IETF Logo Mail Archive

Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt

Dale Olds <olds@vmware.com> Thu, 24 July 2014 16:32 UTC

Return-Path: <olds@vmware.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77F1C1A01E7 for <oauth@ietfa.amsl.com>; Thu, 24 Jul 2014 09:32:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.912
X-Spam-Level:
X-Spam-Status: No, score=-4.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1ALGIZQX_tEa for <oauth@ietfa.amsl.com>; Thu, 24 Jul 2014 09:32:41 -0700 (PDT)
Received: from smtp-outbound-1.vmware.com (smtp-outbound-1.vmware.com [208.91.2.12]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2CD841A0282 for <oauth@ietf.org>; Thu, 24 Jul 2014 09:32:41 -0700 (PDT)
Received: from sc9-mailhost1.vmware.com (sc9-mailhost1.vmware.com [10.113.161.71]) by smtp-outbound-1.vmware.com (Postfix) with ESMTP id 06A0A28180 for <oauth@ietf.org>; Thu, 24 Jul 2014 09:32:38 -0700 (PDT)
Received: from EX13-CAS-005.vmware.com (EX13-CAS-005.vmware.com [10.113.191.55]) by sc9-mailhost1.vmware.com (Postfix) with ESMTP id 02B2018E53 for <oauth@ietf.org>; Thu, 24 Jul 2014 09:32:38 -0700 (PDT)
Received: from EX13-MBX-025.vmware.com (10.113.191.45) by EX13-MBX-012.vmware.com (10.113.191.32) with Microsoft SMTP Server (TLS) id 15.0.775.38; Thu, 24 Jul 2014 09:32:32 -0700
Received: from [192.168.0.24] (10.113.160.246) by EX13-MBX-025.vmware.com (10.113.191.45) with Microsoft SMTP Server (TLS) id 15.0.775.38; Thu, 24 Jul 2014 09:32:14 -0700
Message-ID: <53D1350C.7020908@vmware.com>
Date: Thu, 24 Jul 2014 09:32:12 -0700
From: Dale Olds <olds@vmware.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: oauth@ietf.org
References: <201407221830.s6MIUYrf031075@outgoing.mit.edu> <6859A770-F6D2-4481-BD5F-2E73779BC745@ve7jtb.com> <4E1F6AAD24975D4BA5B16804296739439ADDE116@TK5EX14MBXC294.redmond.corp.microsoft.com> <CABzCy2Ar_pJt30ctP6hQ47rpSUGMh-+rrYssWe+XFNY73dA_YQ@mail.gmail.com> <CAEayHENLvazYAcu==_3CM9x91DDqhHngtSarm4_qBu5Zf_-ipw@mail.gmail.com> <B3031E2C-8F1E-4DEC-B739-2F! 2FFC349D39@lodderstedt.net> <B86C4C6C-AC24-45DF-A3B4-F8D1A88BC64A@ve7jtb.com> <d4b20f338a298530b4a3430386502d25@lodderstedt.net> <1E5B5066-E619-4965-B941-62C2CD72A37E@ve7jtb.com> <CABzCy2Dmms4MGTsuQkzu3uQGChLtNDKQREo1_S7UwfaW3hQnqA@mail.gmail.com> <CA+k3eCSiwB3pC5j+zFgrLHg7DdnWMjdJ7VVfY=NWbeY-3ndoyA@mail.gmail.com> <9dbf8c7384e341a08334a9ee093697f8@BLUPR03MB309.namprd03.prod.outlook.com> <CA+k3eCTFpOyM78r7NAY=LVbYgdYC5dXUP4ej9i1ZUT6m_rO8PQ@mail.gmail.com> <45D858DE-6F5E-46D4-828C-9C4C80C3AC2A@oracle.com> <CABzCy2Da1P1GJ8jfUvQZ3dGFGgUwCMGbetX0CQvnsa3jFxAFbA@mail.gmail.com> <5BB520C5-EBBB-41A7-8D1A-0ED48DE44E21@oracle.com>
In-Reply-To: <5BB520C5-EBBB-41A7-8D1A-0ED48DE44E21@oracle.com>
Content-Type: multipart/alternative; boundary="------------090702080807020509010009"
X-Originating-IP: [10.113.160.246]
X-ClientProxiedBy: EX13-CAS-013.vmware.com (10.113.191.65) To EX13-MBX-025.vmware.com (10.113.191.45)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/pP_22lWwUpbpxSHJNacHeISZUXY
Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-05.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jul 2014 16:32:47 -0000

Phil,

I thoroughly enjoy working with you whenever I can, and I really liked 
your work on SCIM, but from the perspective of the web developers I work 
with, I have a few concerns about what you wrote:

1. Developer experience and usability of the standards

You keep mentioning that web developers are demanding the new spec 
because they don't understand/use OAuth2 properly. I estimate that most 
people on this thread know web developers that they can claim to 
represent -- so I'd rather hear what you think and why.

