Re: [Txauth] Changes to XYZ
Justin Richer <jricher@mit.edu> Fri, 11 October 2019 19:26 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6834E1200B4 for <txauth@ietfa.amsl.com>; Fri, 11 Oct 2019 12:26:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mI14ZaQUaAT0 for <txauth@ietfa.amsl.com>; Fri, 11 Oct 2019 12:26:35 -0700 (PDT)
Received: from outgoing-exchange-1.mit.edu (outgoing-exchange-1.mit.edu [18.9.28.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC4FE120103 for <txauth@ietf.org>; Fri, 11 Oct 2019 12:26:15 -0700 (PDT)
Received: from oc11exedge2.exchange.mit.edu (OC11EXEDGE2.EXCHANGE.MIT.EDU [18.9.3.18]) by outgoing-exchange-1.mit.edu (8.14.7/8.12.4) with ESMTP id x9BJQA0f028135; Fri, 11 Oct 2019 15:26:11 -0400
Received: from oc11expo18.exchange.mit.edu (18.9.4.49) by oc11exedge2.exchange.mit.edu (18.9.3.18) with Microsoft SMTP Server (TLS) id 15.0.1293.2; Fri, 11 Oct 2019 15:26:12 -0400
Received: from oc11expo18.exchange.mit.edu (18.9.4.49) by oc11expo18.exchange.mit.edu (18.9.4.49) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Fri, 11 Oct 2019 15:26:11 -0400
Received: from oc11expo18.exchange.mit.edu ([18.9.4.49]) by oc11expo18.exchange.mit.edu ([18.9.4.49]) with mapi id 15.00.1365.000; Fri, 11 Oct 2019 15:26:11 -0400
From: Justin Richer <jricher@mit.edu>
To: David Waite <david@alkaline-solutions.com>
CC: "txauth@ietf.org" <txauth@ietf.org>
Thread-Topic: [Txauth] Changes to XYZ
Thread-Index: AQHVgEBxlFNcuZqYrU+R/5hxKy51KadWAHYAgAAVkAA=
Date: Fri, 11 Oct 2019 19:26:10 +0000
Message-ID: <66E1EFF4-BC59-4286-BDA0-6C7BF45179C4@mit.edu>
References: <CCA51923-A6AA-4F87-B823-6DAA7C327668@mit.edu> <3FCF36FC-F428-49CF-8581-F78207150602@alkaline-solutions.com>
In-Reply-To: <3FCF36FC-F428-49CF-8581-F78207150602@alkaline-solutions.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [71.174.62.56]
Content-Type: multipart/alternative; boundary="_000_66E1EFF4BC594286BDA06C7BF45179C4mitedu_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/Y6oz30iW9ulzHAU2AxhqFxG_a_A>
Subject: Re: [Txauth] Changes to XYZ
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Oct 2019 19:26:40 -0000
On Oct 11, 2019, at 2:09 PM, David Waite <david@alkaline-solutions.com<mailto:david@alkaline-solutions.com>> wrote:
On Oct 11, 2019, at 8:30 AM, Justin Richer <jricher@mit.edu<mailto:jricher@mit.edu>> wrote:
<snip>
- Clients can now signal more than one kind of interaction is possible. Syntactically this means we’re sending keys with booleans instead of a “type” key with a string value. Practically this means that the AS now can choose from among a set of options that the client can do and determine what makes the most sense, probably allowing multiple options that it supports.
Would it make sense for the interaction configuration to be the value of that key? e.g.
"redirect": {
"callback": "https://client.example.net/return/123455",
"nonce": "LKLTI25DK82FX4T4QFZC"
}
That’s an interesting idea, and that’s kinda why “callback” is an object but “redirect” is a boolean now. I’d looked into doing exactly what you suggest above, but I think it makes more sense to keep them separate because the way the client can get the user :out: to some interaction piece and the way the client gets information :back: from the AS could be different.
Take for example the device-with-QR-code case. Here you have a client that’s capable of getting the user to an arbitrary URL (by having the user scan a QR code), but not back from it on the same channel. So that’s a “redirect” interaction but without the “callback” portion. Or with the DIDComm work, the client could get the user out to an agent with a DIDComm message, but then the agent might send its responses directly to the AS through some shared fabric, while the client polls.
- I renamed the “client” section to “display” because that’s more what it was — user-facing elements. It’s my hope that this will be less of a place to hang everything off of, like the client ended up being in OAuth2.
It sounds like the use of the term “client” is being deemphasized in the protocol. Would a tweak to the role name potentially be in scope, or would we want to avoid the arguments that come from adding that whole extra wing onto the current bike shed?
I ask because while I have obviously gotten very comfortable with the use of the term client, the generic nature of the term does cause collisions and confusion when OAuth is adopted into a pre-existing space.
It may also be that the use of ‘client’ gets qualified and/or deemphasized once you are talking about the role only in the context of interaction with transaction endpoints.
So it’s not so much that the “client” is de-emphasized in the protocol, so much as that section isn’t really talking just about the “client” as a whole piece of software, and I think it’s important that we don’t pretend that it is. Otherwise we run the risk of lots of other stuff, like capabilities and keys and callbacks and scopes, all getting dumped into that section. In other words, it’s an attempt to separate concerns.
I believe that in OAuth2 we’ve got an unfortunate situation where the “client” data object became the thing that we hung :everything: off of. And so we need the “client_id” everywhere because that’s the only chance we have to switch a whole bunch of functionality. It’s awkward and I think e can do better with this. Keeping this section to just “user-facing display information about the client software instance” is one step toward there.
I don’t really want to bike shed the name of the role right now, even with its baggage. What’s more important to me is that we get pieces of the protocol to represent what we intend them to in a clear way.
— Justin
- [Txauth] Changes to XYZ Justin Richer
- Re: [Txauth] Changes to XYZ David Waite
- Re: [Txauth] Changes to XYZ Justin Richer