Re: [OAUTH-WG] We appear to still be litigating OAuth, oops

Justin Richer <> Fri, 26 February 2021 13:16 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 678983A0597 for <>; Fri, 26 Feb 2021 05:16:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 3Rr2zY7aofRn for <>; Fri, 26 Feb 2021 05:16:21 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7A0E83A046B for <>; Fri, 26 Feb 2021 05:16:21 -0800 (PST)
Received: from [] ( []) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by (8.14.7/8.12.4) with ESMTP id 11QDGGmg025699 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 26 Feb 2021 08:16:17 -0500
From: Justin Richer <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_DC8F432B-A9B8-40C6-94D6-10935E063B14"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Date: Fri, 26 Feb 2021 08:16:16 -0500
In-Reply-To: <>
To: Evert Pot <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <>
X-Mailer: Apple Mail (2.3608.
Archived-At: <>
Subject: Re: [OAUTH-WG] We appear to still be litigating OAuth, oops
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 26 Feb 2021 13:16:24 -0000

> On Feb 25, 2021, at 2:59 PM, Evert Pot <> wrote:
> On 2021-02-25 3:41 a.m., Seán Kelleher wrote:
>> Yep, this is the big point - OAuth is designed to require the the third leg of trust that creates the NxM problem.
>> I believe the snippet of Justin's that you quoted actually shows you how you can forgo the trust element using dynamic client registration. It still allows a "server" to identify requests and impose security policies via the client ID, but without requiring the client author to manually register the client in advance of using it (e.g. in the case where the client author doesn't even know what servers the client is going to be connecting to). You still need the client ID, but anyone can get one whenever they need it.
> Apologies if this a dumb question, but how would you discover the dynamic client registration endpoint after getting a 401 unauthorized?
> I couldn't really find anything in RFC7591 about this.
We deliberately left that level of discovery out of the registration spec (7591) because, as it turns out, RS-first discovery is a lot harder than it looks on the surface. There are some tricky privacy considerations around divulging an AS to an unknown party, and while not a dead-stop there you’ve got a lot of use cases where it hurts more than it helps.

In the end, we decided not to solve those aspects together and leave discovery for another spec. I think the call made sense at the time. Now, obviously, this assumption goes halfway out the window when you start doing the registration programmatically, and so discovery on a static relationship vs. discovery on a dynamic relationship are pretty different. 

We’re taking a different approach in GNAP, based on work that was done in User Manage Access (UMA): <>

Caveat, there are still a lot of open questions about the details of this, the focus in GNAP has been on the core delegation protocol so far, but it’s on our radar and we welcome the input.

And then there’s the considerations about hooking up more RS’s in real time, or even having the user/client SPECIFY the AS for the RS to talk to. So ultimately it’s an NxMxP problem, with client, AS, and RS in each slot varying differently depending on the API in question. In most OAuth use cases, the AS and RS have a pre-existing relationship that the client doesn’t know or care about. The client’s just trying to “call this API” and so it gets configured with all the bits it needs to ahead of time when it gets registered. But with a common API, like POP or IMAP, the client just needs to know how to get to the next step to keep going. 

This is one thing I’ve found security engineers simply Do Not Get more often than not: client developers don’t care about your security protocol. Your security is what gets in the way of them doing what they want to do, which is use the API and build an awesome thing. The simpler-to-follow we can make the security process, the better it will be for everyone.

 — Justin