IETF Logo Mail Archive

Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 20 August 2013 05:34 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1069811E80E9 for <oauth@ietfa.amsl.com>; Mon, 19 Aug 2013 22:34:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.846
X-Spam-Level:
X-Spam-Status: No, score=-1.846 tagged_above=-999 required=5 tests=[AWL=-0.403, BAYES_00=-2.599, HELO_EQ_DE=0.35, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XN2XdZsu1M7P for <oauth@ietfa.amsl.com>; Mon, 19 Aug 2013 22:34:38 -0700 (PDT)
Received: from smtprelay06.ispgateway.de (smtprelay06.ispgateway.de [80.67.31.102]) by ietfa.amsl.com (Postfix) with ESMTP id 8E32111E80F3 for <oauth@ietf.org>; Mon, 19 Aug 2013 22:34:37 -0700 (PDT)
Received: from [80.187.106.22] (helo=[100.92.43.225]) by smtprelay06.ispgateway.de with esmtpsa (TLSv1:RC4-MD5:128) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1VBeaM-0005Ti-BR; Tue, 20 Aug 2013 07:34:34 +0200
User-Agent: K-9 Mail for Android
In-Reply-To: <B7F0A03F-4B49-4AFF-8D3E-C499A55E3BFC@oracle.com>
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net> <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com> <52122B2B.2060108@mitre.org> <3a1743927cfe423aa8abed58f6e4460a@BY2PR03MB189.namprd03.prod.outlook.com> <52123743.9020203@mitre.org> <69B1F7D8-5DE5-4D29-8027-4CC4178A00DF@oracle.com> <52123A6F.8060206@mitre.org> <21B5C872-5909-4D51-8700-B53E18C6C343@xmlgrrl.com> <B7F0A03F-4B49-4AFF-8D3E-C499A55E3BFC@oracle.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Tue, 20 Aug 2013 07:34:21 +0200
To: Phil Hunt <phil.hunt@oracle.com>, Eve Maler <eve@xmlgrrl.com>
Message-ID: <94443a60-6e82-41e4-bce9-1c4411259370@email.android.com>
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Aug 2013 05:34:42 -0000

Hi Phil,




>The assumption that client id must be issued by the sp seems wrong to
>me in many cases-- including oidc. 6749 does not make this restriction
>at all. 

What do you mean? Grant type code requires a client_id in order to identify the client at the AS's authz endpoint. Based on this data, the AS chooses the authz policy and validates the redirect_uri.

>
>Given this, a statement approach may be sufficient for many clients. No
>need for long term credential mgmt or records. 

Perhaps for clients using the token endpoint only.

regards,
Torsten.

