Re: [OAUTH-WG] Dynamic Client Registration

Igor Faynberg <igor.faynberg@alcatel-lucent.com> Wed, 18 April 2012 20:17 UTC

Return-Path: <igor.faynberg@alcatel-lucent.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83A7521F8433 for <oauth@ietfa.amsl.com>; Wed, 18 Apr 2012 13:17:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.339
X-Spam-Level:
X-Spam-Status: No, score=-9.339 tagged_above=-999 required=5 tests=[AWL=1.260, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aBfDWtMSJdW7 for <oauth@ietfa.amsl.com>; Wed, 18 Apr 2012 13:17:05 -0700 (PDT)
Received: from ihemail1.lucent.com (ihemail1.lucent.com [135.245.0.33]) by ietfa.amsl.com (Postfix) with ESMTP id 8C10F11E8085 for <oauth@ietf.org>; Wed, 18 Apr 2012 13:17:04 -0700 (PDT)
Received: from usnavsmail4.ndc.alcatel-lucent.com (usnavsmail4.ndc.alcatel-lucent.com [135.3.39.12]) by ihemail1.lucent.com (8.13.8/IER-o) with ESMTP id q3IKH3Ln016301 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <oauth@ietf.org>; Wed, 18 Apr 2012 15:17:03 -0500 (CDT)
Received: from umail.lucent.com (umail-ce2.ndc.lucent.com [135.3.40.63]) by usnavsmail4.ndc.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id q3IKH3IJ004281 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <oauth@ietf.org>; Wed, 18 Apr 2012 15:17:03 -0500
Received: from [135.222.232.147] (USMUYN0L055118.mh.lucent.com [135.222.232.147]) by umail.lucent.com (8.13.8/TPES) with ESMTP id q3IKH2R2020475; Wed, 18 Apr 2012 15:17:03 -0500 (CDT)
Message-ID: <4F8F213E.40003@alcatel-lucent.com>
Date: Wed, 18 Apr 2012 16:17:02 -0400
From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
Organization: Alcatel-Lucent
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110616 Thunderbird/3.1.11
MIME-Version: 1.0
To: oauth@ietf.org
References: <5F51A14F-D548-4D29-B20F-5C3DCB3CB705@gmx.net> <0CBAEB56DDB3A140BA8E8C124C04ECA2FE7F47@P3PWEX2MB008.ex2.secureserver.net> <6760C38E-7C0C-412F-A285-8F4CB2858F30@gmx.net> <0CBAEB56DDB3A140BA8E8C124C04ECA2FE92E4@P3PWEX2MB008.ex2.secureserver.net> <4F8F1ACE.4030407@lodderstedt.net> <0CBAEB56DDB3A140BA8E8C124C04ECA2FEFCD2@P3PWEX2MB008.ex2.secureserver.net> <4F8F1C83.2000107@lodderstedt.net>
In-Reply-To: <4F8F1C83.2000107@lodderstedt.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.33
X-Scanned-By: MIMEDefang 2.64 on 135.3.39.12
Subject: Re: [OAUTH-WG] Dynamic Client Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: igor.faynberg@alcatel-lucent.com
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Apr 2012 20:17:08 -0000

+1 for keeping registration and discovery separate.

(As is typical, Torsten had beaten me to saying just what I was thinking 
about and preparing to to say.  The only consolation is that he 
expressed it better than I would have.)

