Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents
Torsten Lodderstedt <torsten@lodderstedt.net> Sun, 20 April 2014 10:14 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39F331A010D for <oauth@ietfa.amsl.com>; Sun, 20 Apr 2014 03:14:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.151
X-Spam-Level:
X-Spam-Status: No, score=-0.151 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3XHyJNsZaP2h for <oauth@ietfa.amsl.com>; Sun, 20 Apr 2014 03:14:24 -0700 (PDT)
Received: from smtprelay06.ispgateway.de (smtprelay06.ispgateway.de [80.67.31.103]) by ietfa.amsl.com (Postfix) with ESMTP id 83A7D1A007F for <oauth@ietf.org>; Sun, 20 Apr 2014 03:14:13 -0700 (PDT)
Received: from [79.253.6.217] (helo=[192.168.71.87]) by smtprelay06.ispgateway.de with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1WbolD-0006mc-B9; Sun, 20 Apr 2014 12:14:07 +0200
Message-ID: <53539DF1.4020103@lodderstedt.net>
Date: Sun, 20 Apr 2014 12:14:09 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" <oauth@ietf.org>
References: <533E77C3.9000509@gmx.net>
In-Reply-To: <533E77C3.9000509@gmx.net>
Content-Type: multipart/alternative; boundary="------------020202000003070804010703"
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/sTy8xJNG_WjB8O8yiu5W3LwRmwk
Subject: Re: [OAUTH-WG] Working Group Last Call on Dynamic Client Registration Documents
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Apr 2014 10:14:28 -0000
Hi all, I also believe both documents should be merged. Nevertheless, here are my comments on the current drafts: * OAuth 2.0 Dynamic Client Registration Core Protocol http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16 1.2. Terminology " Multiple instances of the same piece of client software MAY use the same Client ID value at an authorization server, provided that the Redirection URI values and potentially other values dictated by authorization server policy are the same for all instances." Which entity determines whether the same client id is used for different instances? Given the current protocol design, I would assume it is at the discretion of the authz server. Other opinions? "Software Statement ... It may also be accepted by some authorization servers directly as a Client ID value, without prior registration." under which circumstances does an authz server accept a software statement as client_id? How does the client know? I think the idea is valuable but needs much more text in order to come up with an interoperable protocol design. 1.3. Protocol Flow Initial Access Token vs. Software Statement: In my opinion, those concepts are two different ways to authorize client registration. Although there are the typical differences between tokens and assertions (such as opaque content vs. defined syntax), I feel software statements could supersede initial access tokens. Thoughts? 2. Client Metadata "redirect_uris ... It is RECOMMENDED that clients using these flows register this parameter, and an authorization server SHOULD require ..." I consider this a rather weak statement - does this foster interop? Why not requiring registration of redirect_uris for all clients using web-based grant types. last paragraph: "If the same client metadata name is present in both locations, the value in the software statement SHOULD take precedence." why not MUST? 3. Software Statement Is there a need to require a certain signature method for JWTs used as software statement (interop)? JWT itself requires "HMAC" and "none", which both are of no or limited value in this context. RSA is just recommended by the JWT spec. 5.1 "If a software statement was used as part of the registration, its value SHOULD be returned in the response and its value MUST be returned if the authorization server supports registration management operations [OAuth.Registration.Management] that would require its presence in subsequent operations." I don't get the connection between software statements and the management API. In the management API spec, I only found a reference to software statements in the introduction. Should this text just be removed? 5.2 error codes - invalid_client_metadata I consider this underspecified. How is the client supposed to react if this error occurs? I would expect the authz server to give more detailed information regarding error conditions, e.g. notify the client if particular requested grant types are not supported. Otherwise, the client cannot handle those error differently. * OAuth 2.0 Dynamic Client Registration Metadata http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00 I would suggest to add "jwks" (as defined in http://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata) in order to support native clients. regards, Torsten. Am 04.04.2014 11:13, schrieb Hannes Tschofenig: > Hi all, > > This is a Last Call for comments on the dynamic client registration > documents: > > * OAuth 2.0 Dynamic Client Registration Core Protocol > http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-16 > > * OAuth 2.0 Dynamic Client Registration Metadata > http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-metadata-00 > > Since we have to do the last call for these two documents together we > are setting the call for **3 weeks**. > > Please have your comments in no later than April 25th. > > Ciao > Hannes & Derek > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Working Group Last Call on Dynamic Cli… Hannes Tschofenig
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Justin Richer
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Bill Mills
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Mike Jones
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Torsten Lodderstedt
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Hannes Tschofenig
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Anthony Nadalin
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Bill Mills
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Mike Jones
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Mike Jones
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Torsten Lodderstedt
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Phil Hunt
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Mike Jones
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Phil Hunt
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Mike Jones
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Torsten Lodderstedt
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Brian Campbell
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… Brian Campbell
- Re: [OAUTH-WG] Working Group Last Call on Dynamic… John Bradley