IETF Logo Mail Archive

Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!

Phil Hunt <phil.hunt@oracle.com> Wed, 14 August 2013 09:29 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A20EB21F9B90 for <oauth@ietfa.amsl.com>; Wed, 14 Aug 2013 02:29:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.235
X-Spam-Level:
X-Spam-Status: No, score=-5.235 tagged_above=-999 required=5 tests=[AWL=-0.032, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aMAQzypOgqr3 for <oauth@ietfa.amsl.com>; Wed, 14 Aug 2013 02:29:13 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 0333721F9B18 for <oauth@ietf.org>; Wed, 14 Aug 2013 02:29:12 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7E9T5bM017218 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 14 Aug 2013 09:29:06 GMT
Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7E9T3TZ018641 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 14 Aug 2013 09:29:04 GMT
Received: from abhmt118.oracle.com (abhmt118.oracle.com [141.146.116.70]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7E9T3Xs015338; Wed, 14 Aug 2013 09:29:03 GMT
Received: from [192.168.1.125] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 14 Aug 2013 02:29:02 -0700
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com> <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com> <520A472C.6040101@mitre.org> <D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com> <520A6B0D.7070103@aol.com> <520B2472.4040104@gmx.net>
Mime-Version: 1.0 (1.0)
In-Reply-To: <520B2472.4040104@gmx.net>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <D28D9D59-4A04-4C15-9357-BF30FD42900B@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Wed, 14 Aug 2013 02:29:01 -0700
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Aug 2013 09:29:20 -0000

+1 to Hannes comments. I was referring to the server issues. 

George, I believe only in the openid case and a few others would a client hold tokens to multiple endpoints of the same api. 

For the vast majority of apps, clients would be permanently associated to a single endpoint for the resource endpoint. 

That said, having multiple tokens for multiple endpoints isn't that confusing. But, having multiple tokens for EACH of multiple endpoints is confusing. 

Compound that with the fact that each api endpoint and each reg endpoint may use different types of credentials (passwords, tokens, hoks) and the client has to he pretty darn smart dealing with all the options and permutations. 

1. We need to eliminate reg access tokens as long term retained tokens. If we must have crud than use normal access tokens issued in the normal way. 

2. We need to look to change the design to reduce options at the registration endpoint The assertion swap method is one possibility. 

3. We should also consider amending 6749. For example make client id optional for implicit flow or javascript based on service provider choice. Or depend on a developer issued client id, etc. Dyn reg isn't actually improving security in these cases anyway. Why go through this much work for an identifier if it doesn't help client or server other than the ability to make a conforming call?

Phil

On 2013-08-13, at 23:32, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> George is correct with his statements. There is, however, a difference between a shared secret and an assertion as Phil pointed out. For the assertion the server does not need to maintain state on a per-client basis. On the other hand since the client secret isn't really used in the classical sense of a password either but rather as a "cookie" (if used in the style of Section 2.3.1 of RFC6749) one could easy apply the concept of stateless tokens to them:
> http://tools.ietf.org/html/draft-rescorla-stateless-tokens-01
> 
> 
> On 08/13/2013 07:21 PM, George Fletcher wrote:
>> Hi Phil,
>> 
>> I'm sorry for not following completely. Some questions inline...
>> 
>> On 8/13/13 11:00 AM, Phil Hunt wrote:
>>> Dyn reg and the scim reg variant depend too much/biased towards
>>> passwords expressed as client secrets.
>> I'm not sure what you mean in regards to "client secrets". There are
>> OAuth2 bearer tokens that need to be protected because they are bearer
>> tokens. That said, there is nothing in the spec that requires these to
>> be opaque blobs vs signed tokens. So both the "Initial Access Token" and
>> the "Registration Access Token" can be signed tokens. However, the
>> client still has to protect them as if they were a "secret" because they
>> are a bearer token and can be replayed. So it's the same amount of work
>> on the client either way.
>> 
>>> 
>>> A signed token approach has many advantages for service providers like
>>> not having to maintain a secure database of secrets/passwords.
>> If the concern here is the amount of data the Authorization Server has
>> to store to manage these clients, then the current spec doesn't preclude
>> using a "signed token". Both OAuth2 bearer tokens identified in the
>> current spec can be signed tokens.
>>> 
>>> Finally issuing both a client secret and registration token is costly
>>> and confusing to client developers.  I relented somewhat when I
>>> realized kerberos does this--but i still feel it is a bad design at
>>> cloud scale.
>> Given that client_secrets are OPTIONAL in OAuth2 for some use cases, I'm
>> not sure how you abstract the client developer from having to deal with
>> them. The client developer is going to be dealing with multiple OAuth2
>> tokens to multiple endpoints regardless so I don't see another token as
>> costly or complex. At a minimum there is the refresh_token and
>> access_token. Where is the added client developer complexity?
>> 
>> Thanks,
>> George
>> 
>>> 
>>> Phil
>>> 
>>> On 2013-08-13, at 7:48, Justin Richer <jricher@mitre.org
>>> <mailto:jricher@mitre.org>> wrote:
>>> 
>>>> The spec doesn't care where you deploy at -- if URL space is at a
>>>> premium for you, then switch based on input parameters and other
>>>> things. And you're still not clear on which "secrets" you're taking
>>>> issue with.
>>>> 
>>>> -- Justin
>>>> 
>>>> On 08/13/2013 10:46 AM, Anthony Nadalin wrote:
>>>>> 
>>>>> #1, its yet another endpoint to have to manage secrets at, yes this
>>>>> is an OAuth item but it’s growing out of control, we are trying to
>>>>> move away from secrets and management of these endpoints as this
>>>>> would be just another one we have to support, monitor and report on
>>>>> 
>>>>> #2 yes, 1 physical endpoint acting as multiple authorization servers
>>>>> 
>>>>> *From:*George Fletcher [mailto:gffletch@aol.com]
>>>>> *Sent:* Tuesday, August 13, 2013 7:40 AM
>>>>> *To:* Anthony Nadalin
>>>>> *Cc:* mike@gluu.org; Justin Richer; oauth@ietf.org
>>>>> *Subject:* Re: [OAUTH-WG] OX needs Dynamic Registration: please
>>>>> don't remove!
>>>>> 
>>>>> Hi Tony,
>>>>> 
>>>>> Could you please explain a little more?
>>>>> 
>>>>> For issue 1:
>>>>> * Which "secret" are you referring to? OAuth2 by default allows for
>>>>> an optional client_secret. I'm not sure why this would cause
>>>>> management issues? Or are you referring to the "Registration Access
>>>>> Token"?
>>>>> * Why is a separate endpoint an issue? Any client is going to be
>>>>> talking to more than just the /authorize and /token endpoints anyway
>>>>> so I'm confused regarding the extra complexity?
>>>>> 
>>>>> For issue 2:
>>>>> * What specifically do you mean by "multi-tenant"? Is this one
>>>>> server acting on behalf of multiple tenants and so appearing as
>>>>> multiple Authorization Servers?
>>>>> 
>>>>> Thanks,
>>>>> George
>>>>> 
>>>>> [snip...]
>>> 
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> --
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email