On 21/11/2019 03:29, Daniel Migault wrote:
Hi,This only concerns potential clarification of the text.While reviewing mqtt-profile draft I raised an issue regarding the reference for Oauth [RFC6749] while the remaining of the document references draft-ietf-ace-oauth-authz [1]. My reading of draft-ietf-ace-oauth-authz section 5.6.3 <https://tools..ietf.org/html/draft-ietf-ace-oauth-authz-26#section-5.6.3>. was the same of the one of mqtt-profile coauthors, that is error mandates the use of CBOR. Discussing this with others it seems a mis interpretation of draft-ietf-ace-oauth-authz section 5.6.3 <https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-26#section-5.6.3> [2].I believe that is nice this is a mis-interpretation, but I would recommend that the text makes it more explicit the use of JSON is permitted. This seems to me a request to clarify the text.Yours, Daniel
I would be happy to add more clarification, but I'm currently at a loss of what that would be. Most of the bullets you cited already modify the MUSTs with "...when CBOR is used" or something similar to the same effect. The idea was to express: You can use the vanilla OAuth interactions based on JSON, but if you use CBOR then do it as specified here.
I am happy to take suggestions. /Ludwig
[1] """ In the case of an error, the AS returns error responses for HTTP- based interactions as ASCII codes in JSON content, as defined in Section 5.2 of RFC 6749 <https://tools.ietf.org/html/rfc6749#section-5.2> [RFC6749 <https://tools.ietf.org/html/rfc6749>]. """ [2] """ 5.6.3 <https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-26#section-5.6.3>. Error Response The error responses for CoAP-based interactions with the AS are generally equivalent to the ones for HTTP-based interactions as defined inSection 5.2 of [RFC6749] <https://tools.ietf.org/html/rfc6749#section-5.2>, with the following exceptions: o When using CBOR the raw payload before being processed by the communication security protocol MUST be encoded as a CBOR map. o A response code equivalent to the CoAP code 4.00 (Bad Request) MUST be used for all error responses, except for invalid_client where a response code equivalent to the CoAP code 4.01 (Unauthorized) MAY be used under the same conditions as specified inSection 5.2 of [RFC6749] <https://tools.ietf.org/html/rfc6749#section-5.2>. o The Content-Format (for CoAP-based interactions) or media type (for HTTP-based interactions) "application/ace+cbor" MUST be used for the error response. o The parameters "error", "error_description" and "error_uri" MUST be abbreviated using the codes specified in Figure 12, when a CBOR encoding is used. o The error code (i.e., value of the "error" parameter) MUST be abbreviated as specified in Figure 10, when a CBOR encoding is used. /------------------------+-------------\ | Name | CBOR Values | |------------------------+-------------| | invalid_request | 1 | | invalid_client | 2 | | invalid_grant | 3 | | unauthorized_client | 4 | | unsupported_grant_type | 5 | | invalid_scope | 6 | | unsupported_pop_key | 7 | | incompatible_profiles | 8 | \------------------------+-------------/ Figure 10: CBOR abbreviations for common error codes In addition to the error responses defined in OAuth 2.0, the following behavior MUST be implemented by the AS: o If the client submits an asymmetric key in the token request that the RS cannot process, the AS MUST reject that request with a response code equivalent to the CoAP code 4.00 (Bad Request) including the error code "unsupported_pop_key" defined in Figure 10. o If the client and the RS it has requested an access token for do not share a common profile, the AS MUST reject that request with a response code equivalent to the CoAP code 4.00 (Bad Request) including the error code "incompatible_profiles" defined in Figure 10. """ _______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace
-- Ludwig Seitz, PhD Security Lab, RISE Phone +46(0)70-349 92 51
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace