[OAUTH-WG] Re: OAuth Client ID Metadata Document
Dick Hardt <dick.hardt@gmail.com> Mon, 08 July 2024 19:57 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E0F3C217CE7 for <oauth@ietfa.amsl.com>; Mon, 8 Jul 2024 12:57:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8uujKwtC-Fcd for <oauth@ietfa.amsl.com>; Mon, 8 Jul 2024 12:57:18 -0700 (PDT)
Received: from mail-yb1-xb36.google.com (mail-yb1-xb36.google.com [IPv6:2607:f8b0:4864:20::b36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DE2BC217CD8 for <oauth@ietf.org>; Mon, 8 Jul 2024 12:57:18 -0700 (PDT)
Received: by mail-yb1-xb36.google.com with SMTP id 3f1490d57ef6-e03c6892e31so4036992276.1 for <oauth@ietf.org>; Mon, 08 Jul 2024 12:57:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1720468637; x=1721073437; darn=ietf.org; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=wIPZFuAGzT+87lraMnUMCvG0eiRrXn57BBxNsTEaMAY=; b=K45KWYs4ibZNsmZqTz8e2tpf+hsnENH9PGg6d4Vl2w5rRKw9YWbCAkkrx+txCE71JW WrjFHJ8+Gi7RMuoRgerOipq+Ya32iTLVS9kvtiYTxNMqBL7etFsZuuL9thg9BM8ZR1no 0/D+28zJ/kejDophooqNVT3k6PBQx1hcgcoEQ8HlQh1Ki1o6WpkvJ4c63qWPmEIyUc4d rKv12M/PGvaD2IIIFJVo5nfy/2H8TVA0ObFN4wV+MfEP6zXcoOFe/PCSmNjKiOfVkuEI 4MfMUzvJn8zkO3tNfxMq2K2XytM/8Zx9hUcMiTniAI5t2gtNaDvzICX/bnW6pV/lNy2H 5LkQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720468637; x=1721073437; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=wIPZFuAGzT+87lraMnUMCvG0eiRrXn57BBxNsTEaMAY=; b=jHFKs9TdqwvngWqID1ByTxzpsPQp2KPfs+EK8THz+hLLLqNtDaENmCQ5Xq4V8T3VDz kiPcoBYx/L4BEB6/dF70IFYdpHpHGwD+zQjLd1RRBZVRGAuYUzMRGcNtS0Phf/cAO2yv 5wODDNif9/tibstyqU4NfcXo32bHjLKprIFsOOTG3BZU46tFcdSZ2XUu6GFTiyvxMOME eIlQPr4Uk+xcvkx7MztcQm5+v/dWO6XP6lzr4RhW20L4bxaJVuvAcTwZ/ZGG2kAhGNV7 iujyQRqbCld35fNjUIc7AJ3pkWn7J0gBnXeLonfaBfvKVBnLbneTVgCUBTt5yBMBommD +YFg==
X-Forwarded-Encrypted: i=1; AJvYcCXfiTiBk0ngAucfMY1YMCzBKmJHCSD0RL8F83enU2plUAM+RKWtYNtL+vy4dAE4jhuPHJLNR8dOyWoxuRdyiw==
X-Gm-Message-State: AOJu0YxOgH+74cRGy1SDRSHnQP83nIWY8IcEv3sawEWv7dJOBx45IaQX /TIdV/138kCMMXLI8GrWJ0PWsG+Hl1yuQRbM4SiebW/+dv3Xs77eo0mjjWlHGJkgLM5XIGluwKv REX1Hh4nXu0eLXGtxsfRX/vRWyxHtNZlw
X-Google-Smtp-Source: AGHT+IE99S5Sord50TIYvfNj/Q3391nVudAFfOrDLsq4SZZhPaul2d3iMARv38FiPhcNI3H9a4be7FlpzKAtSYgsY9w=
X-Received: by 2002:a25:2689:0:b0:e02:b5cf:97ac with SMTP id 3f1490d57ef6-e041b03d301mr869337276.3.1720468637284; Mon, 08 Jul 2024 12:57:17 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-sDwJ3UZq9XtqwkKv7etjKP=9SeJYzhJN6WyEMpiBNAhA@mail.gmail.com> <37510C10-72A2-41C5-A28B-E75DE2723D90@brandedcode.com>
In-Reply-To: <37510C10-72A2-41C5-A28B-E75DE2723D90@brandedcode.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 08 Jul 2024 12:56:40 -0700
Message-ID: <CAD9ie-tj6V_h6UjexTtw7uitVZ9gnttJor6r86FbOTNvZsn_FA@mail.gmail.com>
To: Emelia Smith <emelia@brandedcode.com>
Content-Type: multipart/alternative; boundary="000000000000f90a1f061cc1d16c"
Message-ID-Hash: SF3BJVTLPKZLJTO3CWB3YZMAJDBFJYAA
X-Message-ID-Hash: SF3BJVTLPKZLJTO3CWB3YZMAJDBFJYAA
X-MailFrom: dick.hardt@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Reply-To: Dick.Hardt@gmail.com
Subject: [OAUTH-WG] Re: OAuth Client ID Metadata Document
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/lShj9t61fwP6ZHfXvWqnk7BWn_M>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
