IETF Logo Mail Archive

[OAUTH-WG] Re: OAuth Client ID Metadata Document

"Emelia S." <emelia@brandedcode.com> Mon, 08 July 2024 18:34 UTC

Return-Path: <emelia@brandedcode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F6F9C013D0B for <oauth@ietfa.amsl.com>; Mon, 8 Jul 2024 11:34:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=brandedcode.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QgDvhUG99w6e for <oauth@ietfa.amsl.com>; Mon, 8 Jul 2024 11:34:36 -0700 (PDT)
Received: from mail-wm1-x336.google.com (mail-wm1-x336.google.com [IPv6:2a00:1450:4864:20::336]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECAC9C1F73D4 for <oauth@ietf.org>; Mon, 8 Jul 2024 11:33:35 -0700 (PDT)
Received: by mail-wm1-x336.google.com with SMTP id 5b1f17b1804b1-4266ea6a488so5218125e9.1 for <oauth@ietf.org>; Mon, 08 Jul 2024 11:33:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brandedcode.com; s=google; t=1720463614; x=1721068414; darn=ietf.org; h=to:references:message-id:cc:date:in-reply-to:from:subject :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=uxZtZ2wb2pVoFb7IBlQKDRc1nrUkVKlfLqFh5NjN7RA=; b=LZNNkLazX4L6KAvTa5jUzHrCaFRudGFGFh8lXlNodohXthLmCbCnE42OfbsAnjVHOW SeaUZkiVeM3sgHiQReAUzVQc50xiIzJ+Mf/jJrhEIXf2kSABOKAwt/uyfP3DL9IXAElb dL69NyIcAH6nfDUOO7FXVNgmlgPHg4AjCLUBVDmO8sJW00mNspsxOhA0/3oMvvbS6+UT hf4Uc3czxrygWT8Rtesx8PYbeI3B6gzLOAe9gTP3jV+STrpQzL+Rdwypj0y3MsRzGdEa MzEBY7PIDDFBYKsCtMVFZ2DWSiq/SqfQ0NInz8drwqbouK3qZsCZQzhem6uXkTpH5U9e FUvg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720463614; x=1721068414; h=to:references:message-id:cc:date:in-reply-to:from:subject :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=uxZtZ2wb2pVoFb7IBlQKDRc1nrUkVKlfLqFh5NjN7RA=; b=iccEGjiMqjgYYO5et/uk74bsK9UjtFYI9tQ9avGi11yDipmUJPE2jbeXx8vpfEYlTs wZ/gEBo/21EzuMKIHO7uIF/WamcqjukkoV9Rul7kZJud+Flc7DKfvLeDGCbQKUoIMUm9 K5ghftcd8PK7yIoM4imYB04FW3Z7Lz5tJY2CfH84p2ovXm0OOsS/tQHQyjE0rCKQpqZ0 mYb9LG+cfZU7M55aMwV0Tt4Xllz1AtWYV7u8wHZnWWefa8+QIR7GAwPWFGEvBQTFU+Pc vf3wQP5I8i+lP/NSVrTiG/7BwmOCBg7FQGPRS9TCihoKzhsWFSuiTCkCcWaN9gAukp+V OYeQ==
X-Forwarded-Encrypted: i=1; AJvYcCVWJGR/Td2gUPEW66OchqYSogoE6m3llNU6Kq9NFj9tuiLqOS3moKAPM+3JngWSA61hXEXn3VgtJE+Em/yWlQ==
X-Gm-Message-State: AOJu0Yx7UQhX/baO9Ca0E+U/IWlMLJQ9m8lJmtBV+/jQQBE3uPhGH1DL kMNCs9+dwCeJdmr1THLpWYMMHLZo5cX349aRAeWHfjO1J6KP0SyYoGBWWSvsgIU=
X-Google-Smtp-Source: AGHT+IFZWK6MD5Ac4bVoBSuOWvUs1Il0sHUDSrvgRAk2wPH1j5xlqS614J3m77Ln3utK00Ukf0uGBw==
X-Received: by 2002:a05:600c:4a24:b0:426:690d:d5b7 with SMTP id 5b1f17b1804b1-426707f858bmr3154825e9.25.1720463613609; Mon, 08 Jul 2024 11:33:33 -0700 (PDT)
Received: from smtpclient.apple (p200300ef2f04445a541501a67501c204.dip0.t-ipconnect.de. [2003:ef:2f04:445a:5415:1a6:7501:c204]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4266f741fa6sm8026755e9.45.2024.07.08.11.33.32 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 08 Jul 2024 11:33:33 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_181272DC-B07E-4244-B73D-C8ED7BB4EF91"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.600.62\))
From: "Emelia S." <emelia@brandedcode.com>
In-Reply-To: <CAD9ie-tp+EsPR2eQMXCrxFnrZr-BfRzS1bg_pm68uEhjmytggg@mail.gmail.com>
Date: Mon, 08 Jul 2024 20:33:22 +0200
Message-Id: <A7950258-8328-4B2E-B857-46383224BD21@brandedcode.com>
References: <CAGBSGjrU03__4Wt+PiDuR5Z=b5y7GnBwzOiibE1v_Y11NV+Fpg@mail.gmail.com> <BB9F5666-3FD7-4B38-A9E5-C7777FEE14E0@brandedcode.com> <CAD9ie-tp+EsPR2eQMXCrxFnrZr-BfRzS1bg_pm68uEhjmytggg@mail.gmail.com>
To: Dick.Hardt@gmail.com
X-Mailer: Apple Mail (2.3774.600.62)
Message-ID-Hash: FWWIQMKYACCVWSMOZFZSESJ7JCS7FMV5
X-Message-ID-Hash: FWWIQMKYACCVWSMOZFZSESJ7JCS7FMV5
X-MailFrom: emelia@brandedcode.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: OAuth Client ID Metadata Document
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/z6ZUVAzgYBXZM4HkNuj9NR6D6VE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

