[OAUTH-WG] Re: OAuth Client ID Metadata Document
Aaron Parecki <aaron@parecki.com> Mon, 08 July 2024 16:06 UTC
Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37268C23C60C for <oauth@ietfa.amsl.com>; Mon, 8 Jul 2024 09:06:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id InxozVywW0go for <oauth@ietfa.amsl.com>; Mon, 8 Jul 2024 09:06:26 -0700 (PDT)
Received: from mail-ot1-x335.google.com (mail-ot1-x335.google.com [IPv6:2607:f8b0:4864:20::335]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2ECC0C06C3DD for <oauth@ietf.org>; Mon, 8 Jul 2024 09:06:26 -0700 (PDT)
Received: by mail-ot1-x335.google.com with SMTP id 46e09a7af769-7036e383089so592114a34.2 for <oauth@ietf.org>; Mon, 08 Jul 2024 09:06:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki.com; s=google; t=1720454784; x=1721059584; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=oKjVqYZOruhogRGsgLt74tqLuNm0fM3T6IcBohZON8I=; b=BgLGAj/BpiwS5C46TIb21mrGgziJvFXXiE77q16+lNCOOGIONVi4QaOxXFGkoI6jbm pExiSmHoRA0d6a0SGXcUYeBjBBdfwvWe4KbMOqLmAArh9bkJnZTx/vYJdJzgiH7T7MUu 0DZ8qRq90Zl5X3gtb/sRtda3aEsrIlQYpDmALopn0CJc1G2Xmh5PO/L7R5Tj7smvnEIq aLhQFP5Gp4UHOMWWK3l4Ezm4VBRltI1MDpLvRi5wvONsfwWu3+PHxpzVOwwFKquUcdjF PDEqL+djr2eZZHo2K5G3iOZIr94YX+0kH889cc3K3C4fH6/CinKeeHfEULw14Rd0pi3t yFKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720454784; x=1721059584; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=oKjVqYZOruhogRGsgLt74tqLuNm0fM3T6IcBohZON8I=; b=YLt8Ai8DCg2k0KZsR2oDS/SCH7TlCkjrtsWwDjGd25Z3F3HE2PXipM92UQNEYohGw2 rV/u0Ly5jc1xpdt7kQ7KA6cscprZoMOCZzn1Qhh2iqDNpDmp5dDgpQ/ws/ToGh5WPbpB o3ZqqiZQ2nQdJGGW+jn+Iaf42Y8+23p4Cxzh+vjBl+3psROuVHHBEnR1FbMLPjF2g0WN It8fEG85dkJlCFcmnTAMaJEtAGtx62DiSk6bIVoLjo5gK0Bd8EqcuxUNE/EPGkp75ZC5 2lIJByNHpr7rWjVzRgmwCdrA8psstpukkEtso4sgqf1fe3RtrBsKkwc+l9ogzu466vLX BN9w==
X-Forwarded-Encrypted: i=1; AJvYcCX7iwBLgWRbkF5cArTPG6NO2Zxsax/F2DPnJ7RdAVb4Zqk1Jv8Cvc1JMLXSag30Jsmc1XFvgO2SQNaduU83tA==
X-Gm-Message-State: AOJu0YzLLOSLAMkLLHeOVfSz2lU0HtzEo2O6ftld24YzCRydGC/Q0M5i IQ/zyOtIe7gTSEqRLkiWN3dDnKRClCNPrTONaYNUPVmXju9jwgQjBz2Rick/AZ43nqi3e15znpM =
X-Google-Smtp-Source: AGHT+IHqDz1xHlbHlCmmPAw9PXsGE7rlCO5yzk2fsL9zofIDMf3ICu7tAI2FjkQwx25YmWnmtjDAEA==
X-Received: by 2002:a05:6871:24ca:b0:254:c16b:10ad with SMTP id 586e51a60fabf-25e2b8a1204mr9885707fac.9.1720454784020; Mon, 08 Jul 2024 09:06:24 -0700 (PDT)
Received: from mail-oa1-f43.google.com (mail-oa1-f43.google.com. [209.85.160.43]) by smtp.gmail.com with ESMTPSA id 586e51a60fabf-25eaa225967sm48326fac.43.2024.07.08.09.06.23 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 08 Jul 2024 09:06:23 -0700 (PDT)
Received: by mail-oa1-f43.google.com with SMTP id 586e51a60fabf-25e3d8db819so1840416fac.0 for <oauth@ietf.org>; Mon, 08 Jul 2024 09:06:23 -0700 (PDT)
X-Forwarded-Encrypted: i=1; AJvYcCUKaf1jww6C6peqHse/ZxSX4RwOg6gtkq4Dx45tRqpfcpoER3mDpqKSnKbtAu0mzOD4HK1uaIFyr6YJd0JzyQ==
X-Received: by 2002:a05:6870:d8c8:b0:24f:c7cf:17fb with SMTP id 586e51a60fabf-25e2ba0c6b2mr10549210fac.22.1720454783220; Mon, 08 Jul 2024 09:06:23 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-uNbO-fJA9XObCQm5+HWiLVxbKVPbL77fVfDSOHqOJfCQ@mail.gmail.com>
In-Reply-To: <CAD9ie-uNbO-fJA9XObCQm5+HWiLVxbKVPbL77fVfDSOHqOJfCQ@mail.gmail.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Mon, 08 Jul 2024 09:06:11 -0700
X-Gmail-Original-Message-ID: <CAGBSGjrU03__4Wt+PiDuR5Z=b5y7GnBwzOiibE1v_Y11NV+Fpg@mail.gmail.com>