Igor

On 4/18/2012 3:56 PM, Torsten Lodderstedt wrote:
> Hi Eran,
>
> thanks for pointing this out. I took a quick look on the document. 
> Seems the I-D combines registration and discovery. I think both should 
> be kept separat. So I would suggest to remove section 5 and the 
> dependency is gone.
>
> regards,
> Torsten.
>
> Am 18.04.2012 21:51, schrieb Eran Hammer:
>> Because it is in the draft the WG is suppose to consider. It's a 
>> stated dependency.
>>
>> EH
>>
>>> -----Original Message-----
>>> From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
>>> Sent: Wednesday, April 18, 2012 12:50 PM
>>> To: Eran Hammer
>>> Cc: Hannes Tschofenig; oauth@ietf.org WG
>>> Subject: Re: [OAUTH-WG] Dynamic Client Registration
>>>
>>> Hi Eran,
>>>
>>> why do you see a relationship between dynamic client registration and
>>> discovery? Basically, we don't care so far how a client finds tokens 
>>> and end-
>>> user authorization point. Why is this any different for the client 
>>> registration
>>> endpoint (or the revocation endpoint)? Or do you have a bigger 
>>> picture in
>>> mind?
>>>
>>> regards,
>>> Torsten.
>>>
>>> Am 15.04.2012 22:36, schrieb Eran Hammer:
>>>> Where did I say I'm not interested in this work?!
>>>>
>>>> All I was saying is that it would be better to postpone it until 
>>>> the discovery
>>> layer, which this draft clearly relies upon, is a bit clearer. I 
>>> would be satisfied
>>> with a simple note stating that if the discovery work at the APP 
>>> area isn't
>>> complete, the WG may choose to delay work on this document until ready.
>>>> EH
>>>>
>>>>> -----Original Message-----
>>>>> From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net]
>>>>> Sent: Sunday, April 15, 2012 9:01 AM
>>>>> To: Eran Hammer
>>>>> Cc: Hannes Tschofenig; oauth@ietf.org WG
>>>>> Subject: Re: [OAUTH-WG] Dynamic Client Registration
>>>>>
>>>>> Hi Eran,
>>>>>
>>>>> you are saying that you are not interested in the dynamic client
>>>>> registration work and that's OK. There are, however, a couple of
>>>>> other folks in the group who had expressed interest to work on it, to
>>> review and to implement it.
>>>>> Note also that the discovery and the dynamic client registration is
>>>>> different from each other; there is a relationship but they are
>>> nevertheless different.
>>>>> Ciao
>>>>> Hannes
>>>>>
>>>>> PS: Moving the Simple Web Discovery to the Apps area working group
>>>>> does not mean that it will not be done. On the contrary there will be
>>>>> work happing and we are just trying to figure out what the difference
>>>>> between SWD and WebFinger is.
>>>>>
>>>>> On Apr 15, 2012, at 9:14 AM, Eran Hammer wrote:
>>>>>
>>>>>> I'd like to see 'Dynamic Client Registration' removed from the
>>>>>> charter along
>>>>> with SWD for the sole reason that figuring out a generic discovery
>>>>> mechanism is going to take some time and this WG has enough other
>>>>> work to focus on while that happens elsewhere. I expect this to come
>>>>> back in the next round with much more deployment experience and
>>> discovery clarity.
>>>>>> EH
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>>>>>>> Behalf Of Hannes Tschofenig
>>>>>>> Sent: Friday, April 13, 2012 7:36 AM
>>>>>>> To: oauth@ietf.org WG
>>>>>>> Subject: [OAUTH-WG] Dynamic Client Registration
>>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> at the IETF#83 OAuth working group meeting we had some confusion
>>>>>>> about the Dynamic Client Registration and the Simple Web Discovery
>>>>>>> item. I just listened to the audio recording again.
>>>>>>>
>>>>>>> With the ongoing mailing list discussion regarding WebFinger vs.
>>>>>>> Simple Web Discovery I hope that folks had a chance to look at the
>>>>>>> documents again and so the confusion of some got resolved.
>>>>>>>
>>>>>>> I believe the proposed new charter item is sufficiently clear with
>>>>>>> regard to the scope of the work. Right?
>>>>>>> Here is the item again:
>>>>>>> "
>>>>>>> Jul. 2013  Submit 'OAuth Dynamic Client Registration Protocol' to
>>>>>>> the IESG for consideration as a Proposed Standard
>>>>>>>
>>>>>>> [Starting point for the work will be
>>>>>>> http://tools.ietf.org/html/draft-hardjono-oauth-dynreg
>>>>>>> ]
>>>>>>> "
>>>>>>>
>>>>>>> Of course there there is a relationship between Simple Web
>>>>>>> Discovery (or
>>>>>>> WebFinger) and the dynamic client registration since the client
>>>>>>> first needs to discover the client registration endpoint at the
>>>>>>> authorization server before interacting with it.
>>>>>>>
>>>>>>> Now, one thing that just came to my mind when looking again at
>>>>>>> draft- hardjono-oauth-dynreq was the following: Could the Client
>>>>>>> Registration Request and Response protocol exchange could become a
>>>>>>> profile of the SCIM protocol? In some sense this exchange is
>>>>>>> nothing else than provisioning an account at the Authorization
>>>>>>> Server (along with
>>>>> some meta-data).
>>>>>>> Is this too far fetched?
>>>>>>>
>>>>>>> Ciao
>>>>>>> Hannes
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth