[OAUTH-WG] More draft-ietf-oauth-assertions-03 comments
"Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> Fri, 25 May 2012 07:22 UTC
Return-Path: <hannes.tschofenig@nsn.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6EAE11E807F for <oauth@ietfa.amsl.com>; Fri, 25 May 2012 00:22:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.538
X-Spam-Level:
X-Spam-Status: No, score=-106.538 tagged_above=-999 required=5 tests=[AWL=0.059, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IIscKf78oUnW for <oauth@ietfa.amsl.com>; Fri, 25 May 2012 00:22:30 -0700 (PDT)
Received: from demumfd002.nsn-inter.net (demumfd002.nsn-inter.net [93.183.12.31]) by ietfa.amsl.com (Postfix) with ESMTP id 6B11611E8074 for <oauth@ietf.org>; Fri, 25 May 2012 00:22:29 -0700 (PDT)
Received: from demuprx016.emea.nsn-intra.net ([10.150.129.55]) by demumfd002.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id q4P7ML3X025839 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <oauth@ietf.org>; Fri, 25 May 2012 09:22:21 +0200
Received: from DEMUEXC047.nsn-intra.net ([10.159.32.93]) by demuprx016.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id q4P7MLEZ022580 for <oauth@ietf.org>; Fri, 25 May 2012 09:22:21 +0200
Received: from FIESEXC035.nsn-intra.net ([10.159.0.25]) by DEMUEXC047.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.4675); Fri, 25 May 2012 09:22:17 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CD3A47.1D27E637"
Date: Fri, 25 May 2012 10:22:16 +0300
Message-ID: <999913AB42CC9341B05A99BBF358718D017BA762@FIESEXC035.nsn-intra.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: More draft-ietf-oauth-assertions-03 comments
Thread-Index: Ac06Rxzmbo7WvLDeRhmPea9483hHkg==
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: oauth@ietf.org
X-OriginalArrivalTime: 25 May 2012 07:22:17.0689 (UTC) FILETIME=[1D933C90:01CD3A47]
X-purgate-type: clean
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-size: 25203
X-purgate-ID: 151667::1337930543-00005945-83DCA1B9/0-0/0-0
Subject: [OAUTH-WG] More draft-ietf-oauth-assertions-03 comments
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 May 2012 07:22:33 -0000
Here a few minor comments:
The specification does not provide a lot of hints for the client when an
error occurs. For example, Section 4.1.1 only says "invalid_client" is
something goes wrong with the assertion processing in case of client
authentication. The same is true for the authorization grant error
response in Section 4.2.1.
What about errors like?
* Assertion was not fresh - replay detected (based on the
assertion ID)
* Issuer unknown or not trusted
* Assertion couldn't be parsed
* The assertion format is unknown
* Signature covering the assertion couldn't be verified
* Audience does not match
* Assertion expired (based on 'expired at' element)
* Missing mandatory elements in the assertion
There are a lot of "SHOULDs" in the specification and I was wondering
why this has to be the case. Typically, there has to be a good reason
why there is a SHOULD rather than a MUST or at least an explanation in
case there are different processing alternatives.
For example, Section 5.2 says:
"When the client is acting on behalf of itself, the
Principal SHOULD be the "client_id".
"
When the client is acting on his own behalf then it would be good to say
in what cases the principal element does not contain the client_id. In
general, it seems that the client_id and the principal are pretty much
the same thing (the fields just appear twice).
The same issue regarding the "SHOULD" shows up in other places as well,
such as with the issuer in the same section: "If an assertion is
self-asserted, the
Issuer SHOULD be the "client_id"."
Again same section: "The Audience SHOULD be the URL of the Authorization
Server's Token Endpoint."
In case it is not an URL what else should it be? When can this other
case happen?
You also write: "The assertion MUST contain an Issuer."
That's great but what is the relationship if the assertion already
contains an issuer as part of the signature that covers the party that
signed the assertion (which is the case in SAML). Do they have to match?
Section 6.3 and Section 6.4 say:
"
o The grant_type HTTP request parameter MUST indicate the assertion
format.
"
Is this correct? Shouldn't it be rather
"
o The "client_assertion_type" HTTP parameter MUST identify the
assertion format.
"
Difference between Section 6.3 and 6.3: anonymous user or not
These two sections are identical with one exception: the content of the
principal element.
Wouldn't it make sense to merge the two cases and then to indicate that
the content of the principal element varies?
In Section 6.2 you write:
When a client is accessing resources on behalf of itself, it SHOULD
do so in a manner analogous to the Client Credentials flow defined in
Section 4.4
<http://tools.ietf.org/html/draft-ietf-oauth-assertions-03> of OAuth
2.0 [I-D.ietf-oauth-v2
<http://tools.ietf.org/html/draft-ietf-oauth-assertions-03> ].
Use "Client Credentials Grant flow" instead of "Client Credentials
flow"
In Section 6.3 you write:
"
When a client is accessing resources on behalf of a user, it SHOULD
be treated as using an assertion as an Authorization Grant according
to Section 4.2
<http://tools.ietf.org/html/draft-ietf-oauth-assertions-03> .
"
This is a confusing sentence. I believe what you are trying to say is
that the description in Section 4.2 MUST be followed.
IANA consideration section: This section is essentially the
communication you have with IANA to request values to be added to
existing registries. It helps them to be specific about what information
you want to get added to what registry.
For example, Section 8.1 registers an additional parameter called
"assertion". It would be useful to just say that this is a new entry to
the "OAuth Parameters Registry" established in Section 11.2 of
[I-D.ietf-oauth-v2
<http://tools.ietf.org/html/draft-ietf-oauth-assertions-03> ].
As a minor nit here The parameter usage location indicates "client
authentication, token request". Client authentication is not a valid
location per Section 11.2.1.
The same comment applies to Section 8.2 and Section 8.3.
Ciao
Hannes
- [OAUTH-WG] More draft-ietf-oauth-assertions-03 co… Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] More draft-ietf-oauth-assertions-0… Brian Campbell