Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resource-indicators-02
Brian Campbell <bcampbell@pingidentity.com> Wed, 17 July 2019 22:31 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67F031205D2 for <oauth@ietfa.amsl.com>; Wed, 17 Jul 2019 15:31:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4pblOYSfA-wR for <oauth@ietfa.amsl.com>; Wed, 17 Jul 2019 15:31:29 -0700 (PDT)
Received: from mail-qt1-x82b.google.com (mail-qt1-x82b.google.com [IPv6:2607:f8b0:4864:20::82b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E78DB1205CC for <oauth@ietf.org>; Wed, 17 Jul 2019 15:31:28 -0700 (PDT)
Received: by mail-qt1-x82b.google.com with SMTP id d17so25062476qtj.8 for <oauth@ietf.org>; Wed, 17 Jul 2019 15:31:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ey0ZaUWLgh3/5HgKpf3yYykW6mhRteiI9byKTPxKc3M=; b=LF138w2lwQB+vpxDq2YxUshtEGAW6Ukm3YCb+d7dG/tmUC7FvKgVdlm810HBGClcqH f2yi3wqti+F7Xfz5wuYQB1FzfFOJ2cPe4XqcgMRYOmAhLhsQA8GMj9m9fAJJ0JDKRbfJ 8Y9fjUfIkfb/agbji7DtKKO7jJyQzZqjs9+QI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ey0ZaUWLgh3/5HgKpf3yYykW6mhRteiI9byKTPxKc3M=; b=SPTUz+TI2VUDhjVL14eS2I4W+dAJGgKt9pKjHT5BwYYYRdpLofPazq7hfZsXnkllVW /qKd6nLConK0zHfM2cyvDAKvkV710yqh/M0wdk/31+8LIkvk0UqGMQMsL1ef1Is5ZVtr y2wMJ8vZKEzKw4jyYbK0MTd9UYe1nESyfNgrNdGEuSrQkVG2xwRvgK8gJfJwPoCsQMZM 3KLyLyzdqFKIwir/TWIJJeUk3LAnwM6neL4XIzfPI25Oqh8hM6j1JuI8FMi9ZBunNPg0 L44cvHrQM7ggbyo5pVBzyA2Py//ma5SHD/0kHXnHWys6a4UC5ApstIZF1Zzv4Su3gclr 58Ow==
X-Gm-Message-State: APjAAAXDSNvbsU7CQ7LgB7w/WkaS4iC4GJxDCURSUE4bYCheedZ6oHix vyplo0y3y3wwgFCcgNfLGwvVOTxMk8GAjdreNJFGPanylta4PX6XUXhFB/PacTkG8NlnuOEqRae XLFTa7yexPWbxgA==
X-Google-Smtp-Source: APXvYqzt0zs45/p7PlKDgt1BzsDHUbrGJ95TUJGN39uC/UrI3epddfNMdr7UwDarwiUElsOkT9w8dher5d2Z0CAaN2o=
X-Received: by 2002:ac8:c0e:: with SMTP id k14mr29404995qti.72.1563402687881; Wed, 17 Jul 2019 15:31:27 -0700 (PDT)
MIME-Version: 1.0
References: <359EC4B99E040048A7131E0F4E113AFC01B33D6046@marchand> <359EC4B99E040048A7131E0F4E113AFC01B33D76EF@marchand>
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFC01B33D76EF@marchand>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 17 Jul 2019 16:31:01 -0600
Message-ID: <CA+k3eCTKX8R9k3bZ5YO_aJ5F9-s-bS+Ov+LYs2yM0itgqNdf2g@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000da3fbf058de80d22"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/srmbnE6gE3DtvMeAl1eq7J0Hvww>
Subject: Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resource-indicators-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2019 22:31:37 -0000
Yeah, as you surmised, there is some history behind this. Basically draft-ietf-oauth-token-exchange predates draft-ietf-oauth-resource-indicators by a good long time (years) and with the hope and expectation that draft-ietf-oauth-token-exchange would move to RFC, I've avoided having a reference in it to a draft much earlier along in the whole process. draft-ietf-oauth-resource-indicators has a bit of an odd history too in that an initial call for adoption around the Buenos Aires meeting kinda fizzled out and it was left for dead until being unexpected resurrected around Montreal last year due to renewed interest and other factors I'm still not sure I understand. You are correct that draft-ietf-oauth-token-exchange defines "resource" for token exchange. However the registry itself doesn't have that level of granularity. It has authorization request, authorization response, token request, and token response as the possible locations for parameter usage. A token exchange request is a particular kind of token request so draft-ietf-oauth-token-exchange registers "resource" for the token request location. The IANA section was written before draft-ietf-oauth-resource-indicators even existed. And leaving the registration in draft-ietf-oauth-token-exchange seemed like the right thing to do to even after draft-ietf-oauth-resource-indicators came along. But I'm not sure, to be honest. Also FWIW a temporary registration entry for it is already in https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#parameters draft-ietf-oauth-resource-indicators defines "resource" for use at the authorization endpoint (which token exchange does not) so that's the impetus behind having the registration request there include authorization request in the location. draft-ietf-oauth-resource-indicators also has "resource" for use at the token endpoint using the same semantics as in draft-ietf-oauth-token-exchange but in a way that is applicable to all types of token requests to the the token endpoint and not only token exchange requests. That's where the idea of