Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and bearer tokens
Justin Richer <jricher@mitre.org> Thu, 06 June 2013 17:49 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76D5221F9AE2 for <oauth@ietfa.amsl.com>; Thu, 6 Jun 2013 10:49:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.465
X-Spam-Level:
X-Spam-Status: No, score=-6.465 tagged_above=-999 required=5 tests=[AWL=0.133, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lzibl4S+INsN for <oauth@ietfa.amsl.com>; Thu, 6 Jun 2013 10:49:19 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 4274021F9AA2 for <oauth@ietf.org>; Thu, 6 Jun 2013 10:49:19 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id E23D9226006E; Thu, 6 Jun 2013 13:49:18 -0400 (EDT)
Received: from IMCCAS02.MITRE.ORG (imccas02.mitre.org [129.83.29.79]) by smtpksrv1.mitre.org (Postfix) with ESMTP id CD17D226004A; Thu, 6 Jun 2013 13:49:18 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS02.MITRE.ORG (129.83.29.79) with Microsoft SMTP Server (TLS) id 14.2.342.3; Thu, 6 Jun 2013 13:49:18 -0400
Message-ID: <51B0CB6D.7060004@mitre.org>
Date: Thu, 06 Jun 2013 13:48:29 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130510 Thunderbird/17.0.6
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <20130524203638.25945.84709.idtracker@ietfa.amsl.com> <87E1F74D-9CCA-4330-82D6-AB3D9B8EF48D@oracle.com> <F319CA95-B5A8-4BD5-A8BA-F57BCBA6806B@oracle.com> <51A8E0BD.9090908@mitre.org> <521EB2A2-C786-43BE-9449-A12324347E6D@oracle.com> <002701ce5e33$620faaa0$262effe0$@reminetworks.com> <0561023C-4AFC-4281-BC62-764C12EC763D@oracle.com> <51A8FCA6.9050109@mitre.org> <004401ce5e3a$01854b70$048fe250$@reminetworks.com> <CA+ZpN24S9fEfFsgMtu8pN-ct-100+HVSHAfqO4Yy2SksrYt1eA@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E1151B105DA5@WSMSG3153V.srv.dir.telstra.com> <CA+ZpN25_tguPtPDkt!> <m> <M8q=72EgnesignTuWE19wi61gCTLLL_g@mail.gmail.com> <1373E8CE237FCC43BCA36C6558612D2A9F26D0@USCHMBX001.nsn-intra.net> <919FB49B-2705-42E4-B5C3-B433C3F81C7F@ve7jtb.com> <9209089C-5B60-4212-88EA-376855DBCEA0@oracle.com> <51B0C14D.5020306@mitre.org> <1CCDB2B8-CAD9-4827-8113-F92537F70375@oracle.com> <51B0C8CE.6070309@! mitre.org> <B7DA2604-0B04-478C-96C3-75E4D3503DB6@oracle.com>
In-Reply-To: <B7DA2604-0B04-478C-96C3-75E4D3503DB6@oracle.com>
Content-Type: multipart/alternative; boundary="------------010600070709040202010904"
X-Originating-IP: [129.83.31.56]
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and bearer tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jun 2013 17:49:24 -0000
I thought we were talking about the registration access token, not the initial access token? -- Justin On 06/06/2013 01:48 PM, Phil Hunt wrote: > This is why this to-MAY-to vs. to-MAH-to distinction around is the > initial access token an authorization token is important. > > The purpose for the initial access token is dramatically different > then normal access tokens. This is for "registration" and does not > constitute authentication or authorization. > > Therefore, in this case, I do not believe that defining access tokens > in the broader sense makes this issue clearer. > > Registration is a very specific process different than authorization. > > This might be a good paper to look at so the group understands why I > am differentiating authorization from what is happening with initial > access: > http://tools.ietf.org/html/draft-hallambaker-httpauth-00 > > Phil > > @independentid > www.independentid.com <http://www.independentid.com> > phil.hunt@oracle.com <mailto:phil.hunt@oracle.com> > > > > > > On 2013-06-06, at 10:37 AM, Justin Richer wrote: > >> Interoperability of the processing of OAuth tokens is a separate >> issue that needs to be solved not just for registration. When it is >> solved in the wider case, Registration as-is will inherit the solution. >> >> So today, if you're using an Initial Access Token (which is >> optional), then you're locked to whatever process you want to use to >> verify/validate that token. Since it's just an OAuth token, you've >> got a number of things that you can do (assertions, introspection, >> magic). >> >> I'd rather we solve the *real* cross-domain issue in the wider case >> than just try to cram something into registration. >> >> -- Justin >> >> On 06/06/2013 01:33 PM, Phil Hunt wrote: >>> >>> Phil >>> >>> @independentid >>> www.independentid.com <http://www.independentid.com/> >>> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com> >>> >>> >>> >>> >>> >>> On 2013-06-06, at 10:05 AM, Justin Richer wrote: >>> >>>> >>>> On 06/06/2013 11:20 AM, Phil Hunt wrote: >>>>> As I've said before the initial auth token should nothing to do >>>>> with auth. It is simply an assertion given to the developer to >>>>> distribute in order to pass on signed claims about the software. >>>> >>>> Phil, as I and several others have explained previously, that's not >>>> true at all. It's a token that gives authorization to the >>>> registration endpoint. The fact that you can use it as an assertion >>>> to pass along signed claims is an artifact of it being an OAuth >>>> token and an OAuth token is an opaque string. Please read through >>>> the dynamic registration draft again -- it says absolutely nothing >>>> about assertions, signatures, or claims with regard to this token. >>> It depends which case you are using. If the developer is talking to >>> a single deployment domain and obtains an initial access token and >>> then ships it with all clients, then sure. In this scenario, the >>> contents are totally controlled by the local domain. >>> >>> I agree. In this case, you don't care about inter-op. The whole >>> environment is siloed. But then, if this is your case, I'm not sure >>> why this draft is at the IETF. >>> >>> The interoperability case is where a third party generates that >>> assertion and the deployment domain has to decide to accept it. So >>> you are a developer and you want to build a client for a Microsoft >>> or Oracle app. You want to be able to ship that to your customers. >>> You register with the appropriate publisher and they give you a >>> signed assertion that can be used as the "Initial Access Token". >>> This token is then accepted by the deployment domain and then it >>> decides if it trusts the signer or not. >>> >>> ===> For this to work, the contents and format of that token MUST be >>> defined. Otherwise how could we ensure a Microsoft signed >>> assertion would be accepted by a PingIdentity OAuth server? Or any >>> other combination of implementations from different vendors/communities? >>> >>>> >>>>> >>>>> Bearer or not bearer is a distraction. The fact that the contents >>>>> and format of this token is out of scope leaves a HUGE interop gap. >>>> >>>> The fact that some of us (myself included) are *using* this token >>>> to carry this kind of information is out of scope for the basic >>>> registration spec. I completely agree that there's value in >>>> defining this stuff, but as a separate and complementary spec from >>>> registration. >>> >>> [PH] I was reacting to John Bradley's assertion that the spec was >>> narrowly defined with interop in mind. Yet this mechanism is a key >>> factor being used to share information about the software. >>> >>>> >>>>> >>>>> Finally never-mind bearer bias, how are client credentials >>>>> rotated interoperably if the only thing rotated is client_secret? >>>> >>>> *any* parameter on the client, including the >>>> registration_access_token and any extension parameters, can be >>>> rotated on any call to the Read or Update methods (except for >>>> client_id). So if you've got another mechanism for doing client >>>> authentication, you can rotate that, too. >>>> >>>>> >>>>> I would say the spec only works for client secrets and/or >>>>> all-in-one domain where there is no interop. >>>> >>>> Considering I've personally used it across domains and without >>>> client secrets (using jwks_uri to register public keys), I have to >>>> empirically disagree with that statement. >>>> >>>> -- Justin >>>> >>>>> >>>>> Phil >>>>> >>>>> On 2013-06-06, at 1:53, John Bradley <ve7jtb@ve7jtb.com >>>>> <mailto:ve7jtb@ve7jtb.com>> wrote: >>>>> >>>>>> There are a couple of reasons. >>>>>> >>>>>> One criticism Hannes and others make of OAuth specs is they are >>>>>> not tightly profiled enough to be interoperable without further >>>>>> out of band configuration and profiling. >>>>>> >>>>>> Making registration work with minimal ambiguity was a priority >>>>>> for Connect and that has carried over. >>>>>> >>>>>> I am not opposed to having this extended at some point in the >>>>>> future, once we have a second token type. The new token type >>>>>> should be available to do updates as well. >>>>>> >>>>>> The problem is that starting down the HoK route potentially >>>>>> requires a registered client that may need to be registered to do >>>>>> the registration. >>>>>> I think that is best left to another spec to sort out the >>>>>> possible turtles. >>>>>> >>>>>> So the default needs to be bearer tokens unless registration is >>>>>> extended by another profile. >>>>>> >>>>>> John B. >>>>>> On 2013-06-06, at 10:15 AM, "Tschofenig, Hannes (NSN - FI/Espoo)" >>>>>> <hannes.tschofenig@nsn.com <mailto:hannes.tschofenig@nsn.com>> wrote: >>>>>> >>>>>>> Because bearer tokens have a stable RFC-numbered spec and are >>>>>>> widely implemented and the registration flow as documented seems >>>>>>> like it should work? -T >>>>>>> That’s the answer for why there is support for bearer tokens but >>>>>>> it is not the answer to why that’s the only supported mechanism. >>>>>>> If we want to support stronger security mechanisms (which the >>>>>>> group has decided to work on already) then we need to have a >>>>>>> story on how to support the other mechanisms as well . >>>>>>> _______________________________________________ >>>>>>> OAuth mailing list >>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>> >>>>>> _______________________________________________ >>>>>> OAuth mailing list >>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>> >>>>> >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>> >> >
- [OAUTH-WG] I-D Action: draft-ietf-oauth-dyn-reg-1… internet-drafts
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-dyn-r… Richer, Justin P.
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-dyn-r… Phil Hunt
- [OAUTH-WG] review comments on draft-ietf-oauth-dy… Torsten Lodderstedt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Torsten Lodderstedt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Richer, Justin P.
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… John Bradley
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… George Fletcher
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… John Bradley
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… John Bradley
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Richer, Justin P.
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Richer, Justin P.
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Donald F Coffin
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Donald F Coffin
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Tim Bray
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Manger, James H
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Tim Bray
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Manger, James H
- [OAUTH-WG] draft-ietf-oauth-dyn-reg and bearer to… Manger, James H
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Tim Bray
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Manger, James H
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Justin Richer
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Justin Richer
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Phil Hunt
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Phil Hunt
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Phil Hunt
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Justin Richer
- Re: [OAUTH-WG] review comments on draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Phil Hunt
- Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and beare… Justin Richer