Re: [OAUTH-WG] Namespacing "type" in RAR

Justin Richer <jricher@mit.edu> Sat, 18 July 2020 15:13 UTC

From: Justin Richer <jricher@mit.edu>
In-Reply-To: <4ea6f9af-d67f-97df-6bae-752cf34f920c@connect2id.com>
Date: Sat, 18 Jul 2020 11:12:57 -0400
Cc: oauth@ietf.org
Message-Id: <B5B80874-7A8F-4B9B-AA97-0516661F4E9D@mit.edu>
References: <E9F67961-B83D-40EF-A9CC-F3E4B495379F@mit.edu> <4ea6f9af-d67f-97df-6bae-752cf34f920c@connect2id.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xFUVqAyjwe2bwNEx7r0i9_MOXyM>
Subject: Re: [OAUTH-WG] Namespacing "type" in RAR

I think publishing supported “type” parameters isn’t a bad idea, and it aligns with publishing supported scopes and claims in discovery.

I have always seen the resource indicators work as providing a more specific dimension to the requests that scopes didn’t allow to be described very well, pointing at a specific RS instead of just “some kind of access”, so I’m not sure how they’re a testament to name spacing issues with scopes. Can you help me understand here?

I do think that if nothing else we can give better guidance in RAR as to what the “type” field is. I do think it should still just be a string, but we can help people make better decisions about what to put in that string.

 — Justin

> On Jul 17, 2020, at 2:13 PM, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
> 
> 
> On 17/07/2020 17:38, Justin Richer wrote:
>> And all that brings me to my proposal: 
>> 
>> 4) Require all values to be defined by the AS, and encourage specification developers to use URIs for collision resistance.
>> 
>> So officially in RAR, the AS would decide what “type” means, and nobody else. But we can also guide people who are developing general-purpose interoperable APIs to use URIs for their RAR “type” definitions. This would keep those interoperable APIs from stepping on each other, and from stepping on any locally-defined special “type” structure. But at the end of the day, the URI carries no more weight than just any other string, and the AS decides what it means and how it applies.
> 
> Define, but not publish in AS metadata?
> 
> 
>> My argument is that this seems to have worked very, very well for scopes, and the RAR “type” is cut from similar descriptive cloth.
> 
> I would argue that it didn't work so well for scopes - the OAuth
> Resource Indicators spec is a testament to that.
> 
> But one could also argue that scopes were not defined along the lines of
> your proposal for "type" in RAR. In fact, RFC 6749 has no mention of
> collision resistance or name spacing for scope values.
> 
> 
> Vladimir
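Worked example (added here, not part of the thread or of any RAR implementation): an authorization server that publishes its supported "type" values in discovery metadata and then checks an incoming authorization_details request against that list. It follows Justin's proposal above: the AS alone decides what a "type" means, a URI-form type is matched as an opaque string like any other, and a URI-namespaced type from an interoperable API coexists with a locally defined plain-string type without collision. Assumptions: the metadata key authorization_details_types_supported and the error code invalid_authorization_details are the names the RAR specification later published in RFC 9396, not names from this thread; the type values, the per-type field checks and the request payloads are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed AS metadata fragment (illustrative, not from the thread). The
# metadata key follows the name RAR later standardised; the AS is the sole
# authority on what each listed "type" string means.
AS_METADATA = {
    "issuer": "https://as.example.com",
    "authorization_details_types_supported": [
        # URI-form type: chosen by an interoperable API spec for collision
        # resistance, but to the AS it is still just a string to match.
        "https://scheme.example.org/payment_initiation",
        # Locally defined type: a plain string the AS picked for itself.
        "account_information",
    ],
}

# Hypothetical per-type field checks registered by this AS. The spec only says
# "type" is a string; which fields a given type requires is the AS's decision.
def _validate_payment(detail):
    required = {"actions", "locations", "instructedAmount"}
    missing = required - detail.keys()
    return [f"missing {m}" for m in sorted(missing)]

def _validate_account(detail):
    return [] if isinstance(detail.get("actions"), list) else ["actions must be a list"]

TYPE_VALIDATORS = {
    "https://scheme.example.org/payment_initiation": _validate_payment,
    "account_information": _validate_account,
}

def is_collision_resistant(type_value):
    """True when the type is a URI with a scheme and an authority (e.g. https://host/...).

    This is only guidance for spec authors choosing a type name; the AS never
    treats such a value differently from any other supported string.
    """
    parts = urlsplit(type_value)
    return bool(parts.scheme) and bool(parts.netloc)

def check_authorization_details(request_json, metadata=AS_METADATA):
    """Validate a raw authorization_details request parameter.

    Returns (ok, errors). Any unsupported or malformed entry makes the whole
    request fail, which an AS would surface as invalid_authorization_details.
    """
    supported = set(metadata.get("authorization_details_types_supported", []))
    errors = []
    try:
        details = json.loads(request_json)
    except ValueError:
        return False, ["authorization_details is not valid JSON"]
    if not isinstance(details, list):
        return False, ["authorization_details must be a JSON array"]
    for i, detail in enumerate(details):
        type_value = detail.get("type") if isinstance(detail, dict) else None
        if not isinstance(type_value, str):
            errors.append(f"[{i}] type missing or not a string")
            continue
        # Exact string comparison: no URI parsing, no prefix matching, no
        # special treatment for URI-form values.
        if type_value not in supported:
            errors.append(f"[{i}] unsupported type {type_value!r}")
            continue
        errors.extend(f"[{i}] {e}" for e in TYPE_VALIDATORS[type_value](detail))
    return (not errors), errors

if __name__ == "__main__":
    # Constructed request mixing a URI-form type and a local plain-string type.
    req = json.dumps([
        {"type": "https://scheme.example.org/payment_initiation",
         "actions": ["initiate"], "locations": ["https://bank.example.com/payments"],
         "instructedAmount": {"currency": "EUR", "amount": "12.00"}},
        {"type": "account_information", "actions": ["read"]},
    ])
    print(check_authorization_details(req))
    # A type from a different namespace that this AS never defined is rejected.
    print(check_authorization_details('[{"type": "https://other.example/payment_initiation"}]'))
```

The point of the exact-match check is the one made in the thread: the URI carries no more weight than any other string. Publishing the list in metadata lets a client discover in advance which strings this AS will accept, the same way scopes_supported and claims_supported work today.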