IETF Logo Mail Archive

Re: [OAUTH-WG] Concerning OAuth introspection

Mike Jones <Michael.Jones@microsoft.com> Wed, 23 January 2013 17:35 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D11921F8960 for <oauth@ietfa.amsl.com>; Wed, 23 Jan 2013 09:35:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.792
X-Spam-Level:
X-Spam-Status: No, score=-1.792 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a2uWhCS0n9wY for <oauth@ietfa.amsl.com>; Wed, 23 Jan 2013 09:35:53 -0800 (PST)
Received: from na01-by2-obe.outbound.protection.outlook.com (na01-by2-obe.ptr.protection.outlook.com [207.46.100.23]) by ietfa.amsl.com (Postfix) with ESMTP id BEE6E21F8455 for <oauth@ietf.org>; Wed, 23 Jan 2013 09:35:52 -0800 (PST)
Received: from BL2FFO11FD002.protection.gbl (10.173.161.203) by BL2FFO11HUB038.protection.gbl (10.173.160.242) with Microsoft SMTP Server (TLS) id 15.0.596.13; Wed, 23 Jan 2013 17:35:49 +0000
Received: from TK5EX14HUBC103.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD002.mail.protection.outlook.com (10.173.160.102) with Microsoft SMTP Server (TLS) id 15.0.596.13 via Frontend Transport; Wed, 23 Jan 2013 17:35:49 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.245]) by TK5EX14HUBC103.redmond.corp.microsoft.com ([157.54.86.9]) with mapi id 14.02.0318.003; Wed, 23 Jan 2013 17:33:08 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Justin Richer <jricher@mitre.org>, Eve Maler <eve@xmlgrrl.com>
Thread-Topic: [OAUTH-WG] Concerning OAuth introspection
Thread-Index: AQHN+NLaih7lXcajhEyfjdYsUHHYWJhWGdYAgAD2SICAABiJAIAAAPsAgAAA0gCAAAHxgIAAAMAAgAAAnzg=
Date: Wed, 23 Jan 2013 17:33:07 +0000
Message-ID: <4E1F6AAD24975D4BA5B168042967394366A76440@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <CAHA4TYtCG+o0AZzh9e-3nb6gKLaWFeJuQfBxHVmUDH5Aj+TdpQ@mail.gmail.com> <50FEE1BF.5050200@mitre.org> <-6134323107835063788@unknownmsgid> <510005F5.6000004@mitre.org> <4a060479b5374e8ba58d3c9e1b15d917@BY2PR03MB041.namprd03.prod.outlook.com> <51001B5C.80407@mitre.org> <9a1d3f9d095e4f14b55ff99c9cf1799e@BY2PR03MB041.namprd03.prod.outlook.com> <C6F13E85-C7F9-49DE-9CC3-C045DEC22003@xmlgrrl.com>, <51001E4E.6000201@mitre.org>
In-Reply-To: <51001E4E.6000201@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B168042967394366A76440TK5EX14MBXC283r_"
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(377454001)(24454001)(479174001)(199002)(189002)(51704002)(13464002)(56776001)(31966008)(76482001)(54316002)(5343635001)(56816002)(44976002)(15202345001)(74502001)(512904001)(5343655001)(16406001)(54356001)(74662001)(47446002)(53806001)(49866001)(4396001)(33656001)(47736001)(51856001)(50986001)(47976001)(79102001)(16236675001)(46102001)(16297215001)(59766001)(77982001)(55846006)(6816006); DIR:OUT; SFP:; SCL:1; SRVR:BL2FFO11HUB038; H:TK5EX14HUBC103.redmond.corp.microsoft.com; RD:; A:1; MX:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 073515755F
Cc: Shiu Fun Poon <shiufunpoon@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Concerning OAuth introspection
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Jan 2013 17:35:54 -0000

No, we want one endpoint.  Keep it simple.

________________________________
From: Justin Richer
Sent: 1/23/2013 9:31 AM
To: Eve Maler
Cc: Shiu Fun Poon; oauth@ietf.org
Subject: Re: [OAUTH-WG] Concerning OAuth introspection

But it's already not a fully RESTful setup, and it's not really meant to
be as it stands. I realize that's how the original UMA registration spec
did things, but the rest of OAuth doesn't work that way. I would rather
it be parallel with the rest of the framework, all ideals aside.

Which brings us back to my original point: OAuth2 does a pretty good job
at splitting up different endpoints for different functions. That's what
I'm asking here, more than anything else. Do we want to define three
endpoints:

- client registration endpoint
- client update endpoint
- client secret rotation endpoint

As opposed to a single registration endpoint with a switch?

