Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-par-00.txt

Torsten Lodderstedt <torsten@lodderstedt.net> Mon, 30 September 2019 15:59 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5630B120813 for <oauth@ietfa.amsl.com>; Mon, 30 Sep 2019 08:59:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level:
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id my-E12KerWCH for <oauth@ietfa.amsl.com>; Mon, 30 Sep 2019 08:59:46 -0700 (PDT)
Received: from smtprelay05.ispgateway.de (smtprelay05.ispgateway.de [80.67.31.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0F6F1200DB for <oauth@ietf.org>; Mon, 30 Sep 2019 08:59:45 -0700 (PDT)
Received: from [73.202.53.104] (helo=[10.0.0.153]) by smtprelay05.ispgateway.de with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) (envelope-from <torsten@lodderstedt.net>) id 1iEy5O-0000pr-EK; Mon, 30 Sep 2019 17:59:42 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <D8EA88AE-55D1-498E-BAE4-022B7139E0E1@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_4BFFEDE1-9B53-4236-9D71-24042BA7EA29"; protocol="application/pkcs7-signature"; micalg="sha-256"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Mon, 30 Sep 2019 08:59:39 -0700
In-Reply-To: <CA+k3eCRJho42cYGG1OfHvRg1CdTH3W8peFHnZtFrsB5Fsvru2A@mail.gmail.com>
Cc: Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
References: <156906284888.22977.8893219801768603786.idtracker@ietfa.amsl.com> <1842D9CD-1B5B-420A-AA43-7B30F3CE13B8@lodderstedt.net> <CAGBSGjqdrCOZAu_2VvtjHVD+rBEK+0B86wNjoyXiQKAwS2Q4hA@mail.gmail.com> <BB0AE29D-5CD0-4441-B3B6-FEB6D3F749EE@mit.edu> <CA+k3eCRJho42cYGG1OfHvRg1CdTH3W8peFHnZtFrsB5Fsvru2A@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/mvQvcJY4aKwsFj4yOrlaj7VkorQ>
Subject: Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-par-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Sep 2019 15:59:49 -0000

What if PAR would use another parameter? It could even return the actual authorization URL.

> On 30. Sep 2019, at 08:45, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
> 
> 
> 
> On Thu, Sep 26, 2019 at 10:50 AM Justin Richer <jricher@mit.edu> wrote:
>>  If, for whatever reason, it is required that this value is
>> actually a URI, is there some expected namespace to use other than
>> "example"? I worry that if all the examples in the spec are just
>> "urn:example:bwc4JK-ESC0w8acc191e-Y1LTC2" then developers will end up
>> using the text "example" because they don't understand why it's there,
>> and then it serves no purpose really.’
> 
> This field must be a URI, as per JAR:
> 
>    request_uri  The absolute URI as defined by RFC3986 [RFC3986
> ] that
>       points to the Request Object (
> Section 2.1
> ) that holds
>       authorization request parameters stated in 
> section 4
>  of OAuth 2.0
>       [
> RFC6749
> ].
> 
> Somewhat awkwardly, the JAR spec currently states that the AS has to do an HTTP GET on the request URI, so that will need to be fixed in JAR before it goes forward. I don’t think that was always the case though, and I’m not sure how that changed. 
> 
> JAR does have a somewhat awkward allowance for not doing a GET in https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-19#section-5.2.3 saying an AS "MUST send an HTTP "GET" request to the request_uri to retrieve the referenced Request Object, unless it is stored in a way so that it can retrieve it through other mechanism securely." 
> 
> So I'm guessing maybe nothing actually changed but it's just hard to find in the document.
> 
>  
> As for the namespace, “example” is ok for an example URN. The problem with URNs is that nobody really understands how to do domain-safe fully compliant URNs. So perhaps we should instead use “urn:fdc:example.com:….” Instead (as per https://tools.ietf.org/html/rfc4198). 
> 
> Something else to consider additionally or alternately is that the document could provide some suggestions/guidance or even requirements on the structure of the URN for this self referential case. It could, for example, use the RFC6755 subnamespace and registry and be of the form urn:ietf:params:oauth:request_uri:<handle> or urn:ietf:params:oauth:request_uri;<handle> or urn:ietf:params:oauth:request_uri?value=<handle> or urn:ietf:params:oauth:request_uri#<handle> or however the proper way to do that would be.
> 
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth