IETF Logo Mail Archive

Re: [OAUTH-WG] Dynamic Registration Plan: Your Feedback Needed!

Anthony Nadalin <tonynad@microsoft.com> Thu, 06 February 2014 18:41 UTC

Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C13981A01E3 for <oauth@ietfa.amsl.com>; Thu, 6 Feb 2014 10:41:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URI_NOVOWEL=0.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sl8gKli48ZMh for <oauth@ietfa.amsl.com>; Thu, 6 Feb 2014 10:41:37 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0206.outbound.protection.outlook.com [207.46.163.206]) by ietfa.amsl.com (Postfix) with ESMTP id E8FEF1A0455 for <oauth@ietf.org>; Thu, 6 Feb 2014 10:41:34 -0800 (PST)
Received: from BLUPR03MB309.namprd03.prod.outlook.com (10.141.48.22) by BLUPR03MB311.namprd03.prod.outlook.com (10.141.48.26) with Microsoft SMTP Server (TLS) id 15.0.873.10; Thu, 6 Feb 2014 18:41:22 +0000
Received: from BLUPR03MB309.namprd03.prod.outlook.com ([10.141.48.22]) by BLUPR03MB309.namprd03.prod.outlook.com ([10.141.48.22]) with mapi id 15.00.0873.009; Thu, 6 Feb 2014 18:41:22 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Phil Hunt <phil.hunt@oracle.com>
Thread-Topic: [OAUTH-WG] Dynamic Registration Plan: Your Feedback Needed!
Thread-Index: AQHPHZrcj5aIvhL6QUWwHABRilQciJqeLykAgAXPnoCAA4aOgIAAAPCAgAESfwCAAAFlAIAAAEWQ
Date: Thu, 06 Feb 2014 18:41:21 +0000
Message-ID: <356ded516f534bb18f33be2d50736dc4@BLUPR03MB309.namprd03.prod.outlook.com>
References: <52E87DE4.1070000@gmx.net> <7C4FBCAA-9B5E-4EFD-A2DD-D68F1F75EA7C@xmlgrrl.com> <E3D2A269-4BC4-4755-B28E-C40185D23388@oracle.com> <4E1F6AAD24975D4BA5B16804296739438B157B13@TK5EX14MBXC288.redmond.corp.microsoft.com> <4E1F6AAD24975D4BA5B16804296739438B157B4E@TK5EX14MBXC288.redmond.corp.microsoft.com> <00622740-EA6B-4C4B-9FAB-653B197BE028@oracle.com> <D756B771-393D-4569-9742-7A32AE4AE683@ve7jtb.com>
In-Reply-To: <D756B771-393D-4569-9742-7A32AE4AE683@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e0:ee43::3]
x-forefront-prvs: 0114FF88F6
x-forefront-antispam-report: SFV:NSPM; SFS:(10009001)(6009001)(377454003)(53754006)(51704005)(377424004)(13464003)(24454002)(50854003)(51444003)(189002)(199002)(74706001)(53806001)(85306002)(31966008)(54356001)(76482001)(51856001)(74502001)(90146001)(50986001)(74662001)(47976001)(87936001)(80022001)(87266001)(2656002)(33646001)(49866001)(94946001)(15975445006)(59766001)(81816001)(74876001)(81686001)(54316002)(92566001)(79102001)(77982001)(74366001)(95416001)(47446002)(56776001)(86612001)(65816001)(63696002)(19580405001)(85852003)(83322001)(80976001)(46102001)(94316002)(47736001)(15974865002)(76576001)(15202345003)(83072002)(76796001)(76786001)(93136001)(81342001)(74316001)(93516002)(19580395003)(56816005)(81542001)(86362001)(69226001)(4396001)(42262001)(3826001)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR03MB311; H:BLUPR03MB309.namprd03.prod.outlook.com; CLIP:2001:4898:80e0:ee43::3; FPR:E6FAD1CC.ACF26288.31D3F10B.8264F941.20715; InfoNoRecordsMX:1; A:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: "oauth@ietf.org list" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Registration Plan: Your Feedback Needed!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Feb 2014 18:41:42 -0000

I would agree with Phil, the server makes right in this case, specific statement may be sent but the processed statement is returned which may be different

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
Sent: Thursday, February 6, 2014 10:39 AM
To: Phil Hunt
Cc: oauth@ietf.org list
Subject: Re: [OAUTH-WG] Dynamic Registration Plan: Your Feedback Needed!

I think it would be echoing back the software statement  that was processed as part of the request for consistency.   Replying with a different software statement is going to be too confusing.   
The entirety of the reply represents the configured state for the client.

John B.

On Feb 6, 2014, at 3:33 PM, Phil Hunt <phil.hunt@oracle.com> wrote:

> My thought was the original statement shouldn't be returned because the server would return the "processed" information.  IOW reflecting what it took from the certificate vs. from the registration request.
> 
> If you just echo back the certificate you aren't necessarily reflecting the final state of the registration.
> 
> I'm pretty open on this. Just want to make clear on what state we are returning (if any).
> 
> Phil
> 
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
> 
> On 2014-02-05, at 6:11 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> 
>> Oh, I should add that I disagree that it's not necessary to return the software statement.  It's a key part of the client registration information, and so should be returned like the other client registration information actually used.
>> 
>> 				-- Mike
>> 
>> -----Original Message-----
>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Mike Jones
>> Sent: Wednesday, February 05, 2014 6:08 PM
>> To: Phil Hunt; Eve Maler
>> Cc: oauth@ietf.org list
>> Subject: Re: [OAUTH-WG] Dynamic Registration Plan: Your Feedback Needed!
>> 
>> Thanks for your comments, Phil.  I'm working on addressing them at present.
>> 
>> One comment confuses me.  You wrote "Section 4.1 - It would be good to have an example with a software statement and no initial access token (or both)."  Yet the last example in Section 4.1 already is such as an example (taken from draft-hunt-oauth-client-association, actually).  Was there something else that you were thinking of?
>> 
>> Also, the "Deployment Organization" definition *does* describe when it and the deployment organization are different.  Where I think that the text describing the choices for the two cases belongs is a subsection of the Use Cases appendix.  Do you want to write text about the two cases, Phi?
>> 
>> 				-- Mike
>> 
>> -----Original Message-----
>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Phil Hunt
>> Sent: Monday, February 03, 2014 12:18 PM
>> To: Eve Maler
>> Cc: oauth@ietf.org list
>> Subject: Re: [OAUTH-WG] Dynamic Registration Plan: Your Feedback Needed!
>> 
>> I am generally in agreement on the new drafts.  Thanks Mike!
>> 
>> Here are some comments:
>> 
>> In the software statement section 3:
>>> If the authorization server determines that the claims in a software  
>>> statement uniquely identify a piece of software, the same Client ID  
>>> value MAY be returned for all dynamic registrations using that  
>>> software statement.
>>> 
>>>  In some cases, authorization servers MAY choose to accept a 
>>> software  statement value directly as a Client ID in an 
>>> authorization request,  without a prior dynamic client registration having been performed.
>>>  The circumstances under which an authorization server would do so,  
>>> and the specific software statement characteristics required in this  
>>> case, are beyond the scope of this specification.
>>> 
>> 
>> We should call out that the server MAY also issue per instance client_id's (the opposite of the first quoted paragraph above) if it chooses to use client_id as an instance identifier (the software_id identifies what clients are based on the same software).  I think this will be the typical use case. Not sure whether the first paragraph should be re-written, or a new one added.
>> 
>> Section 4.1
>> It would be good to have an example with a software statement and no initial access token (or both).
>> 
>> Section 5.1
>> Should we also say that is not necessary to return the software statement.  Note: the server should return the meta data that was obtained from the statement.
>> 
>> Dyn-Reg-Metadata
>> The metadata document looks fine.  I would prefer it being included in dyn reg, but can live with it as is.
>> 
>> Dyn-Reg-Management