>
>Phil
>
>On 2013-08-19, at 16:33, Eve Maler <eve@xmlgrrl.com> wrote:
>
>> Hi folks-- Just a reminder that the first draft the UMA group
>submitted on May 1, 2011 contained extensive requirements and use cases
>related to UMA's various needs for dynamic client registration:
>> 
>> http://tools.ietf.org/html/draft-hardjono-oauth-dynreg-00
>> 
>> When there was interest to pick up this draft as a WG work item, it
>was recommended that we excise this content so that the doc wouldn't be
>so specific to our particular usage of OAuth.
>> 
>> I point this out just to show that the need for dynamic client
>registration isn't limited to OpenID Connect, and that some specific
>use cases have already been floated here.
>> 
>> FWIW,
>> 
>>    Eve
>> 
>> On 19 Aug 2013, at 8:31 AM, Justin Richer <jricher@mitre.org> wrote:
>> 
>>> All of this is a good argument to do both, which is what I've been
>saying all along.
>>> 
>>> -- Justin
>>> 
>>> On 08/19/2013 11:33 AM, Phil Hunt wrote:
>>>> I do not recall agreement in charter discussions to solving a
>specific case.
>>>> 
>>>> I recall more than one in the re-chartering discussion said dyn reg
>needed major changes to solve their use cases.
>>>> 
>>>> Phil
>>>> 
>>>> On 2013-08-19, at 8:18, Justin Richer <jricher@mitre.org> wrote:
>>>> 
>>>>> Tony, I completely disagree. The proposals that I've seen have
>different means and different end states, and they make different
>assumptions about the relationship between entities and the
>capabilities of all players.
>>>>> 
>>>>> -- Justin
>>>>> 
>>>>> On 08/19/2013 11:15 AM, Anthony Nadalin wrote:
>>>>>> There are proposals out there that are trying to solve the same
>problem, but in different ways, so I would not say that they are trying
>to solve different use cases. I do think that we need to make sure that
>whatever proposal we select it needs to have a wide range of use cases
>it solves, not just a single use case as the more solutions this group
>produces the more confused folks will be
>>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>Behalf Of Justin Richer
>>>>>> Sent: Monday, August 19, 2013 7:27 AM
>>>>>> To: Phil Hunt
>>>>>> Cc: oauth mailing list
>>>>>> Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference
>Call: Thu 22 Aug, 2pm PDT
>>>>>> 
>>>>>> I agree that dynamic registration isn't needed to solve *all* of
>the different use cases. It solves its set of specific problems (and
>does so well, if you ask me), but there are and will always be things
>that it won't work for, and that's fine. That's why I've suggested
>under a separate thread that the other drafts go forward separately and
>that DynReg not be hung up on them. We're fundamentally solving
>different use cases, and there is no magic solution that will solve all
>the problems at once.
>>>>>> 
>>>>>>  -- Justin
>>>>>> 
>>>>>> On 08/18/2013 08:15 PM, Phil Hunt wrote:
>>>>>>> I think we should start by reviewing use cases taxonomy.
>>>>>>> 
>>>>>>> Then a discussion on any client_id assumptions and actual
>requirements for each client case. Why is registration needed for each
>case?
>>>>>>> 
>>>>>>> The statement can solve some complication but should be put in
>context of use cases.
>>>>>>> 
>>>>>>> Phil
>>>>>>> 
>>>>>>> On 2013-08-18, at 15:01, Hannes Tschofenig
><hannes.tschofenig@gmx.net> wrote:
>>>>>>> 
>>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>> Hash: SHA512
>>>>>>>> 
>>>>>>>> - -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>> Hash: SHA512
>>>>>>>> 
>>>>>>>> Based on your feedback via the poll let us start with August
>22nd with the first conference call. I will distribute the conference
>call details on Tuesday.
>>>>>>>> 
>>>>>>>> Let us talk about the agenda. There were several items brought
>up in
>>>>>>>> discussions, namely
>>>>>>>> 
>>>>>>>> * Software assertions / software statements
>>>>>>>> 
>>>>>>>> We briefly discussed this topic at the IETF OAuth session but
>we may need more time to understand the implications for the current
>dynamic client registration document:
>>>>>>>>
>http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx
>>>>>>>> 
>>>>>>>> * SCIM vs. current dynamic client registration approach for
>>>>>>>> interacting with the client configuration endpoint
>>>>>>>> 
>>>>>>>> In the past we said that it would be fine to have a profile
>defined in SCIM to provide the dynamic client registration for those
>who implement SCIM and want to manage clients also using SCIM. It
>might, however, be useful to compare the two approaches in detail to
>see what the differences are.
>>>>>>>> 
>>>>>>>> * Interactions with the client registration endpoint
>>>>>>>> 
>>>>>>>> Justin added some "life cycle" description to the document to
>motivate some of the design decisions. Maybe we need to discuss those
>in more detail and add further text.
>>>>>>>> Additional text could come from the NIST Blue Button / Green
>Button usage.
>>>>>>>> 
>>>>>>>> * Aspects that allow servers to store less / no state
>>>>>>>> 
>>>>>>>> - - From the discussions on the list it was not clear whether
>this is actually accomplishable with the current version of OAuth. We
>could explore this new requirement and try to get a better
>understanding how much this relates to dynamic client registration and
>to what extend it requires changes to the core spec.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> What would you like to start with? Other topics you would like
>to bring up?
>>>>>>>> - -----BEGIN PGP SIGNATURE-----
>>>>>>>> Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
>>>>>>>> Comment: GPGTools - http://gpgtools.org
>>>>>>>> 
>>>>>>>>
>iQEcBAEBCgAGBQJSEULvAAoJEGhJURNOOiAtttEH/Aogg8Q/R/L9/mzU05IQbnze
>>>>>>>>
>AdXB1ZvySkV3jZT4I5shmP7hQr6mc6P6UdvyOrSjrvPlBHen55/oa5z7Cwchd1dk
>>>>>>>>
>dcDUEavbodjnm9SrOs0nKaTvdeZimFSBkGMrfhoTYLXpymP24F9PZgwUXdOcFocF
>>>>>>>>
>OiCs3qDajYaA395DCg5+4mOLQQgDnmy4drlgj2NPv1nMBRDBubzgAhJccwF2BLN9
>>>>>>>>
>IW7MAwTEu7vYT/gwIFzriPkui7gYpf8sAqsnzf/z7FtXbsP8imgOKUlQxzZzeSSP
>>>>>>>>
>QEb6+syyMD9Gt6wxQfWzyl5T0bYLP6DQ+ldZR8yGKCwb+2k3LN6Q8bIpj4mIERI=
>>>>>>>> =tkGT
>>>>>>>> - -----END PGP SIGNATURE-----
>>>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>>>> Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
>>>>>>>> Comment: GPGTools - http://gpgtools.org
>>>>>>>> 
>>>>>>>>
>iQEcBAEBCgAGBQJSEUQfAAoJEGhJURNOOiAt8wkIAI3xgdsWuOB36KLiMLRUG+Zb
>>>>>>>>
>RvYqV+rOH80m7YVJcdOLjQJcpPqOIBdzq/yuNiAaF1uFJCqBn97ZQ/NLXLNGcg8x
>>>>>>>>
>wI/Laz7kP2U4B2trBTMtAf2wsY9uYw4Eh+eOEDKGF6cmkEzrzrlw4q/Sfu6vy181
>>>>>>>>
>VI+kqwzZ+iYX4iL3NYPlkg3rwF4OZ1v3T08Erg2SPrbmNd1TRfJJU8HrYFEJQo1q
>>>>>>>>
>p0RiLjcFFDCEZs0gDr9zliCXllV7J9h2ttqLq8+xwPATDuO6buQdFS9vZQ8t1u36
>>>>>>>>
>a0FIuy3NM8PQbblC3B5WumUjW4kntLV09ytYV8h6S8C/dgFwMqzAwEAeNx1exyE=
>>>>>>>> =3qNI
>>>>>>>> -----END PGP SIGNATURE-----
>>>>>>>> _______________________________________________
>>>>>>>> OAuth mailing list
>>>>>>>> OAuth@ietf.org
>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> 
>> Eve Maler                                 
>http://www.xmlgrrl.com/blog
>> +1 425 345 6756                        
>http://www.twitter.com/xmlgrrl
>> 
>_______________________________________________
>OAuth mailing list
>OAuth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email