Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-introspection-03.txt
Justin Richer <jricher@mit.edu> Sat, 20 December 2014 00:50 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C1681A802F for <oauth@ietfa.amsl.com>; Fri, 19 Dec 2014 16:50:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zL_twdU_cq3z for <oauth@ietfa.amsl.com>; Fri, 19 Dec 2014 16:50:30 -0800 (PST)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E2081A8032 for <oauth@ietf.org>; Fri, 19 Dec 2014 16:50:30 -0800 (PST)
X-AuditID: 1209190c-f79e46d000000eb2-a8-5494c7d408b2
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-1.mit.edu (Symantec Messaging Gateway) with SMTP id 0E.CE.03762.4D7C4945; Fri, 19 Dec 2014 19:50:28 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id sBK0oS7Q032035; Fri, 19 Dec 2014 19:50:28 -0500
Received: from artemisia.richer.local (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id sBK0oQQU001190 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 19 Dec 2014 19:50:27 -0500
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <5494B0FE.4010900@gmail.com>
Date: Fri, 19 Dec 2014 19:50:25 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <AD6A5BF3-0332-4D68-AFBC-8B345D6AC838@mit.edu>
References: <20141207033213.26273.31418.idtracker@ietfa.amsl.com> <1416B7A5-2CCE-4E6F-B9CB-56C606076DD3@mit.edu> <32999E7E-459F-44C1-916C-67318C3968F8@mit.edu> <54871C72.60006@gmail.com> <5494B0FE.4010900@gmail.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>
X-Mailer: Apple Mail (2.1993)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrGIsWRmVeSWpSXmKPExsUixG6nrnvl+JQQg7mPLC1Ovn3FZvFvqb0D k8fOWXfZPZYs+ckUwBTFZZOSmpNZllqkb5fAldHS/46toEGnYvefm0wNjA+Vuxg5OSQETCSe 7/jFBGGLSVy4t56ti5GLQ0hgMZPExIZDUM5GRomeKZ+YIZyHTBLLT7awg7QwC+hJ7Lj+i7WL kYODF8i+2qkFEhYW8JRoWfeSGcRmE1CVmL6mhQmkhFNAU+LkHnmQMAtQeO6SJ2wQU4QkPlxq YoGwtSWWLXwN1sorYCXx9/hcqLXXGSU+XHvKCpIQASq6+PoWO8TVshL/Lp5hn8AoOAvJRbMQ LpqFZOwCRuZVjLIpuVW6uYmZOcWpybrFyYl5ealFuoZ6uZkleqkppZsYQcHLKcmzg/HNQaVD jAIcjEo8vAUdU0KEWBPLiitzDzFKcjApifL+2AsU4kvKT6nMSCzOiC8qzUktPsQowcGsJMLb sR0ox5uSWFmVWpQPk5LmYFES5930gy9ESCA9sSQ1OzW1ILUIJivDwaEkwXv4GFCjYFFqempF WmZOCUKaiYMTZDgP0PCLIDW8xQWJucWZ6RD5U4yKUuK8vSAJAZBERmkeXC8subxiFAd6RZh3 G0gVDzAxwXW/AhrMBDSY891kkMEliQgpqQbGYFep5W0bG+Tzghz9dzfvMN8sE3fYZX7Y5by0 LY121w/HW9X5vp3ZkxmwcE7Xr7lfTnqLH7+ub9o0PUau7NvJ18yVG0J2XV2YJMrzIu8WMFHG 3wpYtL3s8LXc6dcUmz8nvUp/ddPtTOOqb9ac5nICoh53ZYr55urfazhtZBzK9OdB0rsfVTuU WIozEg21mIuKEwH/RWqgCQMAAA==
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/tqCgCYRzVWUfJlZYLFeAD7o2pvo
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-introspection-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Dec 2014 00:50:34 -0000
There’s a whole host of client information that “might” be helpful to an RS, but I don’t think it would be helpful for us to try to determine all of that information since, as far as I know, there is no implementation today that is passing that kind of information over. Especially consider that whether the client is public or not has no bearing over how the token is presented to the RS. If in the future someone wants to standardize that kind of information as an extension to introspection, the data model used in Dynamic Registration could be referenced for this purpose. But something like that very much belongs in an extension after there are at least a couple implementations of it. — Justin > On Dec 19, 2014, at 6:13 PM, Sergey Beryozkin <sberyozkin@gmail.com> wrote: > > Hi Justin > > returning a client public/confidential status may be useful in case RS chooses to allow for a more restricted access to public clients in cases where both public & private clients are accepted > > Thanks, Sergey > On 09/12/14 15:59, Sergey Beryozkin wrote: >> Hi Justin >> >> IMHO the section 2.1 [1] requires more work. >> >> First, "resource_id". Having such a parameter does not add anything to >> the