>> I'd like to discuss this more in London.  I think a SCIM based management API may be simpler to write up and can leverage the features of SCIM without having to redefine them in a new API.  Still, SCIM is a way off from approval -- so I understand the need to move forward now. Is experimental the right way to go?  I am not sure.
>> 
>> Glossary
>> The terms Software API Publisher and Software API Deployer are defined but never used, Specifically the text describing the issue of when these are two distinct entities is missing. When publisher and deployer are the same (eg. as with Facebook), the dynamic registration need is minimal since a client_id can be issued from a single domain.  When publisher and deployer are different, such as with OpenID Connect, SCIM, then the client developer cannot pre-register for a client_id at development time.  
>> 
>> The software statement is an optional mechanism that enables 
>> developers to pre-registrater to obtain a signed statement (instead 
>> of a client_id) so that API deployers can recognize the 
>> pre-registration relationship with the publisher.  Of course, 
>> software statements are optional if you don't need to be able to 
>> recognize what the client is.  (apologies if I have not phrased the 
>> issue optimally)
>> 
>> Maybe if we can put in a couple of paragraphs explaining this distinction?  
>> 
>> Phil
>> 
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>> 
>> On 2014-01-30, at 7:33 PM, Eve Maler <eve@xmlgrrl.com> wrote:
>> 
>>> Hi Hannes-- The UMA Core spec currently points directly to the basic dynamic client reg doc with MAY statements, and is agnostic as to usage of the higher-order functions. (These turn into optional interop feature tests.) So I think it's fair to say that the split has no structural problems from an UMA perspective.
>>> 
>>> 	Eve
>>> 
>>> On 28 Jan 2014, at 8:04 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>> 
>>>> Hi all,
>>>> 
>>>> as you have seen from the meeting minutes of our recent status chat 
>>>> it is time to proceed with the dynamic client registration work.
>>>> 
>>>> The earlier version of the dynamic client registration document was 
>>>> split into three parts, namely
>>>> (1) the current working group draft containing only minimal 
>>>> functionality,
>>>> (2) a document describing meta-data, and
>>>> (3) a document containing management functionality.
>>>> 
>>>> This change was made as outcome of the discussions we had more or 
>>>> less over the last 9 months.
>>>> 
>>>> The latter two documents are individual submissions at this point. 
>>>> New content is not available with the recent changes. So, it is one 
>>>> of those document management issues.
>>>> 
>>>> I had a chat with Stephen about WG adoption of the two individual 
>>>> submissions as WG items. It was OK for him given that it is a 
>>>> purely document management action. However, before we turn the 
>>>> documents into WG items we need your feedback on a number of issues:
>>>> 
>>>> 1) Do you have concerns with the document split? Do you object or 
>>>> approve it?
>>>> 2) Is the separation of the functionality into these three 
>>>> documents correct? Should the line be drawn differently?
>>>> 3) Do you have comments on the documents overall?
>>>> 
>>>> We would like to receive high-level feedback within a week. We are 
>>>> also eager to hear from implementers and other projects using the 
>>>> dynamic client registration work (such as OpenID Connect, UMA, the 
>>>> BlueButton/GreenButton Initiative, etc.)
>>>> 
>>>> For more detailed reviews please wait till we re-do the WGLC (which 
>>>> we plan to do soon). We have to restart the WGLC due to discussions 
>>>> last years and the resulting changes to these documents.
>>>> 
>>>> Ciao
>>>> Hannes & Derek
>>>> 
>>>> PS: Derek and I also think that Phil should become co-auhor of 
>>>> these documents for his contributions.
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> 
>>> Eve Maler                                  http://www.xmlgrrl.com/blog
>>> +1 425 345 6756                         http://www.twitter.com/xmlgrrl
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email