Message-ID: <CAGBSGjrU03__4Wt+PiDuR5Z=b5y7GnBwzOiibE1v_Y11NV+Fpg@mail.gmail.com>
To: Dick.Hardt@gmail.com
Content-Type: multipart/alternative; boundary="00000000000034c875061cbe98eb"
Message-ID-Hash: 56DJJLXERNYQCZ6WGIPI3AHYCJRMFKMR
X-Message-ID-Hash: 56DJJLXERNYQCZ6WGIPI3AHYCJRMFKMR
X-MailFrom: aaron@parecki.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: emelia@brandedcode.com, oauth@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: OAuth Client ID Metadata Document
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/u18cYwoRpt6Gca4upp06WC9hGQ0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
Thanks Dick, I hadn't gotten to post this to the list yet, but thanks for kicking off the discussion! FYI there are already a few live implementations of this, and some additional in-progress implementations. There is also some overlap between this and an application of FedCM, which is where some of the initial implementation work has begun. I'll share more details on this and the FedCM work at IETF 120. > 1. If an AS supports both registered, and unregistered clients, is there any guidance or requirements on differentiating between them such as NOT issuing other identifiers that start with 'https"? This is probably a good call-out. I am unsure about how many AS's would actually support both types of clients in practice though. > 2. From a security perspective, I worry about the redirect URIs being any arbitrary URL -- perhaps that they need to start with the client_id? Is localhost supported as a redirect URI. There will likely be some special handling for localhost client IDs and redirect URIs, particularly for development clients. There is some discussion about this happening on GitHub here: https://github.com/aaronpk/draft-parecki-oauth-client-id-metadata-document/issues/12 For the non-development use cases, I think we should further discuss whether the limitation of the redirect URI starting with the client ID is helpful or not. Another set of use cases is native apps using custom URI schemes or even app-claimed HTTPS URLs which might have some more edge cases to consider. > 3. A number of the parameters in dynamic client registration are a negotiation between the client and the AS. Correct, this is not a negotiation anymore, this is a statement from the client about its properties, which the AS can either accept or reject during an authorization. > 4. Along those lines, why are you pointing at 7591 rather than the list in IANA? Good call, we should update this to point to the IANA registry. > 5. Along those lines, it may be useful to recommend which of those properties are useful and why. ... The one bit of client_id_metadata_document_supported will unlikely not be enough to have a successful flow unless there is a MTI. I think it would be a good exercise to see if there is a MTI subset for interoperability. I'll track this on GitHub for further discussion: https://github.com/aaronpk/draft-parecki-oauth-client-id-metadata-document/issues/15 > 6. Did you consider signing the metadata as a JWT as being one of the content types that could be returned? It occurred to me, but I am not sure how valuable that actually is. The metadata is fetched over HTTPS, so signing it doesn't provide any additional integrity there. It could provide non-repudiation of the metadata, except that in order to