Re: [OAUTH-WG] OX needs Dynamic Registration: please
>>>> don't remove!
>>>>
>>>> Hi Tony,
>>>>
>>>> Could you please explain a little more?
>>>>
>>>> For issue 1:
>>>> * Which "secret" are you referring to? OAuth2 by default allows for
>>>> an optional client_secret. I'm not sure why this would cause
>>>> management issues? Or are you referring to the "Registration Access
>>>> Token"?
>>>> * Why is a separate endpoint an issue? Any client is going to be
>>>> talking to more than just the /authorize and /token endpoints anyway
>>>> so I'm confused regarding the extra complexity?
>>>>
>>>> For issue 2:
>>>> * What specifically do you mean by "multi-tenant"? Is this one
>>>> server acting on behalf of multiple tenants and so appearing as
>>>> multiple Authorization Servers?
>>>>
>>>> Thanks,
>>>> George
>>>>
>>>> [snip...]
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> --
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email