Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata

Brian Campbell <bcampbell@pingidentity.com> Tue, 02 April 2024 21:37 UTC

References: <CADNypP9QRjmgs5Si4Fj+hSmScwx+4ihQmxfznCCVE4+8F2UFkw@mail.gmail.com> <CANtBS9cNXEsiv8UqPSSeRf8pfUXZea5_bftwwFb5PnfG9YSfoA@mail.gmail.com> <CANtBS9fEXz99jNBQQMjCwM6SRehcb=2HZ5Nq5z0OCba08e_OzA@mail.gmail.com> <PH0PR02MB7430311B67EE84C6D3AD3F25B7392@PH0PR02MB7430.namprd02.prod.outlook.com>
In-Reply-To: <PH0PR02MB7430311B67EE84C6D3AD3F25B7392@PH0PR02MB7430.namprd02.prod.outlook.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 02 Apr 2024 15:36:55 -0600
Message-ID: <CA+k3eCRz2dK9kAEwxXML3CbZ-VrGCe5a9r2yMdPHWg0GBVqH2A@mail.gmail.com>
To: Michael Jones <michael_b_jones@hotmail.com>
Cc: Atul Tulshibagwale <atul@sgnl.ai>, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000442538061523e9a3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/wvyvhjLNiVbyDn9Di0cD3jEVOYg>
Subject: Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata

On Fri, Mar 29, 2024 at 10:46 PM Michael Jones <michael_b_jones@hotmail.com>
wrote:

> Thanks again for the detailed review, Atul!  I’ve updated the PR
> accordingly.  Responses are inline below…
>
>
>
> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Atul Tulshibagwale
> *Sent:* Friday, March 29, 2024 6:31 PM
> *To:* Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>; oauth <oauth@ietf.org>
> *Subject:* Re: [OAUTH-WG] WGLC for OAuth 2.0 Protected Resource Metadata
>
>
>
>    6. Section 5.1: Does this introduce any IANA consideration? How would
>    we know if some other spec is not using "resource_metadata" in some other
>    way in the WWW-Authenticate response header? (Unlikely, but if there is a
>    way to reserve it, we should)
>
> The IANA registrations will occur once the spec has completed WGLC and
> publication is requested.  That said, I’m not aware of a registry for
> WWW-Authenticate values.  (If anyone is aware of such a registry, please
> let me know and I’ll add a registration.)
>

To my knowledge (having looked into it some while working on RFCs 9449 &
9470) there's no registry for WWW-Authenticate auth-param values. You could
potentially somewhat follow what Step Up did in
https://www.rfc-editor.org/rfc/rfc9470.html#section-3 which was to say that
the auth-param value being introduced is applicable only to OAuth related
authentication schemes.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._
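As an added illustration of the point discussed in this thread (example code, not from the draft, RFC 9470 or any poster), the following Python parses a WWW-Authenticate header into its challenges and only honours a `resource_metadata` auth-param when it appears on an OAuth-related scheme, mirroring the "applicable only to OAuth authentication schemes" approach. It assumes `Bearer` and `DPoP` as the OAuth-related schemes and an https-only client policy for the metadata URL; both are assumptions, not requirements stated on this page. The sample header values are constructed.

```python
import re
from urllib.parse import urlsplit

# Simplified challenge grammar after RFC 9110 section 11.6.1: a scheme token
# followed by auth-params of the form token "=" (token / quoted-string).
# token68 (e.g. "Bearer abc==") is not supported by this example parser.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_SCHEME = re.compile(rf"\s*({_TOKEN})(?=\s|$|,)")
_PARAM = re.compile(rf'\s*({_TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({_TOKEN}))\s*,?')
_UNQUOTE = re.compile(r"\\(.)")  # quoted-pair: backslash + any char -> that char

# Assumption: the client treats these schemes as OAuth-related (RFC 6750, RFC 9449).
OAUTH_SCHEMES = {"bearer", "dpop"}


def parse_challenges(header):
    """Return [(scheme, {param: value}), ...] for every challenge in the header.

    Scheme and parameter names are lower-cased; quoted-string values are unescaped.
    """
    challenges = []
    pos, n = 0, len(header)
    while pos < n:
        # Skip separators between challenges (commas and whitespace).
        while pos < n and header[pos] in " \t,":
            pos += 1
        if pos >= n:
            break
        m = _SCHEME.match(header, pos)
        if not m:
            raise ValueError(f"malformed challenge at offset {pos}")
        scheme = m.group(1).lower()
        pos = m.end()
        params = {}
        while True:
            pm = _PARAM.match(header, pos)
            if not pm:
                break  # next thing is either another scheme or end of header
            name = pm.group(1).lower()
            if pm.group(2) is not None:
                value = _UNQUOTE.sub(r"\1", pm.group(2))
            else:
                value = pm.group(3)
            params[name] = value
            pos = pm.end()
        challenges.append((scheme, params))
    return challenges


def resource_metadata_url(header, oauth_schemes=OAUTH_SCHEMES):
    """Return the resource_metadata URL from the first OAuth-related challenge.

    Returns None when no OAuth-related challenge carries the parameter, or when
    the value fails the (assumed) client policy: https, a host, no fragment.
    A resource_metadata parameter on a non-OAuth scheme (e.g. Basic) is ignored,
    since the auth-param is only defined for OAuth-related schemes.
    """
    for scheme, params in parse_challenges(header):
        if scheme not in oauth_schemes:
            continue
        url = params.get("resource_metadata")
        if url is None:
            continue
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.netloc or parts.fragment:
            return None  # do not fetch metadata from a URL that fails policy
        return url
    return None


# Constructed sample headers, not taken from any real deployment.
SAMPLE_OK = ('Bearer realm="api", '
             'resource_metadata="https://resource.example.com/.well-known/oauth-protected-resource"')
SAMPLE_WRONG_SCHEME = 'Basic realm="legacy", resource_metadata="https://other.example/meta"'
SAMPLE_PLAIN_HTTP = ('DPoP error="invalid_token", error_description="token expired", '
                     'resource_metadata="http://resource.example.com/meta"')
SAMPLE_MULTI = 'Basic realm="x", Bearer scope="read", resource_metadata="https://rs.example/m"'

if __name__ == "__main__":
    for h in (SAMPLE_OK, SAMPLE_WRONG_SCHEME, SAMPLE_PLAIN_HTTP, SAMPLE_MULTI):
        print(parse_challenges(h), "->", resource_metadata_url(h))
```

The scheme check is the part that encodes the RFC 9470-style scoping: a `resource_metadata` value attached to a `Basic` challenge is simply not consulted, so a response mixing schemes cannot steer an OAuth client to metadata via a scheme the parameter was never defined for.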