Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resource-indicators-02
Roman Danyliw <rdd@cert.org> Wed, 17 July 2019 21:13 UTC
Return-Path: <rdd@cert.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A27AE120116 for <oauth@ietfa.amsl.com>; Wed, 17 Jul 2019 14:13:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pCGZUwREHxyl for <oauth@ietfa.amsl.com>; Wed, 17 Jul 2019 14:13:14 -0700 (PDT)
Received: from taper.sei.cmu.edu (taper.sei.cmu.edu [147.72.252.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1BEB1200FD for <oauth@ietf.org>; Wed, 17 Jul 2019 14:13:13 -0700 (PDT)
Received: from korb.sei.cmu.edu (korb.sei.cmu.edu [10.64.21.30]) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id x6HLDCsZ007274 for <oauth@ietf.org>; Wed, 17 Jul 2019 17:13:12 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu x6HLDCsZ007274
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1563397992; bh=XDzTnRgkPAII2XBoENs8MGtyaD+qBOqf1Qe6vF9B1go=; h=From:To:Subject:Date:References:In-Reply-To:From; b=rETuku1evRf4bUtO6CWLiHnOPh6fQ7u9deijX/Ie+PfScHz1CZF7PdzNUWd50ajky NwscD6885NvAl+DQqqC0XUJSQORlSQ1B0XK9JOC5Uih3wiBud94kcVIkhMdedV1I7Z D533s1uddV94Ui6wYBCg6AF3g0WTfhKs9atGz7UQ=
Received: from CASSINA.ad.sei.cmu.edu (cassina.ad.sei.cmu.edu [10.64.28.249]) by korb.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id x6HLD8lS017367 for <oauth@ietf.org>; Wed, 17 Jul 2019 17:13:08 -0400
Received: from MARCHAND.ad.sei.cmu.edu ([10.64.28.251]) by CASSINA.ad.sei.cmu.edu ([10.64.28.249]) with mapi id 14.03.0439.000; Wed, 17 Jul 2019 17:13:08 -0400
From: Roman Danyliw <rdd@cert.org>
To: "'oauth@ietf.org'" <oauth@ietf.org>
Thread-Topic: AD Review: draft-ietf-oauth-resource-indicators-02
Thread-Index: AdU8LNOah0VUVvCrRz+gltwjhgJkfgAs5qCA
Date: Wed, 17 Jul 2019 21:13:07 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC01B33D76EF@marchand>
References: <359EC4B99E040048A7131E0F4E113AFC01B33D6046@marchand>
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFC01B33D6046@marchand>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pCxckPi2hTJgrSIS5a7ySZX0DFE>
Subject: Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resource-indicators-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2019 21:13:16 -0000
Hi!
I forgot one more thing about this draft after re-reading draft-ietf-oauth-token-exchange.
Per the IANA action in Section 4.1, I need help understanding on the thinking to resolve this TODO:
o Parameter usage location: authorization request, token request
[[TODO: draft-ietf-oauth-token-exchange will have already
registered this for 'token request' and this draft has a more
generalized usage and needs to somehow either update that
registration or do a partial registration and reference]]
o Change controller: IESG
o Specification document(s): [[ this specification ]]
My read of draft-ietf-oauth-token-exchange it that it defines 'resource' for 'token exchange'. This draft (draft-ietf-oauth-resource-indicators) has guidance on 'resource' for 'authorization request' but also additional guidance for 'token request'. Is the token guidance request stated here applicable to draft-ietf-oauth-token-exchange too (i.e., is the text effectively saying oauth-resource-indicators updates oauth-token-exhange)? I ask because these drafts don't reference each other.
Correct me because there is likely a history, but it seems the TODO is that there is a dependency to resolve and a need to coming up with a way to signal in the registry which draft should be read for what usage location. Could draft-ietf-oauth-resource-indicators officially register 'resource'; and instead of draft-ietf-oauth-token-exchange including the text defining 'resource' in Section 2.1, it would make a normative reference to Section 2 of draft-ietf-oauth-resource-indicators?
Roman
> -----Original Message-----
> From: Roman Danyliw
> Sent: Tuesday, July 16, 2019 7:23 PM
> To: oauth@ietf.org
> Subject: AD Review: draft-ietf-oauth-resource-indicators-02
>
> Hi!
>
> The following is my AD review of draft-ietf-oauth-resource-indicators-02.
> The document is in good shape.
>
> (1) Section 2. Per "The parameter can carry the location of a protected
> resource, typically as an https URL, or a more abstract identifier", is this
> "abstract identifier" still an absolute URI per Section 4.3 of RFC3986?
>
> (2) Section 2.2. in the sentence "To the extent possible, when issuing access
> tokens, the authorization server should adapt the scope value associated
> with an access token to the value the respective resource is able to process
> and needs to know":
>
> -- is this language suggesting that the authorization server is modifying the
> scope value based on the resource it sees? I'm trying to understand what
> "adapt" means, especially in relation to the improved security and privacy the
> subsequent sentence suggests.
>
> -- (Depending on the above) Is there a security consideration here for the
> server relative to confidential scope values and how they might be modified?
>
> (3) Editorial
> ** Section 1 and 2.1. Multiple Typo. s/the the/the/g
>
> ** Section 2. Editorial. s/resource at which/resource to which/
>
> ** Section 2. Editorial.
> s/ And can also be used to inform the client that it has requested an invalid
> combination of resource and scope./ It can also be used to inform the client
> that it has requested an invalid combination of resource and scope./
>
> ** Section 2.1. Multiple Typo. s/an an/an/g
>
> ** Section 2.2. Editorial. s/token request and response/token request
> (Figure 3) and response (Figure 4)/
>
> ** Section 3. Typo. s/a invalid/an invalid/
>
> ** Section 3. Missing words. "A bearer token that has multiple intended
> recipients (audiences) can be used by any one of those recipients at any
> other." Is it protected resource?
- [OAUTH-WG] AD Review: draft-ietf-oauth-resource-i… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Brian Campbell
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Brian Campbell
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Brian Campbell
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Brian Campbell
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Brian Campbell
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Brian Campbell
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw