Re: [OAUTH-WG] OAuth 2.0 Discovery Location
George Fletcher <gffletch@aol.com> Fri, 26 February 2016 15:28 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E8971A6FBF for <oauth@ietfa.amsl.com>; Fri, 26 Feb 2016 07:28:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.006, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 204E4pZGPZ-f for <oauth@ietfa.amsl.com>; Fri, 26 Feb 2016 07:28:10 -0800 (PST)
Received: from omr-a007e.mx.aol.com (omr-a007e.mx.aol.com [204.29.186.58]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08BC41A6FA8 for <oauth@ietf.org>; Fri, 26 Feb 2016 07:28:10 -0800 (PST)
Received: from mtaout-aaf02.mx.aol.com (mtaout-aaf02.mx.aol.com [172.26.127.98]) by omr-a007e.mx.aol.com (Outbound Mail Relay) with ESMTP id B055A3800055; Fri, 26 Feb 2016 10:28:08 -0500 (EST)
Received: from [10.172.102.179] (unknown [10.172.102.179]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mtaout-aaf02.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 650B038000095; Fri, 26 Feb 2016 10:28:08 -0500 (EST)
To: nov matake <matake@gmail.com>, Nat Sakimura <sakimura@gmail.com>
References: <E3BDAD5F-6DE2-4FB9-AEC0-4EE2D2BF8AC8@mit.edu> <CAEayHEMspPw3pu9+ZudkMp9pBPy2YYkiXfPvFpSwqZDVyixWxQ@mail.gmail.com> <CABzCy2CpSB2Nrs-QoaEwpqtG4J8UNeAYNy1rion=mp5PQD2dmg@mail.gmail.com> <FE60D9CC-0457-4BDB-BCF1-461B30BF0CDE@oracle.com> <56CE01B1.7060501@aol.com> <255B9BB34FB7D647A506DC292726F6E13BBB0194A6@WSMSG3153V.srv.dir.telstra.com> <56CEABBD.1040602@connect2id.com> <56CF1CEB.8030603@aol.com> <56CF1D79.1070507@aol.com> <255B9BB34FB7D647A506DC292726F6E13BBB019D97@WSMSG3153V.srv.dir.telstra.com> <CABzCy2CaCM_rS7eU2-WO+kUKXQC6ctYwrAHfytNmHh1C3GpQxQ@mail.gmail.com> <AACE0FB8-FBE2-4E13-A77E-7304C383849F@gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <56D06F17.9010603@aol.com>
Date: Fri, 26 Feb 2016 10:28:23 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <AACE0FB8-FBE2-4E13-A77E-7304C383849F@gmail.com>
Content-Type: multipart/alternative; boundary="------------020108070906030108080005"
x-aol-global-disposition: G
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20150623; t=1456500488; bh=4rUxoEfUIkpW+SjYKi6mlJkkPxbY+FbzfB+E/b4nT4I=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=gMrPUBp9XG6EY2ZuV8uTR8zHunPjjr3fIeQsouqVlr0IcWyQQdFeBf2zptDTI8/Te 9fvhdDYcZsK7jKR/S7jxTFhD7HisQIT+WXP32qGH8fz2iy8U+Canlc7Cbj3c2iNN4c rfyT3/Hia7wHjP3RYiOhq5btjat/wy+1MrNM2oJQ=
x-aol-sid: 3039ac1a7f6256d06f083566
X-AOL-IP: 10.172.102.179
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/wCUYOYSljFzL27D5W1st5x385SA>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.0 Discovery Location
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Feb 2016 15:28:14 -0000
As long as the "aud" value is more akin to a fixed URI from which the client can determine valid endpoints for that "aud", this could work. It does make the client do a lot of discovery. I don't think the "aud" value can be a domain. Thanks, George On 2/26/16 12:52 AM, nov matake wrote: > It sounds like we want to return a list of available access tokens > “aud” values from AS config discovery endpoint (and also via > oauth-meta too?), doesn’t it? > > and RS config discovery endpoint will return acceptable access token > “iss” values, a list of every RS endpoints, required scopes per > endpoint etc. > (it would be another thread though) > > Thanks, > Nov > >> On Feb 26, 2016, at 13:08, Nat Sakimura <sakimura@gmail.com >> <mailto:sakimura@gmail.com>> wrote: >> >> I will include the origin in the next rev. >> >> For http header v.s JSON, shall I bring the JSON back in? >> 2016年2月26日(金) 13:05 Manger, James >> <James.H.Manger@team.telstra.com >> <mailto:James.H.Manger@team.telstra.com>>: >> >> You are right, George, that making the AS track /v2/… or /v3/… in >> RS paths is likely to be brittle — but tracking RS web origins is >> not too onerous. >> >> PoP has some nice security advantages over bearer tokens or >> passwords. However, it should still be possible to use the latter >> fairly safely — but it does require the issuer of credentials to >> indicate where they can be used. >> >> -- >> >> James Manger >> >> *From:*OAuth [mailto:oauth-bounces@ietf.org >> <mailto:oauth-bounces@ietf.org>] *On Behalf Of *George Fletcher >> *Sent:* Friday, 26 February 2016 2:28 AM >> *To:* Vladimir Dzhuvinov <vladimir@connect2id.com >> <mailto:vladimir@connect2id.com>>; oauth@ietf.org >> <mailto:oauth@ietf.org> >> >> >> *Subject:* Re: [OAUTH-WG] OAuth 2.0 Discovery Location >> >> That said, I'm not against the AS informing the client that the >> token can be used at the MailResource, ContactResource and >> MessagingResource to help the client know not to send the token >> to a BlogResource. However, identifying the actual endpoint seems >> overly complex when what is really trying to be protected is a >> token from being used where it shouldn't be (which is solved by Pop) >> >> Thanks, >> George >> >> On 2/25/16 10:25 AM, George Fletcher wrote: >> >> Interesting... this is not at all my current experience:) If >> a RS goes from v2 of it's API to v3 and that RS uses the >> current standard of putting a "v2" or"v3" in it's API path... >> then a token issued for v2 of the API can not be sent to v3 >> of the API, because v3 wasn't wasn't registered/deployed when >> the token was issued. >> >> The constant management of scopes to URI endpoints seems like >> a complexity that will quickly get out of hand. >> >> Thanks, >> George >> >> On 2/25/16 2:22 AM, Vladimir Dzhuvinov wrote: >> >> On 25/02/16 09:02, Manger, James wrote: >> >> I'm concerned that forcing the AS to know about all RS's endpoints that will accept it's tokens creates a very brittle deployment architecture >> >> The AS is issuing temporary credentials (access_tokens) to clients but doesn’t know where those credentials will work? That’s broken. >> >> >> >> An AS should absolutely indicate where an access_token can be used. draft-sakimura-oauth-meta suggests indicating this with 1 or more “ruri” (resource URI) values in an HTTP Link header. A better approach would be including a list of web origins in the token response beside the access_token field. >> >> +1 >> >> This will appear more consistent with the current >> experience, and OAuth does allow the token response JSON >> object to be extended with additional members (as it's >> done in OpenID Connect already). >> >> Cheers, >> Vladimir >> >> >> -- >> >> James Manger >> >> >> >> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of George Fletcher >> >> Sent: Thursday, 25 February 2016 6:17 AM >> >> To: Phil Hunt<phil.hunt@oracle.com> <mailto:phil.hunt@oracle.com>; Nat Sakimura<sakimura@gmail.com> <mailto:sakimura@gmail.com> >> >> Cc:<oauth@ietf.org> <mailto:oauth@ietf.org> <oauth@ietf.org> <mailto:oauth@ietf.org> >> >> Subject: Re: [OAUTH-WG] OAuth 2.0 Discovery Location >> >> >> >> I'm concerned that forcing the AS to know about all RS's endpoints that will accept it's tokens creates a very brittle deployment architecture. What if a RS moves to a new endpoint? All clients would be required to get new tokens (if I understand correctly). And the RS move would have to coordinate with the AS to make sure all the timing is perfect in the switch over of endpoints. >> >> >> >> I suspect a common deployment architecture today is that each RS requires one or more scopes to access it's resources. The client then asks the user to authorize a token with a requested list of scopes. The client can then send the token to the appropriate RS endpoint. The RS will not authorize access unless the token has the required scopes. >> >> >> >> If the concern is that the client may accidentally send the token to a "bad" RS which will then replay the token, then I'd rather use a PoP mechanism because the point is that you want to ensure the correct client is presenting the token. Trying to ensure the client doesn't send the token to the wrong endpoint seems fraught with problems. >> >> >> >> Thanks, >> >> George >> >> >> >> >> _______________________________________________ >> >> OAuth mailing list >> >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> >> >> >> _______________________________________________ >> >> OAuth mailing list >> >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> >> >> >> >> _______________________________________________ >> >> OAuth mailing list >> >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> >> https://www.ietf.org/mailman/listinfo/oauth >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] OAuth 2.0 Discovery Location Justin Richer
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Vladimir Dzhuvinov
- [OAUTH-WG] OAuth 2.0 Discovery Location Samuel Erdtman
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Samuel Erdtman
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Thomas Broyer
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Justin Richer
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Nat Sakimura
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Phil Hunt
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Thomas Broyer
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Nat Sakimura
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Nat Sakimura
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Phil Hunt (IDM)
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Mike Jones
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Anthony Nadalin
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Mike Jones
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Anthony Nadalin
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Mike Jones
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location George Fletcher
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Phil Hunt (IDM)
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Mike Jones
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Phil Hunt (IDM)
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Mike Jones
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Phil Hunt (IDM)
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Mike Jones
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Phil Hunt (IDM)
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Mike Jones
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Phil Hunt (IDM)
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Manger, James
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Vladimir Dzhuvinov
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Vladimir Dzhuvinov
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Donald F. Coffin
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location George Fletcher
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Nat Sakimura
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location George Fletcher
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location George Fletcher
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Vladimir Dzhuvinov
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Donald F. Coffin
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Thomas Broyer
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Mike Jones
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location George Fletcher
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Donald F. Coffin
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location John Bradley
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Manger, James
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Nat Sakimura
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location nov matake
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location John Bradley
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location George Fletcher
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Justin Richer
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location torsten@lodderstedt.net
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Samuel Erdtman
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Mike Jones
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Phil Hunt
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Vladimir Dzhuvinov
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Mike Jones
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Phil Hunt
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Mike Jones
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Brian Campbell
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Brian Campbell
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Roland Hedberg
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Vladimir Dzhuvinov
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location Thomas Broyer
- Re: [OAUTH-WG] OAuth 2.0 Discovery Location George Fletcher