Actually, if it is to return it in the HTTP header, then it should
also use the RFC5988 Web Linking format.
Now, that is nice to have, but for many JSON programmers, I agree that
it would be a hassle to obtain the header and store them in addition
to the JSON. So, it is nicer to have it in JSON body.
Re: Is "_links.self.href" grossly complex over "registration_access_url"?
I do not think so. Accessing a flat top level parameter such
as registration_access_url and _links.self.href does not make any
difference from a
client programmers point of view. That's a beauty of JSON. Both can be
treated as a parameter name. Doing a group operation on the links makes
difference though: the structured one is easier since you can just operate
on _links while in case of the top level parameters, you have to have an
explicit list of them and do the matches. (See below for the necessity
for the grouping).
I and John discussed this for at least half an hour F2F last week, both
technically and from operation/legal point of view, for OpenID Connect
Registration.
Similar points could be made to OAuth dyn reg.
Here is what we have discussed:
When dynamically registering the client to the server,
the server probably needs to return the following:
* terms-of-service (terms of service of the server to the client)
* privacy-policy (privacy policy of the server to the client)
Both are defined in RFC5988/IANA Link Relations registry.
They should be returned together with
* self.href
which is also defined in RFC5988/IANA Link Relations registry.
There are several ways to do it.
* Return these using RFC5988 (HTTP Header)
* Return these in entity body
* Use HAL (or OAuth-meta)/JSON Schema
* Use something else (e.g., a top level items)
Returning it in the entity body has several advantage over HTTP header:
* They can be captured in one call;
* They are protocol agnostic;
We determined that these advantages outweighs the disadvantage of creating
a new standard.
The question becomes then whether to:
* Use HAL (or OAuth-meta)/JSON Schema
* Use something else (e.g., a top level items)
First, we have to consider what needs to be returned in the
link/relationship category. If it were just _links.self.href, then grouping
probably does not make sense. However, since we have terms-of-service and
privacy-policy as well already, it may well make sense.
Moreover, when we think of a multi-tenant authorization server that may
want to use different OAuth authz and token endpoints for different
tennants, it would be better to be able to return those in the registration
response. Then, it would make sense to register OAuth authz and token
endpoints as rel type in the IANA registry (like Bill Mills is trying to
do) and use them in a uniform manner. Note: these per tenant endpoints may
support different scopes etc. as well. Then, these has to be coupled with
the URIs. That is why all of RFC5988/HAL/JSON Schema uses href instead of
just having the URL as the value of the parameter. The semantic
relationship would often have an associated URI, and other parameters that
goes with it.
e.g.:
{
"_links": {
"terms-of-service": {
"href": "https: //server.example.com/tos"
},
"privacy-policy": {
"href": "https: //server.example.com/pp"
},
"self": {
"href": "https: //server.example.com/clients/1234",
"authorize": "Bearer"
},
"oauth_authz": {
"href": "https: //server.example.com/authz",
"scopes": "openid profile email",
"response_types": [
"token id_token",
"code id_token",
"token",
"code"
]
},
"oauth_token": {
"href": "https: //server.example.com/token",
"authorize": "Basic"
}
}
}
In short, there are bunch of link relations that needs to be returned
with additional parameters.
Grouping them seems to make sense.
Considering all these, John and I came to the conclusion that the HAL type
syntax would probably make more sense.
(Note: JSON Schema syntax does not make the parameter access as easy as HAL.)
In fact, Mike Kelly (the author of HAL) and I have just submit
a new version of draft-sakimura-oauth-meta
http://tools.ietf.org/html/draft-sakimura-oauth-meta-02
The proposal was discussed at IETF 85 OAuth WG and the chairs asked to
submit the draft.
The -00 appeared in December, and this -02 has some simplification and
the addition
of the "operations" inspired by
https://tools.ietf.org/html/draft-ietf-scim-api-00#section-3.5 .
It is arguably a subset of HAL plus some OAuth specifics.
