Re: [OAUTH-WG] PAR metadata
Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 31 December 2019 16:06 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAC81120043 for <oauth@ietfa.amsl.com>; Tue, 31 Dec 2019 08:06:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bo8MpdB_1UiP for <oauth@ietfa.amsl.com>; Tue, 31 Dec 2019 08:06:41 -0800 (PST)
Received: from mail-wr1-x433.google.com (mail-wr1-x433.google.com [IPv6:2a00:1450:4864:20::433]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33AE0120013 for <oauth@ietf.org>; Tue, 31 Dec 2019 08:06:41 -0800 (PST)
Received: by mail-wr1-x433.google.com with SMTP id t2so35509976wrr.1 for <oauth@ietf.org>; Tue, 31 Dec 2019 08:06:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=qYJvoGst3tJpXkyK76xWrIh3h7PntVWfswhUsoaI6Zk=; b=LUet9W0CSTyzweWtgXen95iI/Z3i+ZErSRvcwZsF5sJP1ijIFJoJLo8A4CXG2L129Q bBoFiC9LNFjPVvD8+IGr0atnSIKDaRMaAt5wwR9qsDWkxQOxEI5WO/ZIvhEXJSxNh8XG oOvhoEidn5v3faKLeVA4j68UEYfhER3oWQ0pp8ZZ7GxJ4ntMxwr5TA+SlHVkou9XwreE fBeqPhLML0p1s/pkLaEDGFAXjoeCvlkZrpQIf+gqidNLB1TYJ1RbXI1n9aV3nj+7tQkJ MXOBGvT21ngoU/MDcDqg6NXsyIRig9SZDbiH2Ps3k5xQwXQj6vB9CsKuqOG/LDisJ+Kh 6YSw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=qYJvoGst3tJpXkyK76xWrIh3h7PntVWfswhUsoaI6Zk=; b=d5CjZTv++vGUPdEsXsWpZtB0Y1p6bXbZigPaGkT06Hl6Np2CbDB1H870H6ZVTybP0c sxznhX7SGfawKYfp+1gOL/dEEK5gXZaXAzuh+erMdlwkhN0sI+QbToOOw8YFrTyaDZyT Qq6WZOnv/uZeIEfY8RiIhjwoo7e9f/hr6Z1cfVmeygC5086J34gfnM15fyStmXFq9Jho KZ8lCctXuECw3I8kicS40DZ2bRfReZU7jfEu1anVTZWvp/RRZXtMBwqXRFJszXXTSrRT +BKQHGgimAt8SWroaQrI2Kdg0+E6pwNBi7q6C8/S88vdRsDIQdDnqtPILKWPW1EEcf4l Riyw==
X-Gm-Message-State: APjAAAXG1tMqWY/YkxWyTvGgknhP6OF4VxpsMNZ+MKVmklhjKzI6aTYs mV7toKGIX6CNoVUZpr1JgCZIqw==
X-Google-Smtp-Source: APXvYqwSgoejoOzAPM0EQI9sgRMTJSFvZvZYvf24sEkYOcI+IrYleIEtJ3ipboXCgP4N5KhX1vPCiw==
X-Received: by 2002:adf:f288:: with SMTP id k8mr77214909wro.301.1577808399591; Tue, 31 Dec 2019 08:06:39 -0800 (PST)
Received: from p200300eb8f1a50e4853495bb51a8296f.dip0.t-ipconnect.de (p200300EB8F1A50E4853495BB51A8296F.dip0.t-ipconnect.de. [2003:eb:8f1a:50e4:8534:95bb:51a8:296f]) by smtp.gmail.com with ESMTPSA id n189sm2975154wme.33.2019.12.31.08.06.38 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 31 Dec 2019 08:06:38 -0800 (PST)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <50191CC6-0A19-42B4-87C2-880F53FD3C4F@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_4F740B29-FD50-4381-AB54-8DCBCD4CA8BD"; protocol="application/pkcs7-signature"; micalg="sha-256"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.40.2.2.4\))
Date: Tue, 31 Dec 2019 17:06:06 +0100
In-Reply-To: <CALAqi_-J6vUSc11V1L2L+tGfZEjqdya6R0rqV-kxiM2NoFb0Zw@mail.gmail.com>
Cc: oauth <oauth@ietf.org>, Dave Tonge <dave.tonge@moneyhub.com>, Nat Sakimura <nat@sakimura.org>, Brian Campbell <bcampbell@pingidentity.com>, Roland Hedberg <roland@catalogix.se>
To: Filip Skokan <panva.ip@gmail.com>
References: <E1C4F217-8A9F-4E26-A488-C17D741C1D34@lodderstedt.net> <CALAqi_-J6vUSc11V1L2L+tGfZEjqdya6R0rqV-kxiM2NoFb0Zw@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.40.2.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/lTUIVhoym6Vvzdbz50pVRpDRJHg>
Subject: Re: [OAUTH-WG] PAR metadata
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Dec 2019 16:06:43 -0000
Hi Filip, > On 31. Dec 2019, at 16:22, Filip Skokan <panva.ip@gmail.com> wrote: > > I don't think we need a *_auth_method_* metadata for every endpoint the client calls directly, none of the new specs defined these (e.g. device authorization endpoint or CIBA), meaning they also didn't follow the scheme from RFC 8414 where introspection and revocation got its own metadata. In most cases the unfortunately named `token_endpoint_auth_method` and its related metadata is what's used by clients for all direct calls anyway. > > The same principle could be applied to signing (and encryption) algorithms as well. > > This I do not follow, auth methods and their signing is dealt with by using `token_endpoint_auth_methods_supported` and `token_endpoint_auth_signing_alg_values_supported` - there's no encryption for the `_jwt` client auth methods. > Unless it was meant to address the Request Object signing and encryption metadata, which is defined and IANA registered by OIDC. PAR only references JAR section 6.1 and 6.2 for decryption/signature validation and these do not mention the metadata (e.g. request_object_signing_alg) anymore since draft 07. Dammed! You are so right. Sorry, I got confused somehow. > > PS: I also found this comment related to the same question about auth metadata but for CIBA. Thanks for sharing. > > Best, > Filip thanks, Torsten. > > > On Tue, 31 Dec 2019 at 15:38, Torsten Lodderstedt <torsten@lodderstedt.net> wrote: > Hi all, > > Ronald just sent me an email asking whether we will define metadata for > > pushed_authorization_endpoint_auth_methods_supported and > pushed_authorization_endpoint_auth_signing_alg_values_supported. > > The draft right now utilises the existing token endpoint authentication methods so there is basically no need to define another parameter. The same principle could be applied to signing (and encryption) algorithms as well. > > What’s your opinion? > > best regards, > Torsten.
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metada… Vladimir Dzhuvinov
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metada… Vladimir Dzhuvinov
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metada… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metada… Filip Skokan
- [OAUTH-WG] PAR metadata Torsten Lodderstedt
- Re: [OAUTH-WG] PAR metadata Filip Skokan
- Re: [OAUTH-WG] PAR metadata Brian Campbell
- Re: [OAUTH-WG] PAR metadata Torsten Lodderstedt
- Re: [OAUTH-WG] PAR metadata Torsten Lodderstedt
- Re: [OAUTH-WG] PAR metadata Richard Backman, Annabelle
- Re: [OAUTH-WG] PAR metadata Vladimir Dzhuvinov
- Re: [OAUTH-WG] PAR metadata Brian Campbell
- Re: [OAUTH-WG] PAR metadata Neil Madden
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metada… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: [UNVERIFIE… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: [UNVERIFIE… Torsten Lodderstedt
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: [UNVERIFIE… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metada… Justin Richer
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: [UNVERIFIE… Justin Richer