Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt
Peter Saint-Andre <stpeter@stpeter.im> Sat, 26 March 2011 20:30 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7CFA23A6836 for <oauth@core3.amsl.com>; Sat, 26 Mar 2011 13:30:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.962
X-Spam-Level:
X-Spam-Status: No, score=-101.962 tagged_above=-999 required=5 tests=[AWL=-0.432, BAYES_00=-2.599, DATE_IN_PAST_06_12=1.069, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CERsbEpsROUK for <oauth@core3.amsl.com>; Sat, 26 Mar 2011 13:30:16 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id B07BB3A6821 for <oauth@ietf.org>; Sat, 26 Mar 2011 13:30:16 -0700 (PDT)
Received: from dhcp-104b.meeting.ietf.org (dhcp-104b.meeting.ietf.org [130.129.16.75]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 04D5540046; Sat, 26 Mar 2011 14:33:17 -0600 (MDT)
Message-ID: <4D8DF070.30106@stpeter.im>
Date: Sat, 26 Mar 2011 14:56:00 +0100
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.15) Gecko/20110303 Thunderbird/3.1.9
MIME-Version: 1.0
To: Eran Hammer-Lahav <eran@hueniverse.com>
References: <CD86669D-CFBA-4557-9680-448DF65CFB0A@gmx.net> <4D8A65BF.7060506@stpeter.im> <90C41DD21FB7C64BB94121FBBC2E7234465642FEAB@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234465642FEAB@P3PW5EX1MB01.EX1.SECURESERVER.NET>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms070201080204060305080808"
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Mar 2011 20:30:46 -0000
[written while in transit, delivery will be delayed] Thanks for the clarifications. A few comments and questions inline, other topics elided for brevity. On 3/25/11 1:42 AM, Eran Hammer-Lahav wrote: > >> -----Original Message----- >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf >> Of Peter Saint-Andre >> Sent: Wednesday, March 23, 2011 2:27 PM > >> 3. In the definition of "token endpoint" in Section 2, should "used to >> exchange an authorization grant for an access token" be "used to exchange >> an authorization grant or refresh token for an access token"? > > I guess. A refresh token is an authorization grant of sorts. Section 1.4 is about authorization grants and Section 1.5 is about refresh tokens, so I assumed that the latter is not included in the former. Thus my confusion. >> 5. Section 3 states: >> >> The authorization server SHOULD NOT issue client credentials to >> clients incapable of keeping their secrets confidential. >> >> How does the authorization server know that a client is not capable of >> keeping its secrets confidential? > > Ask. Most services ask about the client type in their registration process. Now that you phrase it that way, it makes sense (no in-band discovery needed). Perhaps add a parenthetical phrase such as: The authorization server SHOULD NOT issue client credentials to clients incapable of keeping their secrets confidential (e.g., as determined when the client registers with the authorization server). >> 7. The various subsections of Section 4 have lots of repeated text for the >> parameter definitions (e.g., "client_id" and "scope", as well as the error >> codes). I think it would be cleaner to define these once and reference those >> definitions throughout the spec. > > Tried that. It was nicer for the editor but much less readable. Most people are not expected to read the entire specification, just the parts they care about. This is the result of many long rewrites. OK, I just worry about saying the same thing in different places but in slightly different ways. We'll want to harmonize them at the end (could be handled via XML entities within the source document). >> 8. The various subsections of Section 4 also provide conflicting information >> about various parameter values. For example, Section 4.1.1 says of >> "response_type" that it "MUST be set to "code"" whereas Section >> 4.2.1 says "MUST be set to "token"". It would reduce the possibility of >> confusion to say "When the request is an authorization request, the >> response_type MUST be set to "code"" or somesuch. > > Added to 2.1: > > The REQUIRED "response_type" request parameter is used to identify > which grant type the client is requesting: authorization code or > implicit, described in Section 4.1.1 and Section 4.2.1 respectively. > If the request is missing the "response_type" parameter, the > authorization server SHOULD return an error response as described in > Section 4.1.2.1. WFM. >> 9. What is the expected lifetime of access tokens? Does it make sense to >> have expires_at (in UTC) instead of, or in addition to, expires_in (a number >> of seconds)? > > Lifetime is out of scope. As for the parameter, we had a few long threads and the conclusion was that expires_in is easier to issue and as easy to parse. The client can always take the Date header and add the value to it. In low latency environments, this reduces the need for clock synchronization since the value is relative. OK. >> 10. In Section 4.3.2 there is an open issue regarding internationalization of >> the client's username and password. What is the current thinking about a >> resolution? > > Nothing. Leave it where HTTP Basic left it. Not ideal but after almost a year, no one offered a text (including the person who raised the issue). I think that's fine here given that these are the usernames and passwords of automated clients, not human users (as RFC 2277 says, "internationalization is for humans"). >> 13. In Section 8.2, are we really recommending "x_"? I must finish work on >> draft-saintandre-xdash-considered-harmful... > > It's the simplest way to curve out a namespace for vendor specific parameters that have no value or place being registered. We can't use URI's for parameter names (that would be awful). Got other suggestions? Not yet. I'll give it more thought. >> 14. In Sections 10.1 and 10.2, I'm uncomfortable with this text: >> >> Before a period of 14 days has passed, the Designated Expert(s) will >> either approve or deny the registration request, communicating this >> decision both to the review list and to IANA. Denials should include >> an explanation and, if applicable, suggestions as to how to make the >> request successful. Registration requests that are undetermined for >> a period longer than 21 days can be brought to the IESG's attention >> (using the