Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

Nat Sakimura <sakimura@gmail.com> Fri, 11 March 2016 02:25 UTC

In-Reply-To: <64D743EA-3F8D-403B-B05E-74539124A847@oracle.com>
References: <56C5C9D5.6040703@gmx.net> <D5D8B85B-68E6-4E88-89F7-88E6851381E4@adm.umu.se> <CA+k3eCQOX6DgiJFp4b0A8R0boVQxVwGJP2-dY8_TbrCpJowOtw@mail.gmail.com> <56E19B6D.6060509@connect2id.com> <64D743EA-3F8D-403B-B05E-74539124A847@oracle.com>
Date: Fri, 11 Mar 2016 11:24:59 +0900
Message-ID: <CABzCy2D0P0NZW573g6NG3yYtbdVBifio=4hZi4QkYc3EKxOV5Q@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/nhz3bNPepvquY8fFG-BrevQdM00>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

Phil,

Right. So what my conditional approvals (11 conditions in total) said was
to drop the word "discovery" from everywhere. This is not a discovery spec.
This is a configuration lookup spec, as you correctly point out. So, I am
with you here.

Also, my 2nd condition is essentially saying to drop section 3.

One thing that I overlooked and am with you on is that we need to be able to
express the AS-RS relationships. I have been preaching this in the other
thread so many times, as you know, so I thought I had pointed it out, but
apparently missed it in my previous comment. So, I would add my 12th
condition:

12. A way to express a list of valid RSs for this AS needs to be added to
section 2.

Best,

Nat

2016-03-11 2:09 GMT+09:00 Phil Hunt (IDM) <phil.hunt@oracle.com>:

> I strongly oppose. 2 major issues.
>
> This is not service discovery; this is configuration lookup. The client
> must have already discovered the OAuth issuer URI and the resource URI.
>
> The objective was to provide a method to ensure the client has a valid set
> of endpoints to prevent mitm of endpoints like the token endpoint to the
> resource server.
>
> The draft does not address the issue of a client being given a bad
> endpoint for an rs. What we end up with is a promiscuous authz service
> giving out tokens to an unwitting client.
>
> Phil
>
> On Mar 10, 2016, at 08:06, Vladimir Dzhuvinov <vladimir@connect2id.com>
> wrote:
>
> +1 to move forward with these
>
> On 10/03/16 17:35, Brian Campbell wrote:
>
> +1
>
> On Thu, Mar 10, 2016 at 6:04 AM, Roland Hedberg <roland.hedberg@umu.se>
> wrote:
>
>
> I support this document being moved forward with these two changes:
>
> - change name to "OAuth 2.0 Authorization Server Discovery Metadata" as
> proposed by Brian and
> - use the URI path suffix 'oauth-authorization-server' instead of
> 'openid-configuration' as proposed by Justin.
>
>
> On 18 Feb 2016 at 14:40, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>
> Hi all,
>
> This is a Last Call for comments on the OAuth 2.0 Discovery specification:
>
> https://tools.ietf.org/html/draft-ietf-oauth-discovery-01
>
> Since this document was only adopted recently we are running this last
> call for **3 weeks**.
>
> Please have your comments in no later than March 10th.
>
> Ciao
> Hannes & Derek
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> — Roland
>
> "Everybody should be quiet near a little stream and listen."
> From 'Open House for Butterflies' by Ruth Krauss
>
>
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
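An added example (not code from this thread or from the draft) of the client-side checks Phil and Nat are arguing for: a client that already knows the issuer builds the configuration lookup URL, refuses endpoints that are not on the issuer's https origin (so a swapped token endpoint is rejected rather than used), and checks a hypothetical `resource_servers` list standing in for Nat's 12th condition. The well-known suffix is the one proposed in the thread; the path construction rule, the host-pinning policy and the `resource_servers` field are assumptions.

```python
import json
from typing import List, Optional
from urllib.parse import urlsplit, urlunsplit

# Well-known suffix as proposed in this thread; appending it to the issuer path is an assumption.
WELL_KNOWN_SUFFIX = "/.well-known/oauth-authorization-server"
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "revocation_endpoint")

def metadata_url(issuer: str) -> str:
    """Build the lookup URL from an issuer URI the client already knows (no discovery)."""
    p = urlsplit(issuer)
    if p.scheme != "https" or p.query or p.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    return urlunsplit((p.scheme, p.netloc, p.path.rstrip("/") + WELL_KNOWN_SUFFIX, "", ""))

def check_metadata(doc: str, expected_issuer: str, wanted_rs: Optional[str] = None) -> List[str]:
    """Return the reasons this metadata must not be trusted (empty list means accept)."""
    md = json.loads(doc)
    problems = []
    if md.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {md.get('issuer')!r} != {expected_issuer!r}")
    iss_host = urlsplit(expected_issuer).hostname
    for key in ENDPOINT_KEYS:
        url = md.get(key)
        if url is None:
            continue
        p = urlsplit(url)
        if p.scheme != "https":
            problems.append(f"{key} is not https: {url}")
        # Policy assumption: every endpoint must live on the issuer's host.
        elif p.hostname != iss_host:
            problems.append(f"{key} host {p.hostname!r} differs from issuer host {iss_host!r}")
    if wanted_rs is not None:
        # 'resource_servers' is a hypothetical field standing in for Nat's 12th
        # condition (a list of valid RSs for this AS); it is not in draft-01.
        valid = md.get("resource_servers")
        if not isinstance(valid, list):
            problems.append("no resource_servers list: AS-RS relationship cannot be confirmed")
        elif wanted_rs not in valid:
            problems.append(f"resource {wanted_rs} is not listed as valid for this AS")
    return problems

# Constructed sample documents (not from any real AS).
GOOD_DOC = json.dumps({"issuer": "https://as.example.com", "jwks_uri": "https://as.example.com/jwks",
                       "authorization_endpoint": "https://as.example.com/authorize",
                       "token_endpoint": "https://as.example.com/token", "resource_servers": ["https://api.example.com"]})
BAD_DOC = json.dumps({"issuer": "https://as.example.com", "authorization_endpoint": "https://as.example.com/authorize",
                      "token_endpoint": "https://evil.example.net/token", "jwks_uri": "http://as.example.com/jwks"})
```

Running `check_metadata(BAD_DOC, "https://as.example.com", "https://api.example.com")` reports the foreign token endpoint, the plain-http jwks_uri and the missing RS list; the good document yields an empty list.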