Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents
John Bradley <ve7jtb@ve7jtb.com> Wed, 30 April 2014 21:32 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C9B01A0948 for <oauth@ietfa.amsl.com>; Wed, 30 Apr 2014 14:32:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4BA-HlDn89-u for <oauth@ietfa.amsl.com>; Wed, 30 Apr 2014 14:32:25 -0700 (PDT)
Received: from mail-qc0-f178.google.com (mail-qc0-f178.google.com [209.85.216.178]) by ietfa.amsl.com (Postfix) with ESMTP id D149E1A079F for <oauth@ietf.org>; Wed, 30 Apr 2014 14:32:24 -0700 (PDT)
Received: by mail-qc0-f178.google.com with SMTP id i8so2559067qcq.37 for <oauth@ietf.org>; Wed, 30 Apr 2014 14:32:23 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=A+7iuJG8RjY0JHa2JqkGVdiwiHxKn3DqU3GsWOn7RBU=; b=KhyRGsqYQmhbJLsZKQLjB1FxLfLtC8Aga5ubKCuAJbjy/NHJuAkX4seN7ScZMswkxX Ywgs0FTgk2PcxzlpoXBhgPq4PQLvU/iB+c5W6tKyDqAMU3EdutMpkbS9EL+0GwUkBWdk EZmXGrKIuzIHehbFGlTiHldYnqecfknRZ9Z5wM6A7lJ7oTYRLkQsEZgxGqacXAfNlEem Jkx6hBmbETCw8mcglm2HWAE434Q5zu8qRhdJKiyGjfhdxzdlYhSI8TDAQD1Hf6cROVVG FRfcxrjhhHZLl0oCQ802AAUpGqCCgd5VbrwOERxTWodIm9aHI8OHKhp6Ran3Dpm0YnsP 8s4w==
X-Gm-Message-State: ALoCoQmjSCJX9KoAAtpZd3tb51Dk6bSGu1Ma1vU/Q7dDTAIuNJ6htr6LbDIsW2JSkLwh3ZFpJk0z
X-Received: by 10.140.26.39 with SMTP id 36mr8358118qgu.111.1398893542860; Wed, 30 Apr 2014 14:32:22 -0700 (PDT)
Received: from [192.168.0.200] ([201.189.26.19]) by mx.google.com with ESMTPSA id n105sm32316329qgd.7.2014.04.30.14.32.14 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 30 Apr 2014 14:32:22 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_546656DE-27A7-42BC-935A-45D843942F31"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CA+k3eCTeNpMi-=jeaa0UMEEMmGSohmRgDJ1doshWtY+M7B_cKA@mail.gmail.com>
Date: Wed, 30 Apr 2014 17:32:18 -0400
Message-Id: <FB8B4550-ECC8-412D-80FB-86BB82394813@ve7jtb.com>
References: <533E77C3.9000509@gmx.net> <53539DF1.4020103@lodderstedt.net> <CA+k3eCTeNpMi-=jeaa0UMEEMmGSohmRgDJ1doshWtY+M7B_cKA@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/kK4yKpZ789gDEq2SY2rIflfQvH0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Apr 2014 21:32:27 -0000
The "jwks" meta-data parameter may also be required for some of the Proof of Possession flows. Allowing a client to register its public key is important for reducing the number of long term symetric keys that need to be maintained. On Apr 30, 2014, at 5:15 PM, Brian Campbell <bcampbell@pingidentity.com> wrote: > As Mike and Torsten have said, and for the same reasons, I would also like to see the "jwks" metadata parameter added. > > > On Sun, Apr 20, 2014 at 4:14 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote: > Hi all, > > I also believe both documents should be merged. > > Nevertheless, here are my comments on the current drafts: > > > * OAuth 2.0 Dynamic Client Registration Core Protocol http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16 > > 1.2. Terminology > > " Multiple instances of the same piece of client software MAY use > the same Client ID value at an authorization server, provided that > the Redirection URI values and potentially other values dictated > by authorization server policy are the same for all instances." > > Which entity determines whether the same client id is used for different instances? Given the current protocol design, I would assume it is at the discretion of the authz server. Other opinions? > > "Software Statement ... It may also be accepted by some authorization servers > directly as a Client ID value, without prior registration." > > under which circumstances does an authz server accept a software statement as client_id? How does the client know? I think the idea is valuable but needs much more text in order to come up with an interoperable protocol design. > > 1.3. Protocol Flow > > Initial Access Token vs. Software Statement: In my opinion, those concepts are two different ways to authorize client registration. Although there are the typical differences between tokens and assertions (such as opaque content vs. defined syntax), I feel software statements could supersede initial access tokens. > Thoughts? > > 2. Client Metadata > > "redirect_uris ... It is > RECOMMENDED that clients using these flows register this > parameter, and an authorization server SHOULD require ..." > > I consider this a rather weak statement - does this foster interop? Why not requiring registration of redirect_uris for all clients using web-based grant types. > > last paragraph: > "If the same client metadata name is present in both > locations, the value in the software statement SHOULD take > precedence." > > why not MUST? > > 3. Software Statement > > Is there a need to require a certain signature method for JWTs used as software statement (interop)? JWT itself requires "HMAC" and "none", which both are of no or limited value in this context. RSA is just recommended by the JWT spec. > > 5.1 > > "If a software statement was used as part of the registration, its > value SHOULD be returned in the response and its value MUST be > returned if the authorization server supports registration management > operations [OAuth.Registration.Management] that would require its > presence in subsequent operations." > > I don't get the connection between software statements and the management API. In the management API spec, I only found a reference to software statements in the introduction. Should this text just be removed? > > 5.2 > > error codes - invalid_client_metadata > > I consider this underspecified. How is the client supposed to react if this error occurs? I would expect the authz server to give more detailed information regarding error conditions, e.g. notify the client if particular requested grant types are not supported. Otherwise, the client cannot handle those error differently. > > > * OAuth 2.0 Dynamic Client Registration Metadata > http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00 > > I would suggest to add "jwks" (as defined in http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata) in order to support native clients. > > regards, > Torsten. > > Am 04.04.2014 11:13, schrieb Hannes Tschofenig: >> Hi all, >> >> This is a Last Call for comments on the dynamic client registration >> documents: >> >> * OAuth 2.0 Dynamic Client Registration Core Protocol >> http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16 >> >> * OAuth 2.0 Dynamic Client Registration Metadata >> http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00 >> >> Since we have to do the last call for these two documents together we >> are setting the call for **3 weeks**. >> >> Please have your comments in no later than April 25th. >> >> Ciao >> Hannes & Derek >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > > -- > > Brian Campbell > [Enter Title] > @ bcampbell@pingidentity.com > +1 720.317.2061 > Connect with us… > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Working Group Last Call on Dynamic Cli… Hannes Tschofenig
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Justin Richer
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Bill Mills
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Mike Jones
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Torsten Lodderstedt
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Hannes Tschofenig
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Anthony Nadalin
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Bill Mills
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Mike Jones
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Mike Jones
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Torsten Lodderstedt
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Phil Hunt
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Mike Jones
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Phil Hunt
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Mike Jones
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Torsten Lodderstedt
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Brian Campbell
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Brian Campbell
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… John Bradley