I have not added Discovery response example,
but adding them would makes even more sense, I think.
Cheers,
Nat
2013/2/13 Justin Richer <jric...@mitre.org>
>
> Agreed - I didn't think that header-only was the proposal, but let's be
> explicit about the returned body always containing the URL. The way I read
> the 201 definition, it suggests (SHOULD) that you use the location header,
> but also says that the entity should refer to the new resource. It was my
> assumption that the returned JSON would still have some form of client-entity
> management URL (whether it's the HAL _links structure or
> registration_management_url or something else is still up for debate).
>
> -- Justin
>
>
>
> On 02/12/2013 10:28 AM, John Bradley wrote:
>
> Returning a location header in the 201 ids fine as long as we also have the
> same info as a claim.
>
> I think most clients will want to process the JSON and store all the
> parameters together. Making them fish out a header makes the W3C happy and
> is the correct thing to do but taking it from a claim is what developers are
> more comfortable with.
>
> John B.
>
> On 2013-02-12, at 11:25 AM, Justin Richer <jric...@mitre.org> wrote:
>
> I'd be fine with the return from a creation request being a 201 instead of a
> 200.
>
> -- Justin
>
> On 02/11/2013 06:33 PM, Richard Harrington wrote:
>
> Since the request is an HTTP POST and a resource is created
> (http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.5) the response
> should be an HTTP 201 Created
> (http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.2.2) which is
> supposed to include the location of the newly created resource.
>
> This is a good pattern to follow since, as you say, it does provide
> flexibility.
>
>
>
> On Feb 11, 2013, at 1:14 PM, Justin Richer <jric...@mitre.org> wrote:
>
> Draft -05 of OAuth Dynamic Client Registration [1] returns a URL pointer for
> the client to perform update and secret rotation actions. This functionality
> arose from discussions on the list about moving towards a more RESTful
> pattern, and Nat Sakimura proposed this approach in the OpenID Connect
> Working Group. This URL may be distinct from the Client Registration Endpoint
> URL, but draft -05 makes no promises as to its content, form, or structure,
> though it does contain implementor's notes on possible methods.
>
> Two questions arise from this change:
> - The semantics of returning the client manipulation URL
> - The syntax (derived from HAL for JSON [2], an individual I-D submission)
>
> On semantics:
>
> Pro:
> - The server has flexibility on how to define the "update" endpoint, sending
> all clients to one URL, sending different clients to different URLs, or
> sending clients to a URL with a baked-in query parameter
> - The client can take the URL as-is and use it for all management operations
> (ie, it doesn't have to generate or compose the URL based on component parts)
>
> Con:
> - The client must remember one more piece of information from the server at
> runtime if it wants to do manipulation and management of itself at the server
> (in addition to client_id, client_secret, registration_access_token, and
> others)
>
> Alternatives include specifying a URL pattern for the server to use and all
> clients to follow, specifying a query parameter for the update action, and
> specifying a separate endpoint entirely and using the presence of items such
> as client_id and the registration access token to differentiate the requests.
> Note that *all* of these alternatives can be accommodated using the semantics
> described above, with the same actions on the client's part.
>
>
> On syntax:
>
> Pro:
> - Follows the designs of RFC5988 for link relations
> - The HAL format is general, and allows for all kinds of other information to
> be placed inside the _links structure
> - Allows for full use of the JSON object to specify advanced operations on
> the returned endpoint if desired
>
> Con:
> - The rest of OAuth doesn't follow link relation guidelines (though it's been
> brought up)
> - The HAL format is general, and allows for all kinds of other information to
> be placed inside the _links structure
> - The HAL-JSON document is an expired individual I-D, and it's unclear what
> wider adoption looks like right now
>
> Alternatives include returning the URL as a separate data member
> (registration_update_url), using HTTP headers, or using JSON Schema.
>
> -- Justin
>
>
>
> [1] http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-05
> [2] http://tools.ietf.org/html/draft-kelly-json-hal-03
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
