Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
Hannes Tschofenig <hannes.tschofenig@gmx.net> Wed, 14 August 2013 06:32 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D9D411E8124 for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 23:32:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.499
X-Spam-Level:
X-Spam-Status: No, score=-102.499 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZarPASYCy-wq for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 23:32:09 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) by ietfa.amsl.com (Postfix) with ESMTP id 0555611E8122 for <oauth@ietf.org>; Tue, 13 Aug 2013 23:32:09 -0700 (PDT)
Received: from [172.16.254.200] ([80.92.114.247]) by mail.gmx.com (mrgmx001) with ESMTPSA (Nemesis) id 0M6SJX-1W1trr3z8F-00yPQE for <oauth@ietf.org>; Wed, 14 Aug 2013 08:32:05 +0200
Message-ID: <520B2472.4040104@gmx.net>
Date: Wed, 14 Aug 2013 08:32:18 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130804 Thunderbird/17.0.8
MIME-Version: 1.0
To: George Fletcher <gffletch@aol.com>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com> <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com> <520A472C.6040101@mitre.org> <D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com> <520A6B0D.7070103@aol.com>
In-Reply-To: <520A6B0D.7070103@aol.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Provags-ID: V03:K0:JbWO1a5Cnk9nQ+w11KQ/wgfL/i06NRzFIzlaY/O4thqrA5INLaV h1tW08XRGq5Pv05rPoti7Os/eWaq8LI8/iWOdMVAVOTsPOfCGuCZoRriIGYMHhGr0Xkon9q 098c8pagTdhWVkD4DzXkrFwnarKe5aPkQNK83MFBZBqa1JD3u2DmdK2YUFmggkP4wVi3dwU SE2aAlQ/x+3q/H0Gj+ybg==
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Aug 2013 06:32:14 -0000
George is correct with his statements. There is, however, a difference between a shared secret and an assertion as Phil pointed out. For the assertion the server does not need to maintain state on a per-client basis. On the other hand since the client secret isn't really used in the classical sense of a password either but rather as a "cookie" (if used in the style of Section 2.3.1 of RFC6749) one could easy apply the concept of stateless tokens to them: http://tools.ietf.org/html/draft-rescorla-stateless-tokens-01 On 08/13/2013 07:21 PM, George Fletcher wrote: > Hi Phil, > > I'm sorry for not following completely. Some questions inline... > > On 8/13/13 11:00 AM, Phil Hunt wrote: >> Dyn reg and the scim reg variant depend too much/biased towards >> passwords expressed as client secrets. > I'm not sure what you mean in regards to "client secrets". There are > OAuth2 bearer tokens that need to be protected because they are bearer > tokens. That said, there is nothing in the spec that requires these to > be opaque blobs vs signed tokens. So both the "Initial Access Token" and > the "Registration Access Token" can be signed tokens. However, the > client still has to protect them as if they were a "secret" because they > are a bearer token and can be replayed. So it's the same amount of work > on the client either way. > >> >> A signed token approach has many advantages for service providers like >> not having to maintain a secure database of secrets/passwords. > If the concern here is the amount of data the Authorization Server has > to store to manage these clients, then the current spec doesn't preclude > using a "signed token". Both OAuth2 bearer tokens identified in the > current spec can be signed tokens. >> >> Finally issuing both a client secret and registration token is costly >> and confusing to client developers. I relented somewhat when I >> realized kerberos does this--but i still feel it is a bad design at >> cloud scale. > Given that client_secrets are OPTIONAL in OAuth2 for some use cases, I'm > not sure how you abstract the client developer from having to deal with > them. The client developer is going to be dealing with multiple OAuth2 > tokens to multiple endpoints regardless so I don't see another token as > costly or complex. At a minimum there is the refresh_token and > access_token. Where is the added client developer complexity? > > Thanks, > George > >> >> Phil >> >> On 2013-08-13, at 7:48, Justin Richer <jricher@mitre.org >> <mailto:jricher@mitre.org>> wrote: >> >>> The spec doesn't care where you deploy at -- if URL space is at a >>> premium for you, then switch based on input parameters and other >>> things. And you're still not clear on which "secrets" you're taking >>> issue with. >>> >>> -- Justin >>> >>> On 08/13/2013 10:46 AM, Anthony Nadalin wrote: >>>> >>>> #1, its yet another endpoint to have to manage secrets at, yes this >>>> is an OAuth item but it’s growing out of control, we are trying to >>>> move away from secrets and management of these endpoints as this >>>> would be just another one we have to support, monitor and report on >>>> >>>> #2 yes, 1 physical endpoint acting as multiple authorization servers >>>> >>>> *From:*George Fletcher [mailto:gffletch@aol.com] >>>> *Sent:* Tuesday, August 13, 2013 7:40 AM >>>> *To:* Anthony Nadalin >>>> *Cc:* mike@gluu.org; Justin Richer; oauth@ietf.org >>>> *Subject:* Re: [OAUTH-WG] OX needs Dynamic Registration: please >>>> don't remove! >>>> >>>> Hi Tony, >>>> >>>> Could you please explain a little more? >>>> >>>> For issue 1: >>>> * Which "secret" are you referring to? OAuth2 by default allows for >>>> an optional client_secret. I'm not sure why this would cause >>>> management issues? Or are you referring to the "Registration Access >>>> Token"? >>>> * Why is a separate endpoint an issue? Any client is going to be >>>> talking to more than just the /authorize and /token endpoints anyway >>>> so I'm confused regarding the extra complexity? >>>> >>>> For issue 2: >>>> * What specifically do you mean by "multi-tenant"? Is this one >>>> server acting on behalf of multiple tenants and so appearing as >>>> multiple Authorization Servers? >>>> >>>> Thanks, >>>> George >>>> >>>> [snip...] >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > -- > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] OX needs Dynamic Registration: please … mike
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Phil Hunt
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… George Fletcher
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Hannes Tschofenig
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Justin Richer
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Justin Richer
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… mike
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Anthony Nadalin
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… George Fletcher
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Anthony Nadalin
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Anthony Nadalin
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Justin Richer
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Phil Hunt
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… George Fletcher
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Justin Richer
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Phil Hunt
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Hannes Tschofenig
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Justin Richer
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… George Fletcher
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Hannes Tschofenig
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Phil Hunt
- Re: [OAUTH-WG] Observations about registration ty… Phil Hunt
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Nat Sakimura
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Phil Hunt
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… John Bradley
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Phil Hunt
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… John Bradley
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Eve Maler
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Anthony Nadalin
- Re: [OAUTH-WG] Observations about registration ty… Prateek Mishra
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Torsten Lodderstedt
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Justin Richer
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Phil Hunt
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Phil Hunt
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Anthony Nadalin
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Anthony Nadalin
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Sergey Beryozkin
- Re: [OAUTH-WG] OX needs Dynamic Registration: ple… Sergey Beryozkin