-- Justin

On 01/23/2013 12:28 PM, Eve Maler wrote:
> Tony took the words right out of my mouth. :-) Or, at least, the moment someone expresses an actual need for the next piece of flexibility (beyond "Wouldn't it be cool if..."* to "I have a customer that needs..."), you're on the slope towards maybe benefiting from enabling more and more of the HTTP verbs where only one or two made sense before. One way to do this is to work within a pure-REST framework but say that only POST and GET are supported, with all others producing an error. Over time, if DELETE is needed, it's easier to turn it on.
>
>        Eve
>
> * "The only thing worse than generalizing from one example is generalizing from no examples at all." Not sure if Tony is expressing an actual need or not.
>
> On 23 Jan 2013, at 9:21 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:
>
>> Registration has to work in a multi-tenant environment  so flexibility is needed
>>
>> -----Original Message-----
>> From: Justin Richer [mailto:jricher@mitre.org]
>> Sent: Wednesday, January 23, 2013 9:18 AM
>> To: Anthony Nadalin
>> Cc: Nat Sakimura; Shiu Fun Poon; oauth@ietf.org
>> Subject: Re: [OAUTH-WG] Concerning OAuth introspection
>>
>> Because then nobody would know how to actually use the thing.
>>
>> In my opinion, this is a key place where this kind of flexibility is a very bad thing. Registration needs to work one fairly predictable way.
>>
>> -- Justin
>>
>> On 01/23/2013 12:14 PM, Anthony Nadalin wrote:
>>> Why not just have a physical and logical endpoint options
>>>
>>> -----Original Message-----
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>>> Of Justin Richer
>>> Sent: Wednesday, January 23, 2013 7:47 AM
>>> To: Nat Sakimura
>>> Cc: Shiu Fun Poon; oauth@ietf.org
>>> Subject: Re: [OAUTH-WG] Concerning OAuth introspection
>>>
>>> Which brings up an interesting question for the Registration doc: right now, it's set up as a single endpoint with three operations. We could instead define three endpoints for the different operations.
>>>
>>> I've not been keen to make that deep of a cutting change to it, but it would certainly be cleaner and more RESTful API design. What do others think?
>>>
>>> -- Justin
>>>
>>>
>>> On 01/22/2013 08:05 PM, Nat Sakimura wrote:
>>>> "Action" goes against REST principle.
>>>> I do not think it is a good idea.
>>>>
>>>> =nat via iPhone
>>>>
>>>> Jan 23, 2013 4:00、Justin Richer <jricher@mitre.org> のメッセージ:
>>>>
>>>>> (CC'ing the working group)
>>>>>
>>>>> I'm not sure what the "action/operation" flag would accomplish. The idea behind having different endpoints in OAuth is that they each do different kinds of things. The only "action/operation" that I had envisioned for the introspection endpoint is introspection itself: "I have a token, what does it mean?"
>>>>>
>>>>> Note that client_id and client_secret *can* already be used at this endpoint if the server supports that as part of their client credentials setup. The examples use HTTP Basic with client id and secret right now. Basically, the client can authenticate however it wants, including any of the methods that OAuth2 allows on the token endpoint. It could also authenticate with an access token. At least, that's the intent of the introspection draft -- if that's unclear, I'd be happy to accept suggested changes to clarify this text.
>>>>>
>>>>> -- Justin
>>>>>
>>>>> On 01/22/2013 01:00 PM, Shiu Fun Poon wrote:
>>>>>> Justin,
>>>>>>
>>>>>> This spec is looking good..
>>>>>>
>>>>>> One thing I would like to recommend is to add "action"/"operation"
>>>>>> to the request.  (and potentially add client_id and client_secret)
>>>>>>
>>>>>> So the request will be like :
>>>>>> token                                             REQUIRED
>>>>>> operation (wording to be determine)  OPTIONAL inquire (default) | revoke ...
>>>>>> resource_id                                    OPTIONAL
>>>>>> client_id                                         OPTIONAL
>>>>>> client_secret                                   OPTIONAL
>>>>>>
>>>>>> And for the OAuth client information, it should be an optional parameter (in case it is a public client or client is authenticated with SSL mutual authentication).
>>>>>>
>>>>>> Please consider.
>>>>>>
>>>>>> ShiuFun
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> Eve Maler                                  http://www.xmlgrrl.com/blog
> +1 425 345 6756                         http://www.twitter.com/xmlgrrl
>

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email