IETF Logo Mail Archive

Re: [OAUTH-WG] [kitten] OAuth Discovery and what the relying partyneeds to know

John Bradley <ve7jtb@ve7jtb.com> Thu, 10 May 2012 16:25 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C2A721F86F7 for <oauth@ietfa.amsl.com>; Thu, 10 May 2012 09:25:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.539
X-Spam-Level:
X-Spam-Status: No, score=-3.539 tagged_above=-999 required=5 tests=[AWL=0.059, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mmDIn3gez3fK for <oauth@ietfa.amsl.com>; Thu, 10 May 2012 09:25:53 -0700 (PDT)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by ietfa.amsl.com (Postfix) with ESMTP id B345321F859B for <oauth@ietf.org>; Thu, 10 May 2012 09:25:52 -0700 (PDT)
Received: by yenq13 with SMTP id q13so2017784yen.31 for <oauth@ietf.org>; Thu, 10 May 2012 09:25:52 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer:x-gm-message-state; bh=TCEXhcsOJAyizsbEI3Jqzfp4DIQAtuet+cc0cJBwj5c=; b=Ysirit4nKmhzyMGgwZLAKgHBH2Wt08QB/ULxSobeC5+ZmJDZ6sOeyQy5FLcgXZwKmn cRl59OLQuP3lBioX7Fyj5vZT2B7RIYAlI8mJP1v8i4Hg/3ocjmEmkeqWKnHspxYaA5L8 aYYuWpf4LED4OJL9tlvSZYo+6pcy6ClZm3i1YOolbUC/DFTJ+gJLTUH8s+nazW8NQq/m p/9+o9jQo7rAHU9xAw9W5pbJHRUarBUC6sXt63yjhSYNf4j/5fJZhuO+P6YgKqrYsV3z OE93vCLc6AdqtaoOt4evcdWSe/Lfbv3I+eKbwT0kw3duYHjyiHqB11aI5dD+W375L/J9 WiEg==
Received: by 10.236.79.234 with SMTP id i70mr5882999yhe.88.1336667151993; Thu, 10 May 2012 09:25:51 -0700 (PDT)
Received: from [192.168.1.213] (190-20-35-188.baf.movistar.cl. [190.20.35.188]) by mx.google.com with ESMTPS id p29sm22743290yhl.19.2012.05.10.09.25.48 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 10 May 2012 09:25:50 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: multipart/signed; boundary="Apple-Mail=_941D81E7-8CC1-49DF-BEC8-6BDD4CE267BF"; protocol="application/pkcs7-signature"; micalg="sha1"
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <4FABDBA2.20908@mitre.org>
Date: Thu, 10 May 2012 12:25:42 -0400
Message-Id: <BC1CD864-E160-4E48-8059-08CBA5DB27B7@ve7jtb.com>
References: <40FC97F0-B72C-47F4-8206-590BA365997A@gmx.net> <5ECED997-49B8-4550-B79A-CF121FCD1AF9@ve7jtb.com> <9F541ABD-23C0-4592-BC8C-7B7E7CC620CB@gmx.net> <81091A66-03C3-4085-A840-BEC1BBF48161@ve7jtb.com> <A5BFAE4A-5FF2-4E0C-BE49-A04AA9AC9A98@cisco.com> <6E2A5AF6-F4D8-4FCA-A45F-7AE5032A82BE@ve7jtb.com> <4FABDBA2.20908@mitre.org>
To: Justin Richer <jricher@mitre.org>
X-Mailer: Apple Mail (2.1257)
X-Gm-Message-State: ALoCoQkueBEtDX2aJk/x6Xl5zxThc0iug1aWyeEZfqUFmuGaoiVKERA/8fbUX6UActE9xogQ4hnU
Cc: kitten@ietf.org, "Klaas Wierenga (kwiereng)" <kwiereng@cisco.com>, oauth@ietf.org
Subject: Re: [OAUTH-WG] [kitten] OAuth Discovery and what the relying partyneeds to know
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 May 2012 16:25:54 -0000

Allowing user based discovery is not mutually exclusive with things that provide browser based help for selecting a IdP.
Forcing a user to type a email address for twitter may also prove unnatural.  

More help for the user by their trusted user agent is probably the better way to go in the long term.  
In the short therm almost anything is better than users current practice of entering there email and password directly into random sites.  

It is reasonable in the IMAP case where the client already has the email to use that to start discovery for the Authorization server for that identifier.

John B.
On 2012-05-10, at 11:15 AM, Justin Richer wrote:

> It's important to remember that these identifiers need to be handled, seen, and remembered by people. Especially in the long-tail case (which is to say, IdPs who aren't big enough to get a log in button), users will need to enter a piece of text into a website to tell the website who they are. There's the longstanding usability issue of how users self-identify. We have taught people over the last 30 years or so that a format of "user@domain" represents a person. SMTP, XMPP, SIP, and other protocols have used this format successfully. OpenID made the mistake of trying to teach people that "http://domain/user"  could also stand for them, but people just don't think of themselves in terms of HTTP URLs. Webfinger came about to address this, and SWD adopted the same pattern. Account Chooser is a great UI for public, internet-facing websites, but it's far from universally applicable.
> 
> Whether it's good privacy practice or not, the natural pattern for people to log into a website is to type something that looks like an email address. Also note that while in many peoples' cases, the acct:user@domain will match their mailto:user@domain address, but that's not necessarily true universally. This adds flexibility for allowing a domain-style identifier to use the same discovery process as a user@domain-style identifier and privacy-conscious users can use the former.
> 
>  -- Justin
> 
> On 05/10/2012 10:58 AM, John Bradley wrote:
>> 
>> openID Connect dosen't require a user portion of the identifier to be discovered and supports a opaque or pseudonymous user_id.    
>> email is an optional attribute that can be returned by user consent.
>> 
>> OpenID 2.0 actively discouraged using email addresses for privacy reasons.  Teaching people to enter there email addresses into unknown sites was seen as a bad thing by many.
>> 
>> WF was started partially as an alternative discovery mechanism for openID to allow people to enter email addresses to discover there IdP, given a belief that users could only be asked to enter email and 
>> NASCAR UI was not scalable.
>> 
>> openID is attempting to separately address the NASCAR problem with it's Account Chooser project to allow the user to configure and control their selection of IdP without entering info directly into the RP.
>> 
>> For WF/SWD the decision is to enforce discovery by host only or support a user component so that a email or other service provider could allow per user choice.
>> 
>> I do happen to personally agree that teaching users to give up there email to random websites is not a good idea, however not allowing a user component in discovery won't stop RP from asking and removes otherwise useful functionality and choice fro the user.
>> 
>> John B.
>> 
>> On 2012-05-10, at 1:43 AM, Klaas Wierenga (kwiereng) wrote:
>> 
>>> Hmmm, I see your point but I think that from a privacy PoV revealing the username to the RP is not good practice, especially not prior to trust being established between RP and IdP. If the IdP wants to send the assertion in the authentication statement that is another matter. But you don't want rogue RPs harvesting user names. So instead i have assumed that the domain could be more specific if needed, i.e. for 99% of the cases example.com would suffice but for the corner cases I imagine using idp1.example.com and idp2.example.com. But I understand that in an oauth scenario that may be less pretty.
>>> 
>>> Klaas
>>> 
>>> Sent from my iPad
>>> 
>>> On 9 mei 2012, at 21:31, "John Bradley" <ve7jtb@ve7jtb.com> wrote:
>>> 
>>>> The lookup is based on the identifier provided by the user.  It can have a user portion in the format of a URI https://john@example.com , https://example.com/john or anything else where you can extract the domain.
>>>> 
>>>> The user portion is necessary to allow for per user IdP delegation.   Otherwise only one IdP per host could be supported.
>>>> 
>>>> John B.
>>>> 
>>>> 
>>>> On 2012-05-09, at 2:42 PM, Hannes Tschofenig wrote:
>>>> 
>>>>> Hi John, 
>>>>> 
>>>>> does the "identifier" contain of a domain part AND a username part or only the domain part? 
>>>>> That's the crucial question here. 
>>>>> 
>>>>> Ciao
>>>>> Hannes
>>>>> 
>>>>> On May 9, 2012, at 9:20 PM, John Bradley wrote:
>>>>> 
>>>>>> For openID Connect we are using the identifier to discover the AS.   We refer to that as an issuer,  and perform a second discovery step to get the configuration (Auth endpoint, token endpoint, user_info endpoint and other config) for that issuer.
>>>>>> 
>>>>>> SWD/WF may be used for other things by other protocols, but our use is quite simple.
>>>>>> 
>>>>>> I think that is probably the same thing for SASL,  but others may think differently.
>>>>>> 
>>>>>> John B.
>>>>>> 
>>>>>> 
>>>>>> On 2012-05-09, at 1:50 PM, Hannes Tschofenig wrote:
>>>>>> 
>>>>>>> Hi guys, 
>>>>>>> 
>>>>>>> at the last IIW we had a discussion about SASL-OAuth and what the SASL server needs to know for discovery. 
>>>>>>> The discovery discussions around WebFinger go in the same directions. 
>>>>>>> 
>>>>>>> So, I have been wondering whether we have made an informed decision about how the discovery procedure is actually supposed to look like. 
>>>>>>> 
>>>>>>> In my view, the relying party (the client) only needs to know who the identity provider (the AS/RS) is. 
>>>>>>> 
>>>>>>> Any other views? 
>>>>>>> 
>>>>>>> Ciao
>>>>>>> Hannes
>>>>>>> 
>>>>>>> PS: Please let me know if I should provide more background about the issue. 
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> _______________________________________________
>>>> Kitten mailing list
>>>> Kitten@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/kitten
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email