IETF Logo Mail Archive

Re: [OAUTH-WG] Question regarding RFC 7592

Dick Hardt <dick.hardt@gmail.com> Wed, 18 September 2019 14:24 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D38F120099 for <oauth@ietfa.amsl.com>; Wed, 18 Sep 2019 07:24:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bnH-K4ec7Oq2 for <oauth@ietfa.amsl.com>; Wed, 18 Sep 2019 07:24:29 -0700 (PDT)
Received: from mail-lj1-x241.google.com (mail-lj1-x241.google.com [IPv6:2a00:1450:4864:20::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB1DB12006B for <oauth@ietf.org>; Wed, 18 Sep 2019 07:24:28 -0700 (PDT)
Received: by mail-lj1-x241.google.com with SMTP id a22so156434ljd.0 for <oauth@ietf.org>; Wed, 18 Sep 2019 07:24:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2xcxIyzPiNYDytanYAoB2F5OmkSofGsF7wp//54DnvM=; b=qJpGuZ2tL8OFoSi6XTr1fHVrfzCAYPReXbfBRYmYcaFd79LIzopbzk4y1Wzr8e5+6S 5aUhaLwM9xJBrlrRnRMKWGD28VT377twF4oDn5v9DTNmW1XT9bVK+UyQHpKvfOX8X/8N BPkcu//HIQaysx4WrN3VAvhkOzn/m9sXdUvypC22Bg9cX6h7HOLkVSo762HhST4IIabX RjscJoRJc19RSbA9BqSVcV5LuPj4ZABTvu89tZ2TPmSyueToSkVvFsex0y1g2av1DMOb dj5fIXPyS0nyo/XOqMqaf5sICSnkE3DjmSC6FQljRg584TFaOOwWugpVMOUrjaBrWR8K 0ekg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2xcxIyzPiNYDytanYAoB2F5OmkSofGsF7wp//54DnvM=; b=HAXJtyDZTyI7aKsXBWqxAxjCv3OG9T00xqaUhoL9/GrZps4nwNTEuKOolf0512vbd8 kU9qO09UGXAbklHQ54xLZjF+EjwgbpyXMMIyQJ2shCvKxHxqOr8rCggn2gHCn3YPn8j/ CMMdzSRMhaO7qFOPAJ15IPO0vxd383FTwjmk5Hz9B2qFbyoh/sQXkrBvW0uTPHtxNJGv 7HMftLbKZSQPSiJN8CmVBykTVOiV/dk2mFgaGrt/6+rnin4qIIprKE9cy9+6TAn8ZBHF dagmO6U7th56VLS026S86+ezb+PWGr/jh2HeagM1qRBVWERxaiqN4AXHLtPM9dUsARwB xs2g==
X-Gm-Message-State: APjAAAVHYXKwU+RlejU/4RV1D7YKbsk7a+NNkaDA9QxG4XvM7zxCO+Ph jiXUIjAXOP98q3wlYIqkaf1q+RqvqPX2GDnYDc4=
X-Google-Smtp-Source: APXvYqz3TMNBm8AP2TYTIUhei/BXuBSozyUxLmqtogAsS33UBj3ZXwZA4wbpeNg6n2uPb8UO1PvhfNtqcJ/jgpzk8tk=
X-Received: by 2002:a2e:3618:: with SMTP id d24mr2378257lja.179.1568816666699; Wed, 18 Sep 2019 07:24:26 -0700 (PDT)
MIME-Version: 1.0
References: <ae35a0f3b9f74618add918d9339be753@STEMES002.steteu.corp> <CAEKOcs3EtjLHRaRmpCa_GrpuXtqVMWHrmH0oPBB-b+2yzhKHaw@mail.gmail.com> <db205bcad6ac495bb558e2b6181ba546@STEMES002.steteu.corp> <827BB5C3-2143-450A-BC3D-72F98CD0B475@mit.edu> <CAD9ie-s-_WgCFF9BrxF2bWjcJEi9rF+gD-P-DMPvbuzKfVXRyw@mail.gmail.com> <1BEA1464-9B31-4FBF-8619-16096F13BBDD@mit.edu> <CAD9ie-uKQPk5GqapT-o80ZocaOk-fawZSzHeJwSeL=Zm2g2Bpg@mail.gmail.com> <ACE2CFA3-0D17-4EB1-BF31-01BEBBB7222C@mit.edu>
In-Reply-To: <ACE2CFA3-0D17-4EB1-BF31-01BEBBB7222C@mit.edu>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Wed, 18 Sep 2019 07:24:15 -0700
Message-ID: <CAD9ie-t1W=+HUwpXebMP+zjDSTqd8EeX_tyN15zqQtrdt3e+cg@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Robache Hervé <herve.robache@stet.eu>, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000022ef870592d498fd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/u1smZ64KZWYCYKxVHHwf3pRT_Nc>
Subject: Re: [OAUTH-WG] Question regarding RFC 7592
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Sep 2019 14:24:32 -0000

I think of cloud infrastructure having control plane, and data plane.
Control plane APIs are for managing the things that use the data plane. The
data plane is the resource. Not trying to change your mind, just sharing my
thinking.

