IETF Logo Mail Archive

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

Justin Richer <jricher@mitre.org> Mon, 20 May 2013 18:39 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3804D21F8AEA for <oauth@ietfa.amsl.com>; Mon, 20 May 2013 11:39:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.378
X-Spam-Level:
X-Spam-Status: No, score=-6.378 tagged_above=-999 required=5 tests=[AWL=0.220, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LO3EZfYOnbI3 for <oauth@ietfa.amsl.com>; Mon, 20 May 2013 11:39:39 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id DB9FE21F8A74 for <oauth@ietf.org>; Mon, 20 May 2013 11:39:38 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 5C80A1F06F8; Mon, 20 May 2013 14:39:38 -0400 (EDT)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 463891F0437; Mon, 20 May 2013 14:39:38 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS04.MITRE.ORG (129.83.29.81) with Microsoft SMTP Server (TLS) id 14.2.342.3; Mon, 20 May 2013 14:39:38 -0400
Message-ID: <519A6DCD.3050200@mitre.org>
Date: Mon, 20 May 2013 14:39:09 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130510 Thunderbird/17.0.6
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <519A3C9A.8060305@mitre.org> <9D2C4D6F-EBC0-4313-B3B1-5981A865A604@oracle.com> <519A4607.1030900@mitre.org> <DF861D80-C924-427D-9678-08AF9CCB5A61@oracle.com> <519A5261.1010506@mitre.org> <4E1F6AAD24975D4BA5B168042967394367742D5A@TK5EX14MBXC283.redmond.corp.microsoft.com> <278419A3-8FFE-45F6-81A8-90D5CFFC13CB@oracle.com> <DA490296-52A3-4522-B237-2E2BA69B5FB2@oracle.com>
In-Reply-To: <DA490296-52A3-4522-B237-2E2BA69B5FB2@oracle.com>
Content-Type: multipart/alternative; boundary="------------000005020407090705010008"
X-Originating-IP: [129.83.31.56]
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 May 2013 18:39:44 -0000

Phil, that's not a fair comparison. What I've done is a fundamentally 
different kind of breaking change than the one you're asking for, though.

To explain more concretely: The change I agreed to make here was to 
remove two underspecified values (of five listed) to a parameter that is 
intended to be extensible. The extensions to DynReg that are using these 
values (like OIDC registration) can then define them fully (like they 
already are). That is a good change, and prompted by the good discussion 
and feedback you've given here. That doesn't mean that the parameter 
itself is "broken", and I think it's entirely another thing to remove 
the parameter wholesale when it has proven utility. Getting rid of it 
entirely would make it an OIDC-only parameter, when people are using it 
in non-OIDC contexts.

I acknowledge the concerns that you have with the draft, and I thank you 
for your feedback so far. However, I don't agree with your conclusions 
regarding those concerns. I do look forward to any concrete proposals 
you'll have later this week that will help further this discussion.