 From my reading, the rough consensus appears to be that everyone agrees 
that OIDC and OAuth2 could be improved, and better developer experience 
is one of those improvements.

However, after reading your draft (basically because of Ian's 
presentation) it does appear to me that some minor changes/additions to 
OIDC would suffice. Personally, I don't see the requirement to NOT 
return an access token as significant or even desirable in most use cases.

I'd rather focus on the one point in 30 years where the industry has 
agreed on a core identity stack (OAuth2/OIDC/SCIM) and move on to 
adoption and improved developer education/experience.

2. Standards bodies, corporations, and IPR issues

John's suggestion to link OIDC and an IETF draft for the minor additions 
sounds reasonable as well, but, from my limited recent involvement, it 
brings up a MUCH more concerning issue. I've always associated IETF as 
the primary example of successful standards that are not overly 
influenced by useless specs and large corporations. Interestingly, 
overlarge, unnecessary specs and large corporations tend to go together.

Is the real issue here that some large corporations object to OIDF IPR 
policy or weren't in the initial bandwagon -- so they must drive another 
spec. Really? Is this just WS-Fed vs SAML again?

Personally, I'd hate to see the great individualistic, running-code, 
rough-consensus body of the IETF do unnecessary (and market confusing) 
work to satisfy a few lawyers' comfort zone.

--Dale


On 07/24/2014 08:57 AM, Phil Hunt wrote:
> Nat,
>
> You don't have to convince me.
>
> You have to sell all the people not implementing OpenId who think 
> OAuth is sufficient.
>
> I agree A4C is currently too long. I think Mike and John may be on to 
> something even better.
>
> Phil
>
> On Jul 24, 2014, at 11:50, Nat Sakimura <sakimura@gmail.com 
> <mailto:sakimura@gmail.com>> wrote:
>
>>
>> 2014-07-24 10:30 GMT-04:00 Phil Hunt <phil.hunt@oracle.com 
>> <mailto:phil.hunt@oracle.com>>:
>>
>>     I’m not at all saying that OpenID is bad. If you want an IDP, its
>>     fine.  But if all a client wants is authentication, they think
>>     why can’t I just use RFC6749?
>>
>>
>> If all what one wants is to build a simple client, there is a 
>> standing document called OpenID Connect Basic Client Implementer's 
>> Guide 1.0.
>>
>> It is a profile that deals only the 'code' flow.
>> Size-wise, it is 32 pages. The break down are as below approximately:
>>
>> Abstract, Intro, ToC - 2.5 pages
>> Terminology - 1.5 pages
>> Getting ID Token - 9 pages
>> ID Token Validation - 1 page (Seems missing from a4c draft?)
>> Userinfo Endpoint - 7 pages
>> Serializations - 1 page (missing in a4c?)
>> String Operations etc. - 1 pages (missing in a4c?)
>> Considerations - 2 pages (very brief in a4c)
>> References, Acknowledgement - 2 pages
>> Document History etc. - 7 pages
>>
>> The a4c draft is 14 pages long. It will be longer than this in the 
>> end as it is missing bunch of things.
>> The comparable portion of the Basic Client Profile is 14 pages or so.
>>
>> Just one data point.
>>
>> -- 
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/ 
>> <https://urldefense.proofpoint.com/v1/url?u=http://nat.sakimura.org/&k=oIvRg1%2BdGAgOoM1BIlLLqw%3D%3D%0A&r=tZSv3T50ptdrF5VJeQfPow%3D%3D%0A&m=%2FHNlBS8t0nyksP6%2BTpUnVRbQACmczqcvThYucu1ZQ2w%3D%0A&s=732c8cb2c5d1c3c9a006c865feda78fd7564d8b192d20b2c7879bb53c23d25d9>
>> @_nat_en
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://urldefense.proofpoint.com/v1/url?u=https://www.ietf.org/mailman/listinfo/oauth&k=oIvRg1%2BdGAgOoM1BIlLLqw%3D%3D%0A&r=tZSv3T50ptdrF5VJeQfPow%3D%3D%0A&m=%2FHNlBS8t0nyksP6%2BTpUnVRbQACmczqcvThYucu1ZQ2w%3D%0A&s=a9405b77aec5d4156f53d2912a337b972dbbc4ba7ebd16121efbd325de47c65a

v2.23.0 | Report a Bug | By Email