On Mon, Jul 8, 2024 at 12:38 PM Emelia Smith <emelia@brandedcode.com> wrote: > > > On 8. Jul 2024, at 21:17, Dick Hardt <dick.hardt@gmail.com> wrote: > > > On Mon, Jul 8, 2024 at 11:33 AM Emelia S. <emelia@brandedcode.com> wrote: > >> I would suggest that if an AS were to implement to competing >> specifications for what a client_id means, then it'd be up to the >> implementor to decide what is used when. E.g., it'd be difficult to support >> both OpenID Federation and this I-D simultaneously without some degree of >> work on the implementors' behalf to try to decide which specification >> should be used (both have client_id's as URIs, but operate very differently) >> > > Why would there be any difference between the two? OpenID Connect does not > dictate where the client metadata comes from. > > > This is in relation to OpenID Federation which also allows URIs as > client_id's and has a process for resolving them based on a well-known URI. > > > https://openid.net/specs/openid-federation-1_0.html#name-obtaining-federation-entity > > So how it handles a URI as client_id is different to how our I-D handles > things, you would likely pick one to implement based on your security > requirements. (e.g., a bank or fintech service isn't likely to use client > identifier metadata documents, because they need a much higher level of > trust than something like social networking) > Silly me. I thought you had mistyped OpenID Connect as OpenID Federation and glossed over that. As the resolution will provide different data (and the URL to be resolved is different), an AS could act accordingly based on the result. I think all that is needed for the spec is calling out the potential conflicts and that the AS needs to be able to figure it out. > > The only real mechanism for "claim" here would be through some sort of DNS >> proof, but that requires either some sort of binding between the client >> identifier metadata document and the DNS record, or some pre-existing >> relationship with the AS where the AS provides the value for the proof. I'd >> be inclined to consider this out of scope, and just allow AS's to provide >> access to resources as they see fit (no different to dynamic client >> registration) >> > > Per my comments in GitHub, do we want to be able to treat developers of > software that want localhost differently than people that deploy the > software that are able to deploy without registration? > > If so, then standardizing how to claim your app may be useful. > > There may not be a requirement to actually claim the app though. The > developer might be able to just enter a URI for the client and then have > access to additional features for development. I've not thought through all > the security implications of course! > > > I don't think we do want to support client_id's that resolve to non-public > resources, as there is just too much risk of SSRF attacks and the AS cannot > fetch the client metadata, which is the entire purpose of this I-D: > allowing the AS to request the metadata rather than needing DCR. > I agree we don't want to support client_ids that resolve to non-public metadata. But the metadata could include localhost as a redirect_uri. That was what I thought we were discussing. What are valid redirect_uris, and are they restricted to being a URL containing the client_id. >
- [OAUTH-WG] OAuth Client ID Metadata Document Dick Hardt
- [OAUTH-WG] Re: OAuth Client ID Metadata Document Aaron Parecki
- [OAUTH-WG] Re: OAuth Client ID Metadata Document Emelia Smith
- [OAUTH-WG] Re: OAuth Client ID Metadata Document Dick Hardt
- [OAUTH-WG] Re: OAuth Client ID Metadata Document Dick Hardt
- [OAUTH-WG] Re: OAuth Client ID Metadata Document Emelia S.
- [OAUTH-WG] Re: OAuth Client ID Metadata Document Dick Hardt
- [OAUTH-WG] Re: OAuth Client ID Metadata Document Emelia Smith
- [OAUTH-WG] Re: OAuth Client ID Metadata Document Dick Hardt
- [OAUTH-WG] Re: OAuth Client ID Metadata Document David Waite