  -- Justin


On 05/20/2013 02:27 PM, Phil Hunt wrote:
> Further to my last...
>
> Justin has already committed to breaking changes.  This may have been 
> lost or buried in the long review thread.
>
> Specifically - The client authentication types specified are 
> undocumented (client_secret_jwt and private_key_jwt) as they were all 
> Holder-of-Key authentication methods.  The OAuth drafts currently only 
> have bearer drafts and dyn reg does not support these profiles. 
>  Justin has acknowledged this.
>
> It seems to me, that since the token_endpoint_auth_method is broken, 
> the current implementations are actually implementing the draft 
> correctly or servers are just ignoring it the parameter.
>
> There are concerns with this draft.  I plan to make specific 
> suggestions (some breaking) later this week.
>
> Phil
>
> @independentid
> www.independentid.com <http://www.independentid.com>
> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>
>
>
>
>
> On 2013-05-20, at 10:51 AM, Phil Hunt wrote:
>
>> -1
>>
>> The draft has features that are unclear and will double the 
>> operational cost. The fact that it works doesn't mean it is ready 
>> from the wg perspective.
>>
>> For the production use, has anyone outside of oidc implemented and 
>> placed in production?
>>
>> As a non-oidc implementer, I can't make the same assumptions (like 
>> discovery) that oidc umplementers have.
>>
>> Phil
>>
>> On 2013-05-20, at 9:48, Mike Jones <Michael.Jones@microsoft.com 
>> <mailto:Michael.Jones@microsoft.com>> wrote:
>>
>>> The deployment evidence doesn't support your position, Phil.  There 
>>> are over a dozen interoperable implementations already deployed. 
>>> Those deployments demonstrate that the spec, as written, is already 
>>> doing one thing well -- enabling clients (as defined by RFC 6749) to 
>>> register with Authorization Servers, obtaining client_id and 
>>> optionally client_secret values that enable those clients to use 
>>> those Authorization Servers.  Doing one thing well is exactly what 
>>> we should be striving for, and the evidence says that we've achieved 
>>> that.
>>>
>>> It's time to ship it!
>>>
>>> -- Mike
>>>
>>> *From:*oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org> 
>>> [mailto:oauth-bounces@ietf.org] *On Behalf Of *Justin Richer
>>> *Sent:* Monday, May 20, 2013 9:42 AM
>>> *To:* Phil Hunt
>>> *Cc:* oauth@ietf.org <mailto:oauth@ietf.org>
>>> *Subject:* Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic 
>>> Registration
>>>
>>> I, of course, disagree. But that's what we're trying to figure out 
>>> as a working group, after all.
>>>
>>>  -- Justin
>>>
>>> On 05/20/2013 12:41 PM, Phil Hunt wrote:
>>>
>>>     This draft isn't ready for LC.
>>>
>>>     Phil
>>>
>>>
>>>     On 2013-05-20, at 8:49, Justin Richer <jricher@mitre.org
>>>     <mailto:jricher@mitre.org>> wrote:
>>>
>>>         But also keep in mind that this is last-call, and that we
>>>         don't really want to encourage avoidable drastic changes at
>>>         this stage.
>>>
>>>          -- Justin
>>>
>>>         On 05/20/2013 11:21 AM, Phil Hunt wrote:
>>>
>>>             Keep in mind there may be other changes coming.
>>>
>>>             The issue is that new developers can't figure out what
>>>             token is being referred to.
>>>
>>>
>>>             Phil
>>>
>>>
>>>             On 2013-05-20, at 8:09, Justin Richer <jricher@mitre.org
>>>             <mailto:jricher@mitre.org>> wrote:
>>>
>>>                 Phil Hunt's review of the Dynamic Registration
>>>                 specification has raised a couple of issues that I
>>>                 felt were getting buried by the larger discussion
>>>                 (which I still strongly encourage others to jump in
>>>                 to). Namely, Phil has suggested a couple of syntax
>>>                 changes to the names of several parameters.
>>>
>>>
>>>                 1) expires_at -> client_secret_expires_at
>>>                 2) issued_at -> client_id_issued_at
>>>                 3) token_endpoint_auth_method ->
>>>                 token_endpoint_client_auth_method
>>>
>>>
>>>                 I'd like to get a feeling, *especially from
>>>                 developers* who have deployed this draft spec, what
>>>                 we ought to do for each of these:
>>>
>>>                  A) Keep the parameter names as-is
>>>                  B) Adopt the new names as above
>>>                  C) Adopt a new name that I will specify
>>>
>>>                 In all cases, clarifying text will be added to the
>>>                 parameter *definitions* so that it's more clear to
>>>                 people reading the spec what each piece does.
>>>                 Speaking as the editor: "A" is the default as far as
>>>                 I'm concerned, since we shouldn't change syntax
>>>                 without very good reason to do so. That said, if
>>>                 it's going to be better for developers with the new
>>>                 parameter names, I am open to fixing them now.
>>>
>>>                 Naming things is hard.
>>>
>>>                  -- Justin
>>>
>>>                 _______________________________________________
>>>                 OAuth mailing list
>>>                 OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>                 https://www.ietf.org/mailman/listinfo/oauth
>>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email