Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt
Dale Olds <olds@vmware.com> Thu, 24 July 2014 16:32 UTC
To: oauth@ietf.org
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/pP_22lWwUpbpxSHJNacHeISZUXY
Phil,

I thoroughly enjoy working with you whenever I can, and I really liked your work on SCIM, but from the perspective of the web developers I work with, I have a few concerns about what you wrote:

1. Developer experience and usability of the standards

You keep mentioning that web developers are demanding the new spec because they don't understand/use OAuth2 properly. I estimate that most people on this thread know web developers that they can claim to represent -- so I'd rather hear what you think and why.

From my reading, the rough consensus appears to be that everyone agrees that OIDC and OAuth2 could be improved, and better developer experience is one of those improvements. However, after reading your draft (basically because of Ian's presentation) it does appear to me that some minor changes/additions to OIDC would suffice. Personally, I don't see the requirement to NOT return an access token as significant or even desirable in most use cases. I'd rather focus on the one point in 30 years where the industry has agreed on a core identity stack (OAuth2/OIDC/SCIM) and move on to adoption and improved developer education/experience.

2. Standards bodies, corporations, and IPR issues

John's suggestion to link OIDC and an IETF draft for the minor additions sounds reasonable as well, but, from my limited recent involvement, it brings up a MUCH more concerning issue. I've always associated IETF as the primary example of successful standards that are not overly influenced by useless specs and large corporations. Interestingly, overlarge, unnecessary specs and large corporations tend to go together. Is the real issue here that some large corporations object to OIDF IPR policy or weren't in the initial bandwagon -- so they must drive another spec? Really? Is this just WS-Fed vs SAML again?

Personally, I'd hate to see the great individualistic, running-code, rough-consensus body of the IETF do unnecessary (and market confusing) work to satisfy a few lawyers' comfort zone.

--Dale

On 07/24/2014 08:57 AM, Phil Hunt wrote:
> Nat,
>
> You don't have to convince me.
>
> You have to sell all the people not implementing OpenID who think OAuth is sufficient.
>
> I agree A4C is currently too long. I think Mike and John may be on to something even better.
>
> Phil
>
> On Jul 24, 2014, at 11:50, Nat Sakimura <sakimura@gmail.com> wrote:
>
>> 2014-07-24 10:30 GMT-04:00 Phil Hunt <phil.hunt@oracle.com>:
>>
>>> I'm not at all saying that OpenID is bad. If you want an IDP, it's fine. But if all a client wants is authentication, they think why can't I just use RFC6749?
>>
>> If all one wants is to build a simple client, there is a standing document called OpenID Connect Basic Client Implementer's Guide 1.0.
>>
>> It is a profile that deals only with the 'code' flow.
>> Size-wise, it is 32 pages. The breakdown is approximately as below:
>>
>> Abstract, Intro, ToC - 2.5 pages
>> Terminology - 1.5 pages
>> Getting ID Token - 9 pages
>> ID Token Validation - 1 page (Seems missing from a4c draft?)
>> Userinfo Endpoint - 7 pages
>> Serializations - 1 page (missing in a4c?)
>> String Operations etc. - 1 page (missing in a4c?)
>> Considerations - 2 pages (very brief in a4c)
>> References, Acknowledgement - 2 pages
>> Document History etc. - 7 pages
>>
>> The a4c draft is 14 pages long. It will be longer than this in the end as it is missing a bunch of things.
>> The comparable portion of the Basic Client Profile is 14 pages or so.
>>
>> Just one data point.
>>
>> --
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth