[OAUTH-WG] Re: Orie Steele's Discuss on draft-ietf-oauth-resource-metadata-10: (with DISCUSS and COMMENT)

Orie Steele <orie@transmute.industries> Wed, 02 October 2024 17:39 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 793ACC1840D3 for <oauth@ietfa.amsl.com>; Wed, 2 Oct 2024 10:39:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.585
X-Spam-Level:
X-Spam-Status: No, score=-1.585 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLACK=0.5, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vDiQlg2OXBPr for <oauth@ietfa.amsl.com>; Wed, 2 Oct 2024 10:39:08 -0700 (PDT)
Received: from mail-pg1-x529.google.com (mail-pg1-x529.google.com [IPv6:2607:f8b0:4864:20::529]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A6D6C14F6E1 for <oauth@ietf.org>; Wed, 2 Oct 2024 10:39:08 -0700 (PDT)
Received: by mail-pg1-x529.google.com with SMTP id 41be03b00d2f7-7db1f0e1641so142a12.1 for <oauth@ietf.org>; Wed, 02 Oct 2024 10:39:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1727890748; x=1728495548; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=IoHjqmC9usBPEQHmUje+ol8XGwes7WzrJB0W1xoBvoE=; b=bEfPiTgYcUruZEGlJU8OjSVCC1v7ElicgAcK7O/PVLeKIZin4n9W00fKrBb9HGRU93 Kh3sNzxFSJ1FgcfO6bnad0K5MXB80PwgL1+Mg1rGF4roNs+vJ/knQcjqCkwVTMglwFS2 87iWgL3UdtKvtBIBH2Ex6j2sxkRD3vz/HtLPqwFsXFUeBxWi6Z7j9Ll79uajT2G6kRO0 w7yzksOvu8jtEaqP71HECa2BaH2xvB+KaYktL7V7S2VyXFpNTN5GoPsUGAlCHQLpqwIM 4Lk6dIXY1MsNVKUKhogmFRrxseEEhF9A9rOHcmUeeYxu4p4mx7mKMf/zCsxpckQy05LM aWrw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1727890748; x=1728495548; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=IoHjqmC9usBPEQHmUje+ol8XGwes7WzrJB0W1xoBvoE=; b=Lz7Bx0E7W3RyBInLtOo/tK2LY+WObwX3iE330kMCfRbP5rgibvh/qEkaa/IGBufM+e Er6hRHy3pYhe2YAGhTM50QDeHxZhetWKF02tpDigT9OpfLfhAnaJUew0ARCsXjdnLP80 5jnRMvRfl+CSiYBQKOKBHgj+JlUaLhnmYr9adxJXVKBo4B1YodMdjqfgOyPTNYiPpCxM GWF8L0htl3FvJr8jqwt0wW/SoQwAuQBlPQqrYXxhHHPXxttDaC5DOKSV5BMNVDMNXkra TPtCKUTVL8OQ2DSi5zQQxLgGgyNCcwLYMcWDlTADYYy2wrZ8DGPHmJPeTfdRdt7jQo7W lM+Q==
X-Forwarded-Encrypted: i=1; AJvYcCUq1VFKDJmiVxK1b89ukggv1Zu6m+OkJNRa949jSLKhboWU+nVikLSZxnmhV2kpYoHROxQqwg==@ietf.org
X-Gm-Message-State: AOJu0YxW8XA0NqV8pRi4Z6BSU4NKpf7SD5Ij7rgBWwLZMfeq/fsv0muK 8z9k63vrxlfVoPO1NgDcHyx54XxVF2Y2LKk/NPFhMRMLkjr8l62vqrQmZBTCZrQJ0ywsYmd8Wqc BeH8HiRtQeOWnwDTWKQjYFmplryM+8OZsAzgNzQ==
X-Google-Smtp-Source: AGHT+IFctGfrkj3WzkdfurmXRFT8x8o0eU80OVMjhZqIlTCUGqZkgJhRpj+jcqjGiS8Q6hQinIFg7vlNDcEJUgeNdGQ=
X-Received: by 2002:a05:6a20:d808:b0:1d5:2f56:9fe5 with SMTP id adf61e73a8af0-1d5e2d9e257mr4632831637.39.1727890747500; Wed, 02 Oct 2024 10:39:07 -0700 (PDT)
MIME-Version: 1.0
References: <172780986106.795146.3754827883737941273@dt-datatracker-7bbd96684-zjf54> <PH0PR02MB7430C2C8DC6289BA1DAA520AB7772@PH0PR02MB7430.namprd02.prod.outlook.com> <PH0PR02MB7430B4D44B362D6EC95BE6B5B7702@PH0PR02MB7430.namprd02.prod.outlook.com>
In-Reply-To: <PH0PR02MB7430B4D44B362D6EC95BE6B5B7702@PH0PR02MB7430.namprd02.prod.outlook.com>
From: Orie Steele <orie@transmute.industries>
Date: Wed, 02 Oct 2024 12:38:56 -0500
Message-ID: <CAN8C-_+Sb0upN1Qq0mKWeAeLj0tiJuqMcnVA10h83RyLquxZYA@mail.gmail.com>
To: Michael Jones <michael_b_jones@hotmail.com>
Content-Type: multipart/alternative; boundary="000000000000374be9062381eaf0"
Message-ID-Hash: PHM4NXSKRW4E2ZIOYO4RJSDKFKIMDBAW
X-Message-ID-Hash: PHM4NXSKRW4E2ZIOYO4RJSDKFKIMDBAW
X-MailFrom: orie@transmute.industries
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: The IESG <iesg@ietf.org>, "draft-ietf-oauth-resource-metadata@ietf.org" <draft-ietf-oauth-resource-metadata@ietf.org>, "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc5
Precedence: list
Subject: [OAUTH-WG] Re: Orie Steele's Discuss on draft-ietf-oauth-resource-metadata-10: (with DISCUSS and COMMENT)
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/tefbv3nclCwigmhvx2yJ877nU-Q>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Hi Mike,