interoperability side of the spec. It is a "server specific >> string..." which may be anything and as such a 3rd party AS is unlikely >> to do any work around this parameter unless both RS and AS are from the >> same provider. >> IMHO it either has to be dropped, the text "The endpoint MAY allow other >> parameters to provide further context to the query" covers whatever else >> that server may want to add or attach some more specific meaning to it. >> Besides that, the MUST authentication requirement covers properly a >> possible RS identification requirement. >> I'd rather have a "resource_id" representing an RS base address or >> better, a current request URI, which in combination with an optional >> client_ip can help AS to make a more specific introspection action. >> >> I also suggested to promote a parameter like "client_ip". Just referring >> to a possibility of RS reporting a client IP adress does not help >> improving the interoperability either with respect to RS and AS offered >> by different providers working with a client IP property >> >> Thanks, Sergey >> >> >> >> [1] >> http://tools.ietf.org/html/draft-ietf-oauth-introspection-03#section-2.1 >> >> >> >> On 07/12/14 03:38, Justin Richer wrote: >>> … and I just noticed hanging text at the top of section 2.2 due to the >>> JWT claims edit. My working copy has removed the extraneous text >>> “Several of these”. >>> >>> Also, as always, latest XML is up on GitHub: >>> >>> https://github.com/jricher/oauth-spec >>> >>> — Justin >>> On Dec 6, 2014, at 10:34 PM, Justin Richer <jricher@mit.edu> wrote: >>> >>>> Small update to introspection, now the returned values reference the >>>> JWT claims specifically (as requested). Also updated the HTTP and >>>> HTML references. >>>> >>>> No normative changes. >>>> >>>> — Justin >>>> >>>> On Dec 6, 2014, at 10:32 PM, internet-drafts@ietf.org wrote: >>>> >>>>> >>>>> A New Internet-Draft is available from the on-line Internet-Drafts >>>>> directories. >>>>> This draft is a work item of the Web Authorization Protocol Working >>>>> Group of the IETF. >>>>> >>>>> Title : OAuth 2.0 Token Introspection >>>>> Author : Justin Richer >>>>> Filename : draft-ietf-oauth-introspection-03.txt >>>>> Pages : 12 >>>>> Date : 2014-12-06 >>>>> >>>>> Abstract: >>>>> This specification defines a method for a protected resource to query >>>>> an OAuth 2.0 authorization server to determine the active state of an >>>>> OAuth 2.0 token and to determine meta-information about this token. >>>>> OAuth 2.0 deployments can use this method to convey information about >>>>> the authorization context of the token from the authorization server >>>>> to the protected resource. >>>>> >>>>> >>>>> >>>>> The IETF datatracker status page for this draft is: >>>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-introspection/ >>>>> >>>>> There's also a htmlized version available at: >>>>> http://tools.ietf.org/html/draft-ietf-oauth-introspection-03 >>>>> >>>>> A diff from the previous version is available at: >>>>> http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-introspection-03 >>>>> >>>>> >>>>> Please note that it may take a couple of minutes from the time of >>>>> submission >>>>> until the htmlized version and diff are available at tools.ietf.org. >>>>> >>>>> Internet-Drafts are also available by anonymous FTP at: >>>>> ftp://ftp.ietf.org/internet-drafts/ >>>>> >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] I-D Action: draft-ietf-oauth-introspec… internet-drafts
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-intro… Justin Richer
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-intro… Justin Richer
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-intro… Sergey Beryozkin
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-intro… Sergey Beryozkin
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-intro… Justin Richer