Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-01.txt
Sergey Beryozkin <sberyozkin@gmail.com> Thu, 27 November 2014 21:04 UTC
Message-ID: <547791CA.1070105@gmail.com>
Date: Thu, 27 Nov 2014 21:04:10 +0000
From: Sergey Beryozkin <sberyozkin@gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
References: <20141113040729.675.60416.idtracker@ietfa.amsl.com> <5477657D.6040302@gmail.com> <60529BBB-A3E5-45A2-893B-5A71B0D98A7F@ve7jtb.com>
In-Reply-To: <60529BBB-A3E5-45A2-893B-5A71B0D98A7F@ve7jtb.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/q1g_Uu62K9QtzkGBRRxlOY_-xjQ
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-01.txt
Hi John

On 27/11/14 19:22, John Bradley wrote:
> In sec 6 of OpenID Connect Core we have:
>
> So that the request is a valid OAuth 2.0 Authorization Request, values for the response_type and client_id parameters MUST be included using the OAuth 2.0 request syntax, since they are REQUIRED by OAuth 2.0. The values for these parameters MUST match those in the Request Object, if present.
>
> So we should add that in to this text to make it clear that it must still be a well-formed OAuth 2 request.
>

Thanks for the clarification. I did assume, while prototyping, the client_id was available as a dedicated query parameter too.

> In Connect we do allow for the possibility that a 3rd party might sign a request object.
>
> An example was that in some jurisdictions it may be a 3rd party like a privacy commissioner that signs the request object so that the IdP knows that the RP is allowed to request those claims.
>
> The processing by the AS is: validate the signature based on the "iss" (typically the client). Compare the client_id to the iss and see if the iss is authoritative for the value of the client_id claim (typically one to one). Compare the client_id claim value with the query parameter client_id value and reject if not the same. (You could do that first if you want.)
>
> The idea of the hash is that it allows the AS to discover if the content of the request file has changed without getting it.
>
> The example from Connect is:
>
> https://client.example.org/request.jwt#GkurKxf5T0Y-mnPFCHqWOMiZi4VS138cQO_V7PZHAdM
>
> The server needs to remember the full URI of the request object and refetch it when the fragment changes.
>
> Without the fragment the AS would need to rely on HTTP caching and at least do a HEAD each time.
>
> That section can be expanded.
>

Very nice explanation above, thanks. Sorry I did not do my homework and review the Connect text :-).

Thanks, Sergey

> John B.
>
>
>
>> On Nov 27, 2014, at 2:55 PM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
>>
>> Hi
>>
>> Should the text require that a "client_id" parameter is always included as a query parameter too?
>>
>> If it is only inside a 'request' parameter, then how would the server identify a client-specific key that can be used to validate the signature?
>>
>> Or is the idea that if it is a JWS and no client_id query parameter is available, then the client id is extracted first, the key is identified and then the signature is validated?
>>
>> Also, a simple example of how an optional file hash is specified when a request_uri is used would be useful.
>>
>> Many thanks, Sergey
>>
>> On 13/11/14 04:07, internet-drafts@ietf.org wrote:
>>>
>>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>> This draft is a work item of the Web Authorization Protocol Working Group of the IETF.
>>>
>>> Title : Request by JWS ver.1.0 for OAuth 2.0
>>> Authors : Nat Sakimura
>>> John Bradley
>>> Filename : draft-ietf-oauth-jwsreq-01.txt
>>> Pages : 9
>>> Date : 2014-11-12
>>>
>>> Abstract:
>>> The authorization request in OAuth 2.0 utilizes query parameter
>>> serialization. This specification defines the authorization request
>>> using JWT serialization. The request is sent through "request"
>>> parameter or by reference through "request_uri" parameter that points
>>> to the JWT, allowing the request to be optionally signed and
>>> encrypted.
>>>
>>>
>>> The IETF datatracker status page for this draft is:
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
>>>
>>> There's also a htmlized version available at:
>>> http://tools.ietf.org/html/draft-ietf-oauth-jwsreq-01
>>>
>>> A diff from the previous version is available at:
>>> http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-01
>>>
>>>
>>> Please note that it may take a couple of minutes from the time of submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>>
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
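The AS processing John describes above (select the key by "iss", validate the signature, check that the issuer is authoritative for the client_id claim, then require the claim to match the client_id query parameter and the request to still be a well-formed OAuth 2.0 request) and the request_uri fragment check, as an added Python example; this is not code from the thread or from the jwsreq draft. It assumes an HS256 shared-secret JWS as a stand-in for the public-key JWS a real client would register, and the ISSUER_KEYS / AUTHORITATIVE_FOR registries, the client_id "s6BhdRkqt3" and the commissioner issuer are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed registries for this example (a real AS would use each client's
# registered keys / metadata). ISSUER_KEYS maps a request-object issuer to its
# signing key; AUTHORITATIVE_FOR records which client_id values an issuer may
# sign for, so the third-party signer case ("privacy commissioner") can be
# modelled next to the usual one-to-one client-signs-its-own-request case.
ISSUER_KEYS = {
    "s6BhdRkqt3": b"constructed-secret-for-client-s6BhdRkqt3",
    "https://commissioner.example": b"constructed-secret-for-commissioner",
}
AUTHORITATIVE_FOR = {
    "s6BhdRkqt3": {"s6BhdRkqt3"},
    "https://commissioner.example": {"s6BhdRkqt3"},
}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def sign_request_object(claims: dict, key: bytes) -> str:
    """Produce a compact HS256 JWS carrying the request object claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_request_object(query: dict, jws: str) -> dict:
    """Apply the AS processing steps from the thread; return the verified
    claims or raise ValueError with the reason for rejection."""
    # The request must still be a well-formed OAuth 2.0 request: client_id and
    # response_type MUST be present as ordinary query parameters.
    for name in ("client_id", "response_type"):
        if name not in query:
            raise ValueError(f"missing required query parameter: {name}")

    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("request object is not a compact JWS")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    claims = json.loads(_b64url_decode(p_b64))

    # Pin the algorithm before looking at the signature; the token's own
    # header must not be allowed to select "none" or a different scheme.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg: {header.get('alg')!r}")

    # 1. Select the key by "iss" and validate the signature.
    iss = claims.get("iss")
    key = ISSUER_KEYS.get(iss) if isinstance(iss, str) else None
    if key is None:
        raise ValueError(f"unknown issuer: {iss!r}")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("request object signature invalid")

    # 2. Is this issuer authoritative for the client_id claim it signed?
    client_id_claim = claims.get("client_id")
    if client_id_claim not in AUTHORITATIVE_FOR.get(iss, set()):
        raise ValueError(f"issuer {iss!r} not authoritative for {client_id_claim!r}")

    # 3. The client_id claim must equal the client_id query parameter, and a
    #    response_type inside the object must match the query parameter too.
    if client_id_claim != query["client_id"]:
        raise ValueError("client_id claim does not match query parameter")
    if "response_type" in claims and claims["response_type"] != query["response_type"]:
        raise ValueError("response_type claim does not match query parameter")
    return claims


def is_rejected(query: dict, jws: str) -> bool:
    """True if validate_request_object rejects the request (helper for checks)."""
    try:
        validate_request_object(query, jws)
        return False
    except ValueError:
        return True


def request_uri_needs_refetch(remembered_uri: str, presented_uri: str) -> bool:
    """True when the fragment (the content hash) differs from the URI the AS
    remembered for this client, so the cached request object must be fetched
    again instead of trusting the stale copy."""
    return urlparse(remembered_uri).fragment != urlparse(presented_uri).fragment
```

The ordering follows the thread: key selection happens on "iss", not on the query client_id, so a request object signed by a third party can still be accepted as long as that issuer is registered as authoritative for the client_id it names; the final equality check against the query parameter is what ties the signed object to the OAuth 2.0 request it travels with.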