Re: [OAUTH-WG] OAuth Discovery metadata values added for revocation, introspection, and PKCE

John Bradley <ve7jtb@ve7jtb.com> Fri, 29 January 2016 14:11 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CABzCy2Cq5czDXCGP5P5UWjcG8JQTwiS9dci2xLzpefUJVNFf0g@mail.gmail.com>
Date: Fri, 29 Jan 2016 11:11:16 -0300
Message-Id: <5CDF5150-89C7-4EC7-92C8-EE356C30993F@ve7jtb.com>
References: <BY2PR03MB442C39923E8F9D96F5975B0F5DA0@BY2PR03MB442.namprd03.prod.outlook.com> <56AB59CA.5070408@connect2id.com> <CABzCy2Cq5czDXCGP5P5UWjcG8JQTwiS9dci2xLzpefUJVNFf0g@mail.gmail.com>
To: Nat Sakimura <sakimura@gmail.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/r6JEHmCa5YDxpsWezDFZKMN6qIc>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth Discovery metadata values added for revocation, introspection, and PKCE

The only problem with that is the client may only require it for some types of clients (public) or response types.

It may need to be finer grained than that, or define it as required for all public clients using the token endpoint.

John B.


> On Jan 29, 2016, at 10:15 AM, Nat Sakimura <sakimura@gmail.com> wrote:
> 
> Good question. 
> 
> It's probably a good idea to be able to advertise this policy in the discovery. 
> 
> Perhaps in the line of 
> 
> pkce_required or rfc7636_required? 
> The value should be Boolean. 
> 
> Nat from iPhone
> 
> 
> On Fri, 29 Jan 2016 at 21:23, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
> Thanks Mike, the updated spec looks good!
> 
> I have a question related to PKCE:
> 
> The PKCE spec seems to imply that an AS may require public clients to use a code challenge:
> 
> https://tools.ietf.org/html/rfc7636#section-4.4.1
> 
> If an AS has such a policy in place, how is this to be advertised? Or is that supposed to be enforced when the client gets registered (there are no reg params for that at present)?
> 
> 
> On 28/01/16 19:27, Mike Jones wrote:
>> The OAuth Discovery specification has been updated to add metadata values for revocation <http://tools.ietf.org/html/rfc7009>, introspection <http://tools.ietf.org/html/rfc7662>, and PKCE <http://tools.ietf.org/html/rfc7636>. Changes were:
>> 
>> *       Added "revocation_endpoint_auth_methods_supported" and "revocation_endpoint_auth_signing_alg_values_supported" for the revocation endpoint.
>> 
>> *       Added "introspection_endpoint_auth_methods_supported" and "introspection_endpoint_auth_signing_alg_values_supported" for the introspection endpoint.
>> 
>> *       Added "code_challenge_methods_supported" for PKCE.
>> 
>> The specification is available at:
>> 
>> *       http://tools.ietf.org/html/draft-jones-oauth-discovery-01
>> 
>> An HTML-formatted version is also available at:
>> 
>> *       http://self-issued.info/docs/draft-jones-oauth-discovery-01.html
>> 
>>                                                           -- Mike
>> 
>> P.S. This note was also published at http://self-issued.info/?p=1531 and as @selfissued <https://twitter.com/selfissued>.
>> 
>> 
> 
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> -- 
> Vladimir Dzhuvinov
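As an added example (not code from any message in this thread or from the draft) of how the metadata discussed above could be acted on: a client picks a challenge method from `code_challenge_methods_supported`, and an AS token endpoint evaluates a PKCE policy per client type, as John suggests. The discovery document is constructed, and `pkce_required` is Nat's proposed name used here as an assumption, not a defined metadata value.

```python
import base64
import hashlib
import hmac
import re

# Constructed discovery document. "code_challenge_methods_supported" comes from the
# draft in Mike's note; "pkce_required" is Nat's proposed name (assumption, not defined).
DISCOVERY = {
    "code_challenge_methods_supported": ["S256", "plain"],
    "pkce_required": True,
}

VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")  # RFC 7636 section 4.1

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def derive_challenge(verifier, method):
    """code_challenge for a verifier, RFC 7636 section 4.2."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        return verifier
    raise ValueError("unknown code_challenge_method: %s" % method)

def choose_challenge_method(metadata):
    """Client side: prefer S256, refuse an AS offering only plain, None if not advertised."""
    methods = metadata.get("code_challenge_methods_supported", [])
    if "S256" in methods:
        return "S256"
    if methods:
        raise ValueError("AS advertises only %s; S256 is required" % methods)
    return None

def token_endpoint_check(client_is_public, pkce_required, stored_challenge, stored_method, verifier):
    """AS side: returns (accepted, reason); the policy is evaluated per client type, per John's point."""
    if verifier is None:
        if stored_challenge is not None:
            return False, "code was issued with a code_challenge; code_verifier missing"
        if client_is_public and pkce_required:
            return False, "policy requires PKCE for public clients"
        return True, "ok (PKCE not required for this client)"
    if stored_challenge is None:
        return False, "code_verifier sent but no code_challenge bound to this code"
    if not VERIFIER_RE.match(verifier):
        return False, "code_verifier has invalid length or characters"
    if not hmac.compare_digest(derive_challenge(verifier, stored_method), stored_challenge):
        return False, "code_verifier does not match code_challenge"
    return True, "ok (PKCE verified)"
```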