[OAUTH-WG] Re: Orie Steele's Discuss on draft-ietf-oauth-resource-metadata-10: (with DISCUSS and COMMENT)
David Waite <david@alkaline-solutions.com> Wed, 02 October 2024 18:27 UTC
Return-Path: <david@alkaline-solutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 352DBC1840C1; Wed, 2 Oct 2024 11:27:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=alkaline-solutions.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nKvzsXVdPEAU; Wed, 2 Oct 2024 11:27:24 -0700 (PDT)
Received: from mail.alkaline-solutions.com (caesium6.alkaline.solutions [157.230.133.164]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B0973C1CAE69; Wed, 2 Oct 2024 11:27:11 -0700 (PDT)
From: David Waite <david@alkaline-solutions.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alkaline-solutions.com; s=dkim; t=1727893630; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=qUMbf9rfAh8M96lLHXOsrhtWWSe+N/+GF701nTwCldM=; b=N3Zgo4Wci8mEsGZpTlCYbEybATVqIjgRn0QLdpshoB1TWUZszZ9x37fv+FRtO9QyrJotOs rGbJ6SI0X83oqaDvzblfpRKSrcnO52eDejQJ8XhlEJKr/RTdHJ8FxbLtxvLJe5H67t71Fj BxVVq7CnizuFx96weNkKb+nuswf0g6r6jv4s22iuYU5A+R5W5qMnxn99ej5aX5HcJG/+Xo 9sW3FNtgLukNmWCXFOM7WGnYGofKicLIJ5VXYg/CdjAOzSiDG//WRVy3TphwKBtgLIJIoU PpgJfklS7iRcTBynoN7Rik8lDypRsHtaonFQzeF9/Abrw0TOZC8rOAZg0Rvz6Q==
Authentication-Results: mail.alkaline-solutions.com; auth=pass smtp.mailfrom=david@alkaline-solutions.com
Message-Id: <A4755690-5B8E-4D25-AE34-3DE1AB4C3538@alkaline-solutions.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_681DE5C6-21EB-4C1D-B7EE-6B2E74003475"
Mime-Version: 1.0
Date: Wed, 02 Oct 2024 12:26:58 -0600
In-Reply-To: <CAN8C-_+Sb0upN1Qq0mKWeAeLj0tiJuqMcnVA10h83RyLquxZYA@mail.gmail.com>
To: Orie Steele <orie@transmute.industries>
References: <172780986106.795146.3754827883737941273@dt-datatracker-7bbd96684-zjf54> <PH0PR02MB7430C2C8DC6289BA1DAA520AB7772@PH0PR02MB7430.namprd02.prod.outlook.com> <PH0PR02MB7430B4D44B362D6EC95BE6B5B7702@PH0PR02MB7430.namprd02.prod.outlook.com> <CAN8C-_+Sb0upN1Qq0mKWeAeLj0tiJuqMcnVA10h83RyLquxZYA@mail.gmail.com>
X-Spamd-Bar: --
Message-ID-Hash: FEVDZFVB4QPJLKOGKP5XV3E2SNPWFQHO
X-Message-ID-Hash: FEVDZFVB4QPJLKOGKP5XV3E2SNPWFQHO
X-MailFrom: david@alkaline-solutions.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: The IESG <iesg@ietf.org>, "draft-ietf-oauth-resource-metadata@ietf.org" <draft-ietf-oauth-resource-metadata@ietf.org>, "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc5
Precedence: list
Subject: [OAUTH-WG] Re: Orie Steele's Discuss on draft-ietf-oauth-resource-metadata-10: (with DISCUSS and COMMENT)
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/y13GS1dgFpNzGJPzrG9Zu0kw7Q8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
> On Oct 2, 2024, at 11:38 AM, Orie Steele <orie@transmute.industries> wrote: > > Hi Mike, > > Your PR looks good to me. > > My objection is limited to defining http based resource identifiers as "URIs" that do not contain query, because this contradicts the common interpretation of http resource identifiers which includes: > > The query component contains non-hierarchical data that, along with > data in the path component (Section 3.3), serves to identify a > resource within the scope of the URI's scheme and naming authority > (if any). > > https://datatracker.ietf.org/doc/html/rfc3986#section-3.4 > > I don't believe you need to describe in any detail how query parameters interact with well known URIs. The challenge of course is that there is no canonical representation of a query component, nor is the query component itself required to be in a particular format like query parameters. The various HTTP implementations _may_ restrict themselves to only support query parameters, and may further do so in a way that does not preserve the original escaping or ordering. The resource identifier is meant to be understood by the client, which often is not first party to the AS. This means that unlike Resource Parameters in RFC 8707, allowing query parameters but not answering the question on how such would be handled will have a stronger negative impact on interoperability. Conveying queries in a metadata request also adds the risk that it will share OAuth request information more broadly, e.g. if the well-known logic and the protected resource logic are separated responsibilities. I would propose that a resource identifier is the URI with query and fragment components _removed_, e.g. that all accepted query components amount to a collection with the same metadata. This clarifies that the spec does not attempt to restrict to only resource servers which do not use query components. Otherwise, the protected resource metadata request needs to be modified to include a query component, every possible query will be sent to this endpoint, and we probably should note the potential of sharing request information. -DW
- [OAUTH-WG] Orie Steele's Discuss on draft-ietf-oa… Orie Steele via Datatracker
- [OAUTH-WG] Re: Orie Steele's Discuss on draft-iet… Michael Jones
- [OAUTH-WG] Re: Orie Steele's Discuss on draft-iet… Michael Jones
- [OAUTH-WG] Re: Orie Steele's Discuss on draft-iet… Orie Steele
- [OAUTH-WG] Re: Orie Steele's Discuss on draft-iet… David Waite
- [OAUTH-WG] Re: Orie Steele's Discuss on draft-iet… Orie Steele
- [OAUTH-WG] Re: Orie Steele's Discuss on draft-iet… David Waite