I would suggest that if an AS were to implement to competing specifications for what a client_id means, then it'd be up to the implementor to decide what is used when. E.g., it'd be difficult to support both OpenID Federation and this I-D simultaneously without some degree of work on the implementors' behalf to try to decide which specification should be used (both have client_id's as URIs, but operate very differently)

The only real mechanism for "claim" here would be through some sort of DNS proof, but that requires either some sort of binding between the client identifier metadata document and the DNS record, or some pre-existing relationship with the AS where the AS provides the value for the proof. I'd be inclined to consider this out of scope, and just allow AS's to provide access to resources as they see fit (no different to dynamic client registration)

> Thanks for this work Emelia! Will you be in Vancouver IETF?

Unfortunately I won't be in Vancouver for it, but do intend to attend remotely where possible. (I'm an independent developer, so don't typically have budget for travel)

Yours,
Emelia Smith

> On 8 Jul 2024, at 20:07, Dick Hardt <dick.hardt@gmail.com> wrote:
> 
> On Mon, Jul 8, 2024 at 10:15 AM Emelia Smith <emelia@brandedcode.com <mailto:emelia@brandedcode.com>> wrote:
>> Just to follow up on this, further:
>> > > 1. If an AS supports both registered, and unregistered clients, is there any guidance or requirements on differentiating between them such as NOT issuing other identifiers that start with 'https"? 
>> >
>> > This is probably a good call-out. I am unsure about how many AS's would actually support both types of clients in practice though.
>> 
>> In practice you're not checking for "https" but "https://", furthermore most implementations use random bytes, often base64url or hex encoded, so they simply don't have the character set necessary to generate client_id's that are also valid URIs (or at least, the probability of this is incredibly small)
> 
> Agree on the "https://" -- that was what I intended.
> 
> There may be ASes that use URLs as identifiers. I don't know of any.
> 
> Not having thought it all through, I might allow a developer to "claim" a "https://" client_id so that they could have more functionality, for example to enable localhost or access to more sensitive data. 
> 
> Thanks for this work Emelia! Will you be in Vancouver IETF?
> 
> /Dick

v2.35.0 | Report a Bug | By Email | System Status