Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

Anthony Nadalin <tonynad@microsoft.com> Fri, 11 March 2016 03:07 UTC

From: Anthony Nadalin <tonynad@microsoft.com>
To: Nat Sakimura <sakimura@gmail.com>, "Phil Hunt (IDM)" <phil.hunt@oracle.com>
Thread-Topic: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery
Date: Fri, 11 Mar 2016 03:07:27 +0000
Message-ID: <BN3PR0301MB1234BFC8070FAC8CD5B3135FA6B50@BN3PR0301MB1234.namprd03.prod.outlook.com>
References: <56C5C9D5.6040703@gmx.net> <D5D8B85B-68E6-4E88-89F7-88E6851381E4@adm.umu.se> <CA+k3eCQOX6DgiJFp4b0A8R0boVQxVwGJP2-dY8_TbrCpJowOtw@mail.gmail.com> <56E19B6D.6060509@connect2id.com> <64D743EA-3F8D-403B-B05E-74539124A847@oracle.com> <CABzCy2D0P0NZW573g6NG3yYtbdVBifio=4hZi4QkYc3EKxOV5Q@mail.gmail.com>
In-Reply-To: <CABzCy2D0P0NZW573g6NG3yYtbdVBifio=4hZi4QkYc3EKxOV5Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/zgd5ljT1zLQGqV-HIhF17bJjrb4>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

The relationship between AS and RS needs to be scoped to “does this RS accept tokens from this AS”, as a list is too much information that could be used in the wrong way.

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Nat Sakimura
Sent: Thursday, March 10, 2016 6:25 PM
To: Phil Hunt (IDM) <phil.hunt@oracle.com>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

Phil,

Right. So what my conditional approvals (11 conditions in total) said was to drop the word "discovery" from everywhere. This is not a discovery spec. This is a configuration lookup spec, as you correctly point out. So, I am with you here.

Also, my 2nd condition is essentially saying to drop section 3.

One thing that I overlooked, and am with you on, is that we need to be able to express the AS-RS relationships. I have been preaching this in the other thread so many times, as you know, that I thought I had pointed it out, but apparently I missed it in my previous comment. So, I would add my 12th condition:

12. A way to express a list of valid RSs for this AS needs to be added to section 2.

Best,

Nat

2016-03-11 2:09 GMT+09:00 Phil Hunt (IDM) <phil.hunt@oracle.com>:
I strongly oppose. 2 major issues.

This is not service discovery; this is configuration lookup. The client must have already discovered the OAuth issuer URI and the resource URI.

The objective was to provide a method to ensure the client has a valid set of endpoints, to prevent MITM of endpoints like the token endpoint to the resource server.

The draft does not address the issue of a client being given a bad endpoint for an RS. What we end up with is a promiscuous authz service giving out tokens to an unwitting client.

Phil

On Mar 10, 2016, at 08:06, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
+1 to move forward with these
On 10/03/16 17:35, Brian Campbell wrote:

+1

On Thu, Mar 10, 2016 at 6:04 AM, Roland Hedberg <roland.hedberg@umu.se> wrote:

I support this document being moved forward with these two changes:

- change name to “OAuth 2.0 Authorization Server Discovery Metadata” as proposed by Brian and
- use the URI path suffix 'oauth-authorization-server' instead of 'openid-configuration' as proposed by Justin.

On 18 Feb 2016 at 14:40, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

Hi all,

This is a Last Call for comments on the OAuth 2.0 Discovery specification:
https://tools.ietf.org/html/draft-ietf-oauth-discovery-01

Since this document was only adopted recently we are running this last call for **3 weeks**.

Please have your comments in no later than March 10th.

Ciao
Hannes & Derek

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

— Roland

"Everybody should be quiet near a little stream and listen."
From 'Open House for Butterflies' by Ruth Krauss



--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
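As an added example (not code from this thread or from the draft under discussion), the client-side checks the messages above imply: the issuer URI is an input the client already holds, the fetched metadata must be consistent with it before any endpoint is used, and the AS-RS relationship is answered per RS as a yes/no question rather than read from a published list. The same-host endpoint policy, the appended path suffix and the SAMPLE_METADATA document are assumptions made for illustration.

```python
"""Client-side checks for an AS metadata document obtained by configuration lookup.
The client already knows the issuer URI; the metadata is trusted only if consistent with it."""
from urllib.parse import urlsplit

# Constructed sample of what a client might fetch from the issuer's well-known URL.
SAMPLE_METADATA = {
    "issuer": "https://as.example.com",
    "authorization_endpoint": "https://as.example.com/authorize",
    "token_endpoint": "https://as.example.com/token",
    "jwks_uri": "https://as.example.com/jwks.json",
}
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def metadata_url(issuer: str) -> str:
    """Lookup URL using the 'oauth-authorization-server' path suffix proposed in the thread.
    Assumption: the suffix is appended to the issuer URI, as openid-configuration is."""
    return issuer.rstrip("/") + "/.well-known/oauth-authorization-server"

def validate_metadata(expected_issuer: str, metadata: dict) -> list:
    """Return a list of problems; an empty list means the document may be used.
    Local policy, stricter than the draft: every endpoint must be https and on the issuer's
    own host, so a substituted token endpoint on another host is rejected, not used."""
    problems = []
    if metadata.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {metadata.get('issuer')!r} != {expected_issuer!r}")
    issuer_host = urlsplit(expected_issuer).netloc
    for key in ENDPOINT_KEYS:
        url = metadata.get(key)
        if not url:
            problems.append(f"{key} missing")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{key} is not https: {url}")
        if parts.netloc != issuer_host:
            problems.append(f"{key} host {parts.netloc!r} differs from issuer host {issuer_host!r}")
    return problems

def rs_accepts_issuer(rs_trusted_issuers: frozenset, issuer: str) -> bool:
    """AS-RS relationship as the yes/no question 'does this RS accept tokens from this AS',
    answered from the client's own per-RS configuration, not a published list of RSs."""
    return issuer in rs_trusted_issuers

if __name__ == "__main__":
    tampered = dict(SAMPLE_METADATA, token_endpoint="https://other.example.net/token")
    print(validate_metadata("https://as.example.com", SAMPLE_METADATA))  # []
    print(validate_metadata("https://as.example.com", tampered))  # one token_endpoint host problem
```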