IETF Logo Mail Archive

Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and bearer tokens

John Bradley <ve7jtb@ve7jtb.com> Thu, 06 June 2013 16:54 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9027421F99D3 for <oauth@ietfa.amsl.com>; Thu, 6 Jun 2013 09:54:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[AWL=-0.699, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gwX6IpHLHidn for <oauth@ietfa.amsl.com>; Thu, 6 Jun 2013 09:54:07 -0700 (PDT)
Received: from mail-bk0-x229.google.com (mail-bk0-x229.google.com [IPv6:2a00:1450:4008:c01::229]) by ietfa.amsl.com (Postfix) with ESMTP id 4A7C121F9A0D for <oauth@ietf.org>; Thu, 6 Jun 2013 09:53:56 -0700 (PDT)
Received: by mail-bk0-f41.google.com with SMTP id jc3so1736203bkc.0 for <oauth@ietf.org>; Thu, 06 Jun 2013 09:53:50 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to:x-mailer:x-gm-message-state; bh=CgH3mo7q8r4pU8BazQkc6zAc1hkVpZZVBr8i6WzFRdU=; b=dtxM85OyE3YC2+/01+IeegJBIBQg+a+2qEYOVhosi2hGtZmP1hCwxpPU6S0wR+dmmI z6d0MPHBCt9sqQM1d6MkE1AnWpQ9iYXVCPTCdHpH1HxPJd4sRd1uySz1QQO6YqF5wHDN OjBan9lng3yngsRL3kPGAK1gxi183tDR2G8rcyIlsBuCg7JR6oJE05WVoz65gFECAC5J Sfo0B5xqbRjBbgymdQ04wIvGPpMQSXb7ZFWf8MZSNwHPFVdu+u2Tp/n2S3W90kZTkINh YVEXMBu4FlcQk1hGu89u5Kv9zZto3kfZGjf7a6i+SnrxjFcdsB+iunpz+zMPmhWAOhaz EmAA==
X-Received: by 10.204.235.129 with SMTP id kg1mr11176830bkb.28.1370537630485; Thu, 06 Jun 2013 09:53:50 -0700 (PDT)
Received: from [10.87.159.63] ([88.128.80.6]) by mx.google.com with ESMTPSA id j8sm28576675bky.17.2013.06.06.09.53.35 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 06 Jun 2013 09:53:49 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_EC8D9D4D-BD58-424C-84B3-31F5CA89931E"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E1151B106382@WSMSG3153V.srv.dir.telstra.com>
Date: Thu, 06 Jun 2013 18:53:26 +0200
Message-Id: <D5110B89-BBA2-4BE2-B63E-0E621966EA47@ve7jtb.com>
References: <20130524203638.25945.84709.idtracker@ietfa.amsl.com> <51A7ADAE.4070005@mitre.org> <62636DE9-80BD-4B83-817B-3E6622434FD0@oracle.com> <51A7C00B.6050409@mitre.org> <78BAEE23-FB66-4BA5-A1A5-5626D22AA014@oracle.com> <B33BFB58CCC8BE4998958016839DE27E08F97708@IMCMBX01.MITRE.ORG> <18C751E2-31B2-4C7F-BC9A-49F382F96673@oracle.com> <77A0DA5E-09CE-4A5E-9500-54A0842252FB@oracle.com> <F293690C-1E82-4350-80D4-2E2C0EF86E55@oracle.com> <51A8C0ED.6040607@mitre.org> <87E1F74D-9CCA-4330-82D6-AB3D9B8EF48D@oracle.com> <F319CA95-B5A8-4BD5-A8BA-F57BCBA6806B@oracle.com> <51A8E0BD.9090908@mitre.org> <521EB2A2-C786-43BE-9449-A12324347E6D@oracle.com> <002701ce5e33$620faaa0$262effe0$@reminetworks.com> <0561023C-4AFC-4281-BC62-764C12EC763D@oracle.com> <51A8FCA6.9050109@mitre.org> <004401ce5e3a$01854b70$048fe250$@reminetworks.com> <CA+ZpN24S9fEfFsgMtu8pN-ct-100+HVSHAfqO4Yy2SksrYt1eA@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E1151B105DA5@WSMSG3153V.srv.dir.telstra.com> <CA+ZpN25_tguPtPDktm M8q=72EgnesignTuWE19wi61gCTLLL_g@mail.gmail.com> <1373E8CE237FCC43BCA36C6558612D2A9F26D0@USCHMBX001.nsn-intra.net> <919FB49B-2705-42E4-B5C3-B433C3F81C7F@ve7jtb.com> <1373E8CE237FCC43BCA36C6558612D2A9F2764@USCHMBX001.nsn-intra.net> <92B2D90A-59A9-4EC0-93DB-7E226F3C4018@ve7jtb.com> <255B9BB34FB7D647A506DC292726F6E1151B106382@WSMSG3153V.srv.dir.telstra.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
X-Mailer: Apple Mail (2.1503)
X-Gm-Message-State: ALoCoQlRxkheQ0Ov7ydOm1bKTzI44og9Ng9IG+nGLXrZzfdmGo1ZIJTuXJcu55tLYVwx+Lmo/85r
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and bearer tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jun 2013 16:54:10 -0000

We haven't defined the various proof of possession tokens yet.  It may be that there are different registration requirements for clients being issued those tokens.

