Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration
Justin Richer <jricher@mitre.org> Mon, 20 May 2013 18:39 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3804D21F8AEA for <oauth@ietfa.amsl.com>; Mon, 20 May 2013 11:39:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.378
X-Spam-Level:
X-Spam-Status: No, score=-6.378 tagged_above=-999 required=5 tests=[AWL=0.220, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LO3EZfYOnbI3 for <oauth@ietfa.amsl.com>; Mon, 20 May 2013 11:39:39 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id DB9FE21F8A74 for <oauth@ietf.org>; Mon, 20 May 2013 11:39:38 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 5C80A1F06F8; Mon, 20 May 2013 14:39:38 -0400 (EDT)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 463891F0437; Mon, 20 May 2013 14:39:38 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS04.MITRE.ORG (129.83.29.81) with Microsoft SMTP Server (TLS) id 14.2.342.3; Mon, 20 May 2013 14:39:38 -0400
Message-ID: <519A6DCD.3050200@mitre.org>
Date: Mon, 20 May 2013 14:39:09 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130510 Thunderbird/17.0.6
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <519A3C9A.8060305@mitre.org> <9D2C4D6F-EBC0-4313-B3B1-5981A865A604@oracle.com> <519A4607.1030900@mitre.org> <DF861D80-C924-427D-9678-08AF9CCB5A61@oracle.com> <519A5261.1010506@mitre.org> <4E1F6AAD24975D4BA5B168042967394367742D5A@TK5EX14MBXC283.redmond.corp.microsoft.com> <278419A3-8FFE-45F6-81A8-90D5CFFC13CB@oracle.com> <DA490296-52A3-4522-B237-2E2BA69B5FB2@oracle.com>
In-Reply-To: <DA490296-52A3-4522-B237-2E2BA69B5FB2@oracle.com>
Content-Type: multipart/alternative; boundary="------------000005020407090705010008"
X-Originating-IP: [129.83.31.56]
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 May 2013 18:39:44 -0000
Phil, that's not a fair comparison. What I've done is a fundamentally different kind of breaking change than the one you're asking for, though. To explain more concretely: The change I agreed to make here was to remove two underspecified values (of five listed) to a parameter that is intended to be extensible. The extensions to DynReg that are using these values (like OIDC registration) can then define them fully (like they already are). That is a good change, and prompted by the good discussion and feedback you've given here. That doesn't mean that the parameter itself is "broken", and I think it's entirely another thing to remove the parameter wholesale when it has proven utility. Getting rid of it entirely would make it an OIDC-only parameter, when people are using it in non-OIDC contexts. I acknowledge the concerns that you have with the draft, and I thank you for your feedback so far. However, I don't agree with your conclusions regarding those concerns. I do look forward to any concrete proposals you'll have later this week that will help further this discussion. -- Justin On 05/20/2013 02:27 PM, Phil Hunt wrote: > Further to my last... > > Justin has already committed to breaking changes. This may have been > lost or buried in the long review thread. > > Specifically - The client authentication types specified are > undocumented (client_secret_jwt and private_key_jwt) as they were all > Holder-of-Key authentication methods. The OAuth drafts currently only > have bearer drafts and dyn reg does not support these profiles. > Justin has acknowledged this. > > It seems to me, that since the token_endpoint_auth_method is broken, > the current implementations are actually implementing the draft > correctly or servers are just ignoring it the parameter. > > There are concerns with this draft. I plan to make specific > suggestions (some breaking) later this week. > > Phil > > @independentid > www.independentid.com <http://www.independentid.com> > phil.hunt@oracle.com <mailto:phil.hunt@oracle.com> > > > > > > On 2013-05-20, at 10:51 AM, Phil Hunt wrote: > >> -1 >> >> The draft has features that are unclear and will double the >> operational cost. The fact that it works doesn't mean it is ready >> from the wg perspective. >> >> For the production use, has anyone outside of oidc implemented and >> placed in production? >> >> As a non-oidc implementer, I can't make the same assumptions (like >> discovery) that oidc umplementers have. >> >> Phil >> >> On 2013-05-20, at 9:48, Mike Jones <Michael.Jones@microsoft.com >> <mailto:Michael.Jones@microsoft.com>> wrote: >> >>> The deployment evidence doesn't support your position, Phil. There >>> are over a dozen interoperable implementations already deployed. >>> Those deployments demonstrate that the spec, as written, is already >>> doing one thing well -- enabling clients (as defined by RFC 6749) to >>> register with Authorization Servers, obtaining client_id and >>> optionally client_secret values that enable those clients to use >>> those Authorization Servers. Doing one thing well is exactly what >>> we should be striving for, and the evidence says that we've achieved >>> that. >>> >>> It's time to ship it! >>> >>> -- Mike >>> >>> *From:*oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org> >>> [mailto:oauth-bounces@ietf.org] *On Behalf Of *Justin Richer >>> *Sent:* Monday, May 20, 2013 9:42 AM >>> *To:* Phil Hunt >>> *Cc:* oauth@ietf.org <mailto:oauth@ietf.org> >>> *Subject:* Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic >>> Registration >>> >>> I, of course, disagree. But that's what we're trying to figure out >>> as a working group, after all. >>> >>> -- Justin >>> >>> On 05/20/2013 12:41 PM, Phil Hunt wrote: >>> >>> This draft isn't ready for LC. >>> >>> Phil >>> >>> >>> On 2013-05-20, at 8:49, Justin Richer <jricher@mitre.org >>> <mailto:jricher@mitre.org>> wrote: >>> >>> But also keep in mind that this is last-call, and that we >>> don't really want to encourage avoidable drastic changes at >>> this stage. >>> >>> -- Justin >>> >>> On 05/20/2013 11:21 AM, Phil Hunt wrote: >>> >>> Keep in mind there may be other changes coming. >>> >>> The issue is that new developers can't figure out what >>> token is being referred to. >>> >>> >>> Phil >>> >>> >>> On 2013-05-20, at 8:09, Justin Richer <jricher@mitre.org >>> <mailto:jricher@mitre.org>> wrote: >>> >>> Phil Hunt's review of the Dynamic Registration >>> specification has raised a couple of issues that I >>> felt were getting buried by the larger discussion >>> (which I still strongly encourage others to jump in >>> to). Namely, Phil has suggested a couple of syntax >>> changes to the names of several parameters. >>> >>> >>> 1) expires_at -> client_secret_expires_at >>> 2) issued_at -> client_id_issued_at >>> 3) token_endpoint_auth_method -> >>> token_endpoint_client_auth_method >>> >>> >>> I'd like to get a feeling, *especially from >>> developers* who have deployed this draft spec, what >>> we ought to do for each of these: >>> >>> A) Keep the parameter names as-is >>> B) Adopt the new names as above >>> C) Adopt a new name that I will specify >>> >>> In all cases, clarifying text will be added to the >>> parameter *definitions* so that it's more clear to >>> people reading the spec what each piece does. >>> Speaking as the editor: "A" is the default as far as >>> I'm concerned, since we shouldn't change syntax >>> without very good reason to do so. That said, if >>> it's going to be better for developers with the new >>> parameter names, I am open to fixing them now. >>> >>> Naming things is hard. >>> >>> -- Justin >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Donald F Coffin
- [OAUTH-WG] Proposed Syntax Changes in Dynamic Reg… Justin Richer
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Phil Hunt
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Justin Richer
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Phil Hunt
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Justin Richer
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Mike Jones
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Mike Jones
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Justin Richer
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Phil Hunt
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Justin Richer
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Justin Richer
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Anthony Nadalin
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Phil Hunt
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Justin Richer
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Nat Sakimura
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Edmund Jay
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… nov matake
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… John Bradley
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Roland Hedberg
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Mike Jones
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Phil Hunt
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Justin Richer
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Anthony Nadalin
- [OAUTH-WG] Dyn Reg API Style: Was Re: Proposed Sy… Phil Hunt
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Justin Richer
- Re: [OAUTH-WG] Dyn Reg API Style: Was Re: Propose… Justin Richer
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Anthony Nadalin
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Phil Hunt
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Anthony Nadalin
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Justin Richer
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Roland Hedberg
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Edmund Jay
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Lewis Adam-CAL022
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Justin Richer
- Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic… Donald F Coffin