On related efforts, in FastFed, we are looking at using a JWT to access
other control plane APIs.

I agree on first take, that storing an access token is easier than
working with a key pair. I should have more context, which is managing the
credential life cycle. What happens if the access token is lost or
compromised? Does the app need to be completely re-registered? With a
jwks-uri, the client can rotate their keys and continue to make API calls
if the private key is lost or compromised.

ᐧ

On Tue, Sep 17, 2019 at 8:10 AM Justin Richer <jricher@mit.edu> wrote:

> I think this is where we disagree about the nature of “resource”, as I
> would classify a management API as a resource. Specifically, the client’s
> own records at the AS.
>
> The “IF” in your statement is a big if, and one that is uncommon even
> today. Also, I want to note that if the client can’t "manage an access
> token” very well, then it’s going to have a very hard time being an OAuth
> client once it’s done registering. In other words, the goal was to take a
> piece of universal functionality that all OAuth clients would be guaranteed
> to have.
>
> I’ll agree that it’s a bit weird having an access token issued as part of
> a response, but the alternative was to invent a new flow to force a client
> to go through another round trip to the token endpoint to get its
> management token. If you’re already directly giving the client a temporary
> credential that it can use at the AS, then just give the client the final
> token to do the job directly instead. At least, that was the thinking, and
> I still agree with that line of thought today even with its quirks.
>
> — Justin
>
> On Sep 17, 2019, at 12:40 AM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> The registration supports the client having a jwks, so if the client
> provides jwks, then using them to sign an authentication request seems
> easier than trying to manage an access token.
>
> The token endpoint is an API as well. We would agree that it is not a
> resource, but a management API. Similarly, I see the client's management of
> its registration to not be a resource operation, but a management API.
> ᐧ
>
> On Mon, Sep 16, 2019 at 7:36 PM Justin Richer <jricher@mit.edu> wrote:
>
>> I don’t see a reason to use an assertion here. JWT authentication would
>> require at least a secret if not a key of some type for authentication for
>> all clients, and it was determined that dynamic registration shouldn’t
>> require the clients (even public clients) to support things they weren’t
>> already capable of doing. Besides, the management endpoint isn’t a token
>> endpoint (though I’m curious to hear why you’d say that) — it’s an API you
>> can call to manage a client’s registration data over time. Sounds like an
>> RS, if you ask me.
>>
>> — Justin
>>
>> On Sep 15, 2019, at 1:05 AM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>> Curious why the client management API uses bearer tokens rather than JWTs
>> per RFC 7523 for the client to authenticate. The client management API
>> seems more similar to a token endpoint than a resource.
>> ᐧ
>>
>> On Fri, Sep 13, 2019 at 12:08 PM Justin Richer <jricher@mit.edu> wrote:
>>
>>> Travis has this correct — the “registration access token” is passed to
>>> the client for the express purpose of accessing the client management API,
>>> and is not the same as, or entangled with, any access tokens that the
>>> client requests through the OAuth process after the registration has
>>> occurred. The reasons for this separation are many, but at the core it
>>> comes down to the client always acting on its own behalf when it does
>>> registration, and acting on behalf of some other party (usually a user)
>>> when it’s doing OAuth. Additionally, registration management is a function
>>> of the AS, whereas the protected APIs are a function of the RS — note this
>>> is a logical separation and there’s nothing stopping AS and RS functions
>>> from being deployed in any number of patterns.
>>>
>>> A few common questions we got asked when writing this functionality into
>>> the spec:
>>>
>>> *Why use an access token at all*? Because it’s a credential for a
>>> specific API issued by the AS and handed to the client in a programmatic
>>> manner. This is exactly what OAuth tokens were made for.
>>>
>>> *Why not use the client’s credentials*? Because not all clients are set
>>> up to have credentials, plus we’d be spreading the requirement to support
>>> different kinds of client credentials to another endpoint.
>>>
>>> *Why not issue an authorization code*? Because then the client would
>>> need to make yet another round trip, and not all clients are
>>> authorization-code-grant clients to begin with.
>>>
>>> *Why not make a new grant type*? Because then the client would need to
>>> make yet another round trip, and we’d have to invent a whole new grant type
>>> with a new temporary credential when we could just use that temporary
>>> credential directly instead.
>>>
>>> — Justin
>>>
>>> On Sep 13, 2019, at 8:23 AM, Robache Hervé <herve.robache@stet.eu>
>>> wrote:
>>>
>>> Thanks Travis
>>>
>>> I understand that, once the client has retrieved its [client_id] through
>>> RFC7591 initial registration, it is then able to ask for an access token
>>> that will be used for accessing the RFC7592 entry-points. Am I right?
>>>
>>> Best regards
>>>
>>> Hervé
>>>
>>> *De :* Travis Spencer [mailto:travis.spencer@curity.io
>>> <travis.spencer@curity.io>]
>>> *Envoyé :* ven. 13 13:30
>>> *À :* Robache Hervé
>>> *Cc :* oauth@ietf.org
>>> *Objet :* Re: [OAUTH-WG] Question regarding RFC 7592
>>>
>>> No. The initial access token is issued by the AS when registration is
>>> protected (appendix 1.2 in RFC 7591). As stated in section 1.2, the method
>>> and means by which this is obtained can vary. The registration access token
>>> in RFC 7592 is used to protect the registration management API and allow
>>> updates to the client after it is registered. You might have one (the
>>> registration access token) but not the other (initial access token) when
>>> open registration is allowed (appendix 1.1 in RFC 7591).
>>>
>>> HTH!
>>>
>>> On Fri, Sep 13, 2019 at 7:37 AM Robache Hervé <herve.robache@stet.eu>
>>> wrote:
>>>
>>> Hi
>>>
>>> RFC 7592 introduces a « Registration Access Token ». Are this token and
>>> the way to get it similar to what is specified as “Initial Access Token” in
>>> RFC 7591/Appendix A ?
>>>
>>> If so, can the Open Dynamic Client Registration (RFC7591/A.1.1) be
>>> extrapolated to RFC7592 as the same way?
>>>
>>> Thanks in advance for your clarification.
>>>
>>> Hervé ROBACHE
>>> Direction Marketing et Développement
>>>
>>> LIGNE DIRECTE
>>> T. +33(0)1 55 23 55 45
>>> herve.robache@stet.eu
>>>
>>> <image001.png>
>>>
>>>
>>>
>>> <image002.png>
>>>
>>> STET (SIEGE SOCIAL)
>>> 100, Esplanade du Général de Gaulle
>>> Cœur Défense – Tour B
>>> 92932 La Défense cedex
>>>
>>> www.stet.eu
>>>
>>>
>>>
>>> Ce message et toutes les pièces jointes sont établis à l'intention
>>> exclusive de ses destinataires et sont confidentiels.
>>> Si vous recevez ce message par erreur ou s'il ne vous est pas destiné,
>>> merci de le détruire ainsi que toute copie de votre système et d'en avertir
>>> immédiatement l'expéditeur.
>>> Toute lecture non autorisée, toute utilisation de ce message qui n'est
>>> pas conforme à sa destination, toute diffusion ou toute publication, totale
>>> ou partielle, est interdite.
>>> L'Internet ne permettant pas d'assurer l'intégrité de ce message
>>> électronique susceptible d'altération, STET décline toute responsabilité au
>>> titre de ce message dans l'hypothèse où il aurait été modifié, déformé ou
>>> falsifié.
>>> N'imprimez ce message que si nécessaire, pensez à l'environnement.
>>>
>>> This message and any attachments is intended solely for the intended
>>> addressees and is confidential.
>>> If you receive this message in error, or are not the intended
>>> recipient(s), please delete it and any copies from your systems and
>>> immediately notify the sender.
>>> Any unauthorized view, use that does not comply with its purpose,
>>> dissemination or disclosure, either whole or partial, is prohibited.
>>> Since the internet cannot guarantee the integrity of this message which
>>> may not be reliable, STET shall not be liable for the message if modified,
>>> changed or falsified.
>>> Do not print this message unless it is necessary, please consider the
>>> environment.
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>>> Ce message et toutes les pièces jointes sont établis à l'intention
>>> exclusive de ses destinataires et sont confidentiels.
>>> Si vous recevez ce message par erreur ou s'il ne vous est pas destiné,
>>> merci de le détruire ainsi que toute copie de votre système et d'en avertir
>>> immédiatement l'expéditeur.
>>> Toute lecture non autorisée, toute utilisation de ce message qui n'est
>>> pas conforme à sa destination, toute diffusion ou toute publication, totale
>>> ou partielle, est interdite.
>>> L'Internet ne permettant pas d'assurer l'intégrité de ce message
>>> électronique susceptible d'altération, STET décline toute responsabilité au
>>> titre de ce message dans l'hypothèse où il aurait été modifié, déformé ou
>>> falsifié.
>>> N'imprimez ce message que si nécessaire, pensez à l'environnement.
>>>
>>> This message and any attachments is intended solely for the intended
>>> addressees and is confidential.
>>> If you receive this message in error, or are not the intended
>>> recipient(s), please delete it and any copies from your systems and
>>> immediately notify the sender.
>>> Any unauthorized view, use that does not comply with its purpose,
>>> dissemination or disclosure, either whole or partial, is prohibited.
>>> Since the internet cannot guarantee the integrity of this message which
>>> may not be reliable, STET shall not be liable for the message if modified,
>>> changed or falsified.
>>> Do not print this message unless it is necessary, please consider the
>>> environment.
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>>
>

v2.23.0 | Report a Bug | By Email