iesg@iesg.org mailing list) for resolution. > > It's from RFC 5785 which was negotiated with the IESG before RFC 5988. I'll make the switch to 5988. This was a bone of contention during IESG discussions of what became RFC 5988, so the language from the latter spec should be less controversial. >> 15. Section 10.2.1 says: >> >> Parameter usage location: >> The location(s) where parameter can be used. The possible >> locations are: authorization request, authorization response, >> token request, or token response. >> >> Are those the only allowable locations? I notice that the bearer token spec >> adds a locations of "resource request" and "resource response". I'm not >> quite saying we need a registry of locations, but it might be good to have a >> well-defined way of adding to the list of allowable locations (otherwise a >> document like the bearer spec might need to say that it updates the base >> spec). > > The bearer token proposal to extend the locations available is in violation of the protocol and specification architecture. It is just a really bad idea. Specifically, the idea of any registry defining HTTP URI query request parameters is a violation of the provider's namespace. We can define a registry for OAuth endpoints but not for protected resources which may not even support any URI query or form-encoded body parameters. Doing so would REQUIRE updating 2616. > > There are no use cases or requirements for extending the locations and no extensibility is needed. So will draft-ietf-oauth-v2-bearer be fixed? Peter -- Peter Saint-Andre https://stpeter.im/
- [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Hannes Tschofenig
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Brian Campbell
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Torsten Lodderstedt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Chuck Mortimore
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Justin Richer
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phil Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Peter Saint-Andre
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phil Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Chuck Mortimore
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phil Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Peter Saint-Andre
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Justin Richer
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt George Fletcher
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phil Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Justin Richer
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phil Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phil Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt George Fletcher
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt George Fletcher
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Manger, James H
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Dick Hardt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phillip Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Chuck Mortimore
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Torsten Lodderstedt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Justin Richer
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Dick Hardt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phil Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Dick Hardt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt George Fletcher
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phil Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phil Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Prateek Mishra
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Skylar Woodward
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phil Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Eran Hammer-Lahav
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phil Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Mike Jones
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Skylar Woodward
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Torsten Lodderstedt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phil Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Dick Hardt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Skylar Woodward
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Skylar Woodward
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Skylar Woodward
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Phillip Hunt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Francisco Corella
- [OAUTH-WG] to TLS or not on redirect on consumer … Dick Hardt
- Re: [OAUTH-WG] to TLS or not on redirect on consu… Eran Hammer-Lahav
- Re: [OAUTH-WG] to TLS or not on redirect on consu… Francisco Corella
- Re: [OAUTH-WG] to TLS or not on redirect on consu… Eran Hammer-Lahav
- Re: [OAUTH-WG] to TLS or not on redirect on consu… Dick Hardt
- Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt Prateek Mishra
- Re: [OAUTH-WG] Authorization code security issue … Phil Hunt
- Re: [OAUTH-WG] Authorization code security issue … Brian Eaton
- Re: [OAUTH-WG] Authorization code security issue … Oleg Gryb
- Re: [OAUTH-WG] Authorization code security issue … Phil Hunt
- Re: [OAUTH-WG] Authorization code security issue … Skylar Woodward
- Re: [OAUTH-WG] Authorization code security issue … Phillip Hunt
- Re: [OAUTH-WG] Authorization code security issue … Skylar Woodward
- Re: [OAUTH-WG] Authorization code security issue … Phil Hunt
- Re: [OAUTH-WG] Authorization code security issue … Skylar Woodward
- Re: [OAUTH-WG] Authorization code security issue … Phil Hunt
- Re: [OAUTH-WG] Authorization code security issue … Skylar Woodward
- Re: [OAUTH-WG] Authorization code security issue … Phil Hunt
- Re: [OAUTH-WG] Authorization code security issue … Brian Eaton
- Re: [OAUTH-WG] Authorization code security issue … Eran Hammer-Lahav
- Re: [OAUTH-WG] to TLS or not on redirect on consu… Francisco Corella
- Re: [OAUTH-WG] to TLS or not on redirect on consu… Francisco Corella
- Re: [OAUTH-WG] Authorization code security issue … Skylar Woodward
- Re: [OAUTH-WG] Authorization code security issue … Phillip Hunt
- Re: [OAUTH-WG] Authorization code security issue … Skylar Woodward
- Re: [OAUTH-WG] Authorization code security issue … Chuck Mortimore