It is possible that the client must have registered and pushed a public key to the AS before it is issued a HoK token.

It may be just fine, but I can't certain of that until we define the other token types.  

What we do know is that what is proposed is in production across multiple providers, and we are gaining experience with it on some of the things that didn't work like using the client's token endpoint credential for updating the registration information.

Extensibility is good but the new token types will have there own issues that will need to be addressed in a profile.
It is not enough to say any OAuth token type can be used without a profile, because people will come back and say how is that interoperable?

Especially if we are issuing HoK tokens to clients we will likely want a way to register the public key of the client.  We don't have that yet as there is no asymmetric HoK token yet.
Once there is then we do an extension of registration to cover it.

We have people going into production soon so we can't wait for every possible token type to be defined.

John B.


On 2013-06-06, at 4:48 PM, "Manger, James H" <James.H.Manger@team.telstra.com> wrote:

> John,
>  
> Why is the circularity of registration any different for a non-bearer scheme?
>  
> A developer browsing a service portal can grab an id & secret, just as easily as grabbing a bearer token, to configure into an app as the initial access token.
> A client registration endpoint can return an id & secret, just as easily as returning a bearer token, for the client to use as the registration access token.
>  
> OAuth 2 defines a JSON format for conveying an access token [RFC6749 “OAuth 2.0” section 5.1. “Issuing an access token: Successful Response”]. That might be a better syntax for an app to expect when receiving an initial access token and a registration access token, given it needs to understand that format for “real” access tokens anyway.
>  
> > Having a mandatory-to-implement mechanism in place is certainly useful
>  
> Registration supporting the same mechanism an app will use with “real” access tokens (whatever that is for this AS) would be even more useful.
>  
> --
> James Manger
>  
> From: John Bradley [mailto:ve7jtb@ve7jtb.com] 
> Sent: Thursday, 6 June 2013 7:22 PM
> To: Tschofenig, Hannes (NSN - FI/Espoo)
> Cc: ext Tim Bray; Manger, James H; oauth@ietf.org
> Subject: Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and bearer tokens
>  
> On the face of it I think adding proof of possession aught to be possible.   The hard part will be that those mechanisms assume a registered client.
>  
> I think the trick will be not crating a circular registration problem.    Adding the other token types to the RS will be simple in comparison.
>  
> John B.
>  
> On 2013-06-06, at 10:57 AM, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
> 
> 
> That’s fair, John.
>  
> Having a mandatory-to-implement mechanism in place is certainly useful. Pushing stronger security mechanisms to other specifications is also fine. It would be good to re-read the document to see whether we can actually fit the currently worked on security mechanisms into the spec at a later stage or whether there are some problems with the extensibility story.
>  
> Ciao
> Hannes
>  
> From: ext John Bradley [mailto:ve7jtb@ve7jtb.com] 
> Sent: Thursday, June 06, 2013 11:54 AM
> To: Tschofenig, Hannes (NSN - FI/Espoo)
> Cc: ext Tim Bray; Manger, James H; oauth@ietf.org
> Subject: Re: [OAUTH-WG] draft-ietf-oauth-dyn-reg and bearer tokens
>  
> There are a couple of reasons.    
>  
> One criticism Hannes and others make of OAuth specs is they are not tightly profiled enough to be interoperable without further out of band configuration and profiling.
>  
> Making registration work with minimal ambiguity was a priority for Connect and that has carried over.
>  
> I am not opposed to having this extended at some point in the future, once we have a second token type.   The new token type should be available to do updates as well.
>  
> The problem is that starting down the HoK route potentially requires a registered client that may need to be registered to do the registration.   
> I think that is best left to another spec to sort out the possible turtles.
>  
> So the default needs to be bearer tokens unless registration is extended by another profile.
>  
> John B.
> On 2013-06-06, at 10:15 AM, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
> 
> 
> 
> Because bearer tokens have a stable RFC-numbered spec and are widely implemented and the registration flow as documented seems like it should work?  -T
>  
> That’s the answer for why there is support for bearer tokens but it is not the answer to why that’s the only supported mechanism.
> If we want to support stronger security mechanisms (which the group has decided to work on already) then we need to have a story on how to support the other mechanisms as well .

v2.23.0 | Report a Bug | By Email