updating the registry came from - it's not a name collision and it's not a different definition - it's just a more generalized usage. I hope this makes some sense and hasn't muddied the waters more. On Wed, Jul 17, 2019 at 3:13 PM Roman Danyliw <rdd@cert.org> wrote: > Hi! > > I forgot one more thing about this draft after re-reading > draft-ietf-oauth-token-exchange. > > Per the IANA action in Section 4.1, I need help understanding on the > thinking to resolve this TODO: > > o Parameter usage location: authorization request, token request > [[TODO: draft-ietf-oauth-token-exchange will have already > registered this for 'token request' and this draft has a more > generalized usage and needs to somehow either update that > registration or do a partial registration and reference]] > o Change controller: IESG > o Specification document(s): [[ this specification ]] > > My read of draft-ietf-oauth-token-exchange it that it defines 'resource' > for 'token exchange'. This draft (draft-ietf-oauth-resource-indicators) > has guidance on 'resource' for 'authorization request' but also additional > guidance for 'token request'. Is the token guidance request stated here > applicable to draft-ietf-oauth-token-exchange too (i.e., is the text > effectively saying oauth-resource-indicators updates oauth-token-exhange)? > I ask because these drafts don't reference each other. > > Correct me because there is likely a history, but it seems the TODO is > that there is a dependency to resolve and a need to coming up with a way to > signal in the registry which draft should be read for what usage location. > Could draft-ietf-oauth-resource-indicators officially register 'resource'; > and instead of draft-ietf-oauth-token-exchange including the text defining > 'resource' in Section 2.1, it would make a normative reference to Section 2 > of draft-ietf-oauth-resource-indicators? > > Roman > > > -----Original Message----- > > From: Roman Danyliw > > Sent: Tuesday, July 16, 2019 7:23 PM > > To: oauth@ietf.org > > Subject: AD Review: draft-ietf-oauth-resource-indicators-02 > > > > Hi! > > > > The following is my AD review of draft-ietf-oauth-resource-indicators-02. > > The document is in good shape. > > > > (1) Section 2. Per "The parameter can carry the location of a protected > > resource, typically as an https URL, or a more abstract identifier", is > this > > "abstract identifier" still an absolute URI per Section 4.3 of RFC3986? > > > > (2) Section 2.2. in the sentence "To the extent possible, when issuing > access > > tokens, the authorization server should adapt the scope value associated > > with an access token to the value the respective resource is able to > process > > and needs to know": > > > > -- is this language suggesting that the authorization server is > modifying the > > scope value based on the resource it sees? I'm trying to understand what > > "adapt" means, especially in relation to the improved security and > privacy the > > subsequent sentence suggests. > > > > -- (Depending on the above) Is there a security consideration here for > the > > server relative to confidential scope values and how they might be > modified? > > > > (3) Editorial > > ** Section 1 and 2.1. Multiple Typo. s/the the/the/g > > > > ** Section 2. Editorial. s/resource at which/resource to which/ > > > > ** Section 2. Editorial. > > s/ And can also be used to inform the client that it has requested an > invalid > > combination of resource and scope./ It can also be used to inform the > client > > that it has requested an invalid combination of resource and scope./ > > > > ** Section 2.1. Multiple Typo. s/an an/an/g > > > > ** Section 2.2. Editorial. s/token request and response/token request > > (Figure 3) and response (Figure 4)/ > > > > ** Section 3. Typo. s/a invalid/an invalid/ > > > > ** Section 3. Missing words. "A bearer token that has multiple intended > > recipients (audiences) can be used by any one of those recipients at any > > other." Is it protected resource? > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] AD Review: draft-ietf-oauth-resource-i… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Brian Campbell
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Brian Campbell
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Brian Campbell
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Brian Campbell
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Brian Campbell
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Brian Campbell
- Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resour… Roman Danyliw