do so it would have to be signed with a key that could later be proven to be from the client as well. Since this is primarily designed to be used by clients with no prior relationship with the AS, it is unclear how the provenance of the public key would be proven. I think this would require PIKA to be useful: https://www.ietf.org/archive/id/draft-barnes-oauth-pika-00.html Aaron On Sat, Jul 6, 2024 at 4:09 PM Dick Hardt <dick.hardt@gmail.com> wrote: > Hey Aaron / Emelia > > I stumbled across > https://www.ietf.org/id/draft-parecki-oauth-client-id-metadata-document-00.html > > (was any info posted to the list?) > > I like the general concept. Questions: > > 1. If an AS supports both registered, and unregistered clients, is there > any guidance or requirements on differentiating between them such as NOT > issuing other identifiers that start with 'https"? > > 2. From a security perspective, I worry about the redirect URIs being any > arbitrary URL -- perhaps that they need to start with the client_id? Is > localhost supported as a redirect URI. What is the use case for an array of > redirect URIs? Why not just have each of those be a different client_id? > Perhaps you could just have a redirect_path that is appended to the > client_id URL? > > 3. A number of the parameters in dynamic client registration are a > negotiation between the client and the AS. For example from 7591 > token_endpoint_auth_method, grant_types, response_types.scope. while > including token_endpoint_auth_method = private_key_jwt is useful, the > client is not getting a direct response back from the AS. How are you > envisioning a mismatch between what is in these values and the response > from the AS? In dynamic client registration the AS is returning what it > will support. The only mechanism I can think of currently if the request is > not supported is to return an invalid client error to the authorization > request. > > 4. Along those lines, why are you pointing at 7591 rather than the list in > IANA? > > https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#client-metadata > > A useful property there to call out would be initiate_login_uri. > > 5. Along those lines, it may be useful to recommend which of those > properties are useful and why. For example, should I have a contact > property? I think there should be a minimum to implement so there is > interoperability -- otherwise it is hit or miss if it will work. The one > bit of client_id_metadata_document_supported will unlikely not be enough > to have a successful flow unless there is a MTI. > > 6. Did you consider signing the metadata as a JWT as being one of the > content types that could be returned? > > That's all for now! Thanks for writing this up! > > /Dick > >
- [OAUTH-WG] OAuth Client ID Metadata Document Dick Hardt
- [OAUTH-WG] Re: OAuth Client ID Metadata Document Aaron Parecki
- [OAUTH-WG] Re: OAuth Client ID Metadata Document Emelia Smith
- [OAUTH-WG] Re: OAuth Client ID Metadata Document Dick Hardt
- [OAUTH-WG] Re: OAuth Client ID Metadata Document Dick Hardt
- [OAUTH-WG] Re: OAuth Client ID Metadata Document Emelia S.
- [OAUTH-WG] Re: OAuth Client ID Metadata Document Dick Hardt
- [OAUTH-WG] Re: OAuth Client ID Metadata Document Emelia Smith
- [OAUTH-WG] Re: OAuth Client ID Metadata Document Dick Hardt
- [OAUTH-WG] Re: OAuth Client ID Metadata Document David Waite