On 04/25/2013 12:23 PM, Phil Hunt wrote:
I am not sure what to think about this.
1. I don't want this spec to be incomplete because there is another
external spec published for a specific purpose.
If we needed a registry we could define it in this spec. If we chose a
non-registry method (like how grant_type uses URIs) then it's
self-contained. I prefer the latter, myself.
2. In general i would like to avoid negotiations. It seems to me that
any developer making a client for a mutli-site deployed service would
already be aware of what the generic service require and implement
based on that oob knowledge. Thus when the server merely informs, the
client should be prepared.
The client already has to be prepared because the server will inform,
though. But by making it bidirectional (like all the other parameters)
it gives the client a chance to ask based on whatever information it
wants to. The server is perfectly free to ignore what the client asks
for and just hand it something, just as it's free to do so for all fields.
IMHO, though i understand the motivation, negotiation of client auth
creates more problems then it seems to solve in this case. Downgrade
attack is just one of the problems.
The parameters of the negotiation are going to be application-protocol
specific and depend on things like a Discovery layer for them to be
fully dynamic from a cold boot. And even then servers and clients that
care about this value are going to have to know how to enforce it (it's
the same as it is with grant_type, response_type, scope, and others).
If nothing else, it lets servers tell clients which auth method to use
at the token endpoint. The client can be smart and try to figure out if
it actually supports that method before trying it, or it can be dumb and
ignore the returned value. But with this parameter in the protocol, both
sides at least have a *chance* of doing the right thing.
-- Justin
Phil
On 2013-04-25, at 7:21, John Bradley <ve7...@ve7jtb.com
<mailto:ve7...@ve7jtb.com>> wrote:
I am OK with having a registry, Connect profiles the jwt assertions
draft to add specifics around keying material for interoperability.
It may well be that people will want other methods including SAML
assertions.
While sending a list of methods the client supports to the server and
getting back what is supported by the server works, it is awkward.
My point is mostly that there are lots of other parameters that are
set only by the server. I don't know if we want to start adding them
to registration just to allow for them to be discovered. Using a
simple .well-known discovery document seems simpler.
So making token_endpoint_auth_method an array is not the end of the
world and would work, but heads us in what I think is the wrong
direction.
John B.
On 2013-04-25, at 10:41 AM, Justin Richer <jric...@mitre.org
<mailto:jric...@mitre.org>> wrote:
John, I don't think that anybody's actually suggesting that we add
server discovery in here. :) But since the server does echo back the
configuration in its response, the client is discovering a few
things at run time about what it can and can't do with a particular
server. It's entirely possible that the client might get back a
configuration option that it can't use (say, it can't do
client_secret_jwt assertions but it can do
From what I can see from this thread though there are two open
questions that Phil's raised:
1: Extensibility of token_endpoint_auth_method values, and where
potential values are listed (IANA? fully qualified URIs for things
not in the base spec?)
2: Plurality of token_endpoint_auth_method (could be left as a
string, made an array, or be a JSON-style optional plural: string
value if singular or array if plural)
I think the first one should be addressed, but we just need to pick
the method. I'm personally in favor of the same method we used for
grant_type, which is short values in the spec and extensions as
fully qualified URIs. The second one could break existing
implementations (and other dependent specs), so if we change it, it
has to be for very good reason.
-- Justin
On 04/24/2013 07:23 PM, John Bradley wrote:
In Connect there is a AS discovery before registration.
The general pattern is the RP discovers the capabilities of the AS
authentication methods and algorithms supported by the AS.
The client then picks the best options for it and registers them.
It would in theory work of the client knowing nothing about the AS
pushed it's capabilities at the AS as you are suggesting and let
the AS pick.
My general feeling is that discovery with the client picking the
options works best.
In many cases the client doesn't need to register parameters as
they can be selected at run time once it knows what a server supports.
The token endpoint authentication method was a bit of a special
case where even though it could be all dynamic and work, you do
want to register a choice to prevent backwards compatibility attacks.
I don't really want to complicate registration by trying to make it
also cover AS discovery.
John B.
On 2013-04-24, at 7:55 PM, Phil Hunt <phil.h...@oracle.com
<mailto:phil.h...@oracle.com>> wrote:
Right and if the client wants a method not supported then what?
Why can't the client offer up a list of methods it is able to
support, say in order of preference?
The text appears to indicate only one value may be passed.
Given the way it is written. It seems better to just have the
server say the client must do authn method X in the response.
Phil
@independentid
www.independentid.com <http://www.independentid.com/>
phil.h...@oracle.com <mailto:phil.h...@oracle.com>
On 2013-04-24, at 3:41 PM, John Bradley wrote:
In Connect the AS may support a number of token endpoint
authentication methods. The reason to allow a client to register
using a particular one is to prevent downgrade attacks.
If the client wants to always use an asymmetric signature you
don't want to allow attackers to use weaker methods like http basic.
So a server may support any number of methods, but it is
reasonable for a client to specify which one it is going to use.
In a closed system that may not be that useful but in a open
system where the AS has a looser relationship to the client it is
important.
John B.
On 2013-04-24, at 7:30 PM, Phil Hunt <phil.h...@oracle.com
<mailto:phil.h...@oracle.com>> wrote:
Hmmm… what was the objective or use case for having the client
being able to choose in the first place?
It seems to me that the AS will make a decision based on many
factors. As you say, there isn't any other place that enumerates
the various [authn] methods a client can use to access the token
endpoint. So, why do it?
Phil
@independentid
www.independentid.com <http://www.independentid.com/>
phil.h...@oracle.com <mailto:phil.h...@oracle.com>
On 2013-04-24, at 2:07 PM, Justin Richer wrote:
Seems reasonable to me, can you suggest language to add in the
capability? Would it require an IANA registry? Right now there
isn't any other place that enumerates the various methods that
a client can use to access the token endpoint.
-- Justin
On 04/24/2013 04:17 PM, Phil Hunt wrote:
For parameters to token_endpoint_auth_method, the spec has
defined "client_secret_jwt" and "private_key_jwt". Shouldn't
there be similar options of SAML?
Shouldn't there be an extension point for other methods?
Phil
@independentid
www.independentid.com <http://www.independentid.com/>
phil.h...@oracle.com <mailto:phil.h...@oracle.com>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
