Re: [OAUTH-WG] Next steps on the OAuth Assertion Drafts
Torsten Lodderstedt <torsten@lodderstedt.net> Sat, 28 September 2013 13:36 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C588921F9CE3 for <oauth@ietfa.amsl.com>; Sat, 28 Sep 2013 06:36:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Level:
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0t59KJlDYsLO for <oauth@ietfa.amsl.com>; Sat, 28 Sep 2013 06:36:44 -0700 (PDT)
Received: from smtprelay01.ispgateway.de (smtprelay01.ispgateway.de [80.67.31.35]) by ietfa.amsl.com (Postfix) with ESMTP id 8182121E80DB for <oauth@ietf.org>; Sat, 28 Sep 2013 06:36:39 -0700 (PDT)
Received: from [91.2.95.180] (helo=[192.168.71.139]) by smtprelay01.ispgateway.de with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1VPuhE-0006yN-VJ; Sat, 28 Sep 2013 15:36:33 +0200
Message-ID: <5246DB60.7080109@lodderstedt.net>
Date: Sat, 28 Sep 2013 15:36:32 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA33964@USCHMBX001.nsn-intra.net>
In-Reply-To: <1373E8CE237FCC43BCA36C6558612D2AA33964@USCHMBX001.nsn-intra.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Next steps on the OAuth Assertion Drafts
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Sep 2013 13:36:48 -0000
Hi all,
here are my comments:
--- Assertion Draft ---
section 4.1.
"Authentication of the client is optional, as described in Section
3.2.1 of OAuth 2.0 [RFC6749] and consequently, the "client_id" is
only needed when a form of client authentication that relies on the
parameter is used."
I'm a bit confused about this statement because RFC6749, Section 3.2.1.
states:
"Confidential clients or other clients issued client credentials MUST
authenticate with the authorization server as described in
Section 2.3 when making requests to the token endpoint."
The client_id is optional but recommended for public clients, only. Same
text can be found in SAML/section 2.1 and JWT/section 2.1
section 5.1.
"the Issuer should identify the STS in a manner recognized by the
Authorization Server."
Shouldn't the "should" be normative language? I would even prefer MUST
instead of should.
"Issuer values SHOULD be compared using the Simple String Comparison" -
better MUST?
"When using assertions for client authentication, the Subject
MUST identify the client to the authorization server, typically
by using the value of the "client_id" of the OAuth client."
Why not just "For client authentication, the subject MUST be the
"client_id" of the OAuth client" as in the JWT Bearer and SAML assertion
drafts?
Audience - "The URL of the Token Endpoint, as defined
in Section 3.2 of OAuth 2.0 [RFC6749], can be used to indicate
that the authorization server as a valid intended audience of the
assertion."
Who uses this approach? We don't use the concrete URL of the tokens
endpoint but the AS's base URL. I would prefer to have _a_ single,
mandated way of identifying the AS instead of a recommendation in order
to facilitate interop.
section 6.2
Please replace "Client Credentials flow" by "Client Credentials _Grant_"
PLEASE NOTE: most comments on the assertion draft hold for JWT and SAML
as well because a lot of text is duplicated/shared among these drafts.
--- JWT bearer token ---
section 4
the example request is missing any client identifier/credentials, please
add BASIC header or client_id
GENERAL NOTE: HTML links referencing to RFC 6749 are generally linked to
the respective drafts itself
regards,
Torsten.
Am 10.09.2013 16:26, schrieb Tschofenig, Hannes (NSN - FI/Espoo):
> Hi all,
>
> I am trying to wrap up the assertion documents and I took a look at the meeting minutes from the Berlin IETF meeting and the actions are as follows:
>
> ** John & Torsten: Please post your document review to the list.
>
> ** Authors of draft-ietf-oauth-saml2-bearer: Please provide the additional SAML related text (as discussed during the meeting) and submit an updated document.
>
> Ciao
> Hannes
>
> ------- copy from the minutes --------
>
> * Assertions (BC)
> https://datatracker.ietf.org/doc/draft-ietf-oauth-assertions/
> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-bearer/
> https://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer/
>
> - WGLC ends by 8/8
> - BL on WGLC comments: talked to MJ about how to achieve interop.
> - BL: describe how you could combine specifications to make at least one interoperable specification
> - MJ: profiles exists for both SAML and OpenIDC. those are not IETF specifications though
> - BL: ok to point to external doc from either of the I-Ds in question
> - MJ: very achievable
> - BL: all should go to the IESG at the same time to establish context
> - PHO: is this for the IESG benefit or for future developers
> - BL: the latter
> - PHO: talk to Heather Flanagan or the IANA - they have talked about having long-term access to external documents
> - BL: ok will consider that - or we can copy text into WG wiki
> - BC: interop does not require external profiles actually
> - TL: same experience at DT with the JSON-based assertion format - no addl profiles are needed
> - MJ: a SAML deployment needs agreement on certain SAML-specific conventions - this is what BL is referring to
> - BC: right
> - TN: so just refer to the SAML specs
> - BL: maybe enough
> - JB and TL volunteered to make a review.
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] Next steps on the OAuth Assertion … Torsten Lodderstedt
- [OAUTH-WG] Next steps on the OAuth Assertion Draf… Tschofenig, Hannes (NSN - FI/Espoo)
- Re: [OAUTH-WG] Next steps on the OAuth Assertion … Brian Campbell
- Re: [OAUTH-WG] Next steps on the OAuth Assertion … Mike Jones
- Re: [OAUTH-WG] Next steps on the OAuth Assertion … Hannes Tschofenig
- Re: [OAUTH-WG] Next steps on the OAuth Assertion … Brian Campbell