Your PR looks good to me.

My objection is limited to defining http based resource identifiers as
"URIs" that do not contain query, because this contradicts the common
interpretation of http resource identifiers which includes:

   The query component contains non-hierarchical data that, along with
   data in the path component (Section 3.3),
*serves to identify a   resource* within the scope of the URI's scheme and
naming authority
   (if any).

https://datatracker.ietf.org/doc/html/rfc3986#section-3.4

I don't believe you need to describe in any detail how query parameters
interact with well known URIs.

That is already covered in
https://datatracker.ietf.org/doc/html/rfc8615#section-3

See webfinger for an example of an RFC that supports well known URIs that
contain queries:

https://www.rfc-editor.org/rfc/rfc7033.html#section-3.1

I suppose this represents another interesting edge case, how do you handle
a https resource identifier which is already a well known URI, such as
webfinger?

I assume:

   GET /.well-known/webfinger?
            resource=acct%3Acarol%40example.com&
            rel=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer
            HTTP/1.1
     Host: example.com

Becomes:

    GET /.well-known/oauth-protected-resource/.well-known/webfinger?
            resource=acct%3Acarol%40example.com&
            rel=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer
            HTTP/1.1
     Host: example.com

Thanks for addressing my comments.

Regards,

OS

On Tue, Oct 1, 2024 at 11:15 PM Michael Jones <michael_b_jones@hotmail.com>
wrote:

> Hi Orie,
>
> Per our discussion, I've created
> https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata/pull/59,
> which is intended to satisfy your DISCUSS by allowing resource identifiers
> to contain query parameters.  It also applies the other changes that I
> agreed to below.
>
> My apologies that the PR is also somewhat littered with language changes
> to consistently use the term "metadata parameter" instead of other terms
> that were sometimes used for the same thing.
>
> Please let me know if you'd like any changes before it's merged.
>
>                                 Thanks again,
>                                 -- Mike
>
> -----Original Message-----
> From: Michael Jones
> Sent: Tuesday, October 1, 2024 3:49 PM
> To: Orie Steele <orie@transmute.industries>; The IESG <iesg@ietf.org>
> Cc: draft-ietf-oauth-resource-metadata@ietf.org; oauth-chairs@ietf.org;
> oauth@ietf.org; rifaat.s.ietf@gmail.com
> Subject: RE: Orie Steele's Discuss on
> draft-ietf-oauth-resource-metadata-10: (with DISCUSS and COMMENT)
>
> Hi Orie,
>
> Thanks for your review.  My replies are inline below, prefixed by "Mike>".
>
> -----Original Message-----
> From: Orie Steele via Datatracker <noreply@ietf.org>
> Sent: Tuesday, October 1, 2024 12:11 PM
> To: The IESG <iesg@ietf.org>
> Cc: draft-ietf-oauth-resource-metadata@ietf.org; oauth-chairs@ietf.org;
> oauth@ietf.org; rifaat.s.ietf@gmail.com; rifaat.s.ietf@gmail.com
> Subject: Orie Steele's Discuss on draft-ietf-oauth-resource-metadata-10:
> (with DISCUSS and COMMENT)
>
> Orie Steele has entered the following ballot position for
> draft-ietf-oauth-resource-metadata-10: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
> Please refer to
> https://datatracker.ietf.org/doc/statement-iesg-handling-ballot-positions-20220121/
> for more information about how to handle DISCUSS and COMMENT positions.
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-resource-metadata/
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> ## Discuss
>
> ### Forbidden Query & Fragment
>
> ```
> 175           The Protected resource's resource identifier, which is a URL
> that
> 176           uses the https scheme and has no query or fragment
> components.
> ```
>
> I can understand the decision to keep fragment off, per:
>
> https://url.spec.whatwg.org/#url-equivalence
>
> But I don't understand why query is forbidden, especially considering:
>
> https://datatracker.ietf.org/doc/html/rfc3986#section-3.4
>
> I would expect query to be allowed, and for some comment about canonical
> URI encoding based on query ordering to be made.
>
> I assume query is omitted to make processing rules described in Section 3
> simpler... This also restricts the set of existing resources which this
> specification could apply to... and implies that resource identifiers that
> are URLs do not contain queries.
>
> It seems like a specification should be able to describe transformation
> rules that use query or hostname rewriting, even if the current spec sees
> no need to use query or hostname structures, why should other
> specifications be forbidden from doing so?
>
> For an example:
>
> https://example.com/oauth-protected-resource
> https://example.com/.well-known/oauth-protected-resource
>
> vs
>
> https://oauth-protected.example.com/.well-known/fancy-index?key=value
> https://example.com/.well-known/oauth-protected?key=value...
>
> I searched github and the mailing list to see if there was discussion
> regarding this, please point it out if I somehow missed it.
>
> Mike> I know of no examples of .well-known URIs being combined with query
> parameters in practice.  That seems like a theoretical possibility that's
> best avoided for complexity reasons in the real world.  The same
> restriction in the sister specification RFC 8414 has stood up well in
> practice.  https://www.rfc-editor.org/rfc/rfc8414.html#section-2
> prohibits query parameters in issuer identifier.  I'm reluctant to diverge
> from this OAuth identifier precedent without a compelling reason to do so.
>
> Mike> For completeness, yes,
> https://www.rfc-editor.org/rfc/rfc8615#section-3 does say that
> "Registrations MAY also contain additional information, such as the syntax
> of additional path components, query strings, and/or fragment identifiers
> to be appended to the well-known URI, or protocol- specific details".
> However, the general treatment of query parameters with .well-known URIs
> you're asking about wouldn't result in a registration defining the syntax
> of specific query strings.  Rather, it would require a .well-known
> registration allowing *any* query parameters, which seems beyond the scope
> for what was intended in RFC 8615.
>
> Mike> For these reasons, I'd ask that you please withdraw your DISCUSS on
> this basis.
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> # Orie Steele, ART AD, comments for draft-ietf-oauth-resource-metadata-10
> CC @OR13
>
> * line numbers:
>   -
>
> https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-10.txt&submitcheck=True
>
> * comment syntax:
>   - https://github.com/mnot/ietf-comments/blob/main/format.md
>
> * "Handling Ballot Positions":
>   -
> https://ietf.org/about/groups/iesg/statements/handling-ballot-positions/
>
> ## Comments
>
> Thanks to Arnt Gulbrandsen for the ART ART review.
>
> ### JSON Serialization Forbidden?
>
> ```
> 158        Compact Serialization or the JWE Compact Serialization; the JWS
> JSON
> 159        Serialization and the JWE JSON Serialization are not used.
> ```
>
> This is descriptive, but I wonder if there is an intention to enable
> better interoperability by explicitly forbidding JSON Serialization.
>
> Mike> This is the same language as in
> https://www.rfc-editor.org/rfc/rfc8414.html#section-1.1.  Yes, the intent
> is to facilitate interoperability by making choices.  Let us know if you'd
> like us to say that explicitly, going beyond the parallel RFC 8414 language.
>
> ### signed_metadata in JWT claims
>
> ```
> 346           JWT.  A signed_metadata metadata value SHOULD NOT appear as a
> 347           claim in the JWT.
> ```
>
> When this should is ignored what happens? Raise and error or ignore?
>
> Mike> Roman raised the same question.  Text is added in
> https://github.com/oauth-wg/draft-ietf-oauth-resource-metadata/pull/58 to
> answer it.  The addition recommends rejecting the metadata when this occurs.
>
> ### media type of response
>
> ```
> 425        configuration.  A successful response MUST use the 200 OK HTTP
> status
> 426        code and return a JSON object using the application/json
> content type
> 427        that contains a set of claims as its members that are a subset
> of the
> 428        metadata values defined in Section 2.  Other claims MAY also be
> 429        returned.
> ```
>
> Based on the last sentence, it seems like the metadata resource is
> intended to be extended, should it be possible to negotiate its extended
> representations?
>
> Mike> This is the standard OAuth extensibility mechanism that has stood
> the test of time by enabling non-breaking extensibility.  The pattern is
> that additional parameter values MAY be used and MUST be ignored if not
> understood.  That means that when a new extension is deployed by one party
> it doesn't break deployments of other parties that it interacts with that
> don't understand the extension.  It's just ignored.
>
> Mike> Imagine the opposite behavior where not-understood parameters cause
> an error.  That would mean that any extension using a new parameter would
> break deployments.  That means no OpenID Connect, FAPI, PKCE, or RAR on top
> of OAuth.  Allowing non-breaking extensions is essential.
>
> Mike> https://www.rfc-editor.org/rfc/rfc8414.html#section-3.2 also uses
> exactly the same language.  That said, I'd be glad to expand the exposition
> to say that not-understood metadata parameters MUST be ignored.
>
> Why restrict the media type to "application/json" ?
>
> Mike> This is the same media type as used for other OAuth metadata data
> structures, for instance, it is used in
> https://www.rfc-editor.org/rfc/rfc8414.html#section-3.2 and
> https://www.rfc-editor.org/rfc/rfc7591.html#section-3.2.  It makes sense
> to do the same here.
>
> ### Identical URIs
>
> ```
> 460        metadata.  If these values are not identical, the data
> contained in
> 461        the response MUST NOT be used.
> ```
>
> Consider being more precise regarding what "identical" means here, see the
> URL equivalence section of WHATWG URL spec for example:
>
> https://url.spec.whatwg.org/#url-equivalence
>
> I also wonder if URL patterns are useful here...
>
> https://urlpattern.spec.whatwg.org/
>
> You might also consider calling out Section 6 here.
>
> Mike> This is the same language as used in
> https://www.rfc-editor.org/rfc/rfc8414.html#section-3.3.  I'm truly
> reluctant to introduce the notion of requiring URL canonicalization, as is
> implied by https://url.spec.whatwg.org/#url-equivalence.  No harm is done
> when rejecting values that are not byte-for-byte equivalent.  To me, the
> existing OAuth language is already sufficient.
>
> ## Nits
>
> ### Missing owner?
>
> ```
> 627        At any point, for any reason determined by the protected
> resource,
> 628        the protected resource MAY respond with a new WWW-Authenticate
> ```
>
> Mike> Actually, I think it would be better to change "protected resource"
> to "resource server" rather than "protected resource owner".  The resource
> owner is unlikely to be involved.
>
> Thanks for your useful review!
>
>                                 -- Mike
>
>

-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>