Re: [OAUTH-WG] Cross Platform Authentication - OAuth 2.0 Device Flow

2016-03-11 Thread Hannes Tschofenig
Hi Michael,

thanks for dropping us a note since I was not aware of the EBU work.
It is always intesting to hear from other communities who have been able
to make use of OAuth for their use cases.

I will take a look at your specification to better understand what you
have been doing in your working group.

Ciao
Hannes

On 03/07/2016 09:43 AM, Barroco, Michael wrote:
> Dear all,
> 
> 
> We are contacting you because we noticed that you recently restarted
> the work on OAuth 2.0 Device Flow. We are in the process of
> publishing an ETSI standard [1] specifying a protocol with very
> similar goals. This has been developed by an EBU (European
> Broadcasting Union) working group involving broadcasters, such as
> BBC, SRG-RTS, VRT, RTVE, TVP, Global Radio UK, and device
> manufacturers.
> 
> 
> Our work on the “Cross Platform Authentication” protocol targets
> media devices, such as connected TVs and radio receivers. It is based
> on the early OAuth 2.0 Device Flow draft, but includes additional
> features driven by broadcast industry requirements. These include:
> dynamic registration of clients, dynamic discovery of the
> authorization provider, and issuing of access tokens without
> requiring association with a user account in order to provide
> device-based authentication that does not require user sign-in or
> pairing. Our draft protocol specification is available here [2].
> 
> 
> Cross Platform Authentication also specifies several aspects left
> open to implementers in OAuth 2.0, such as endpoint URL paths, to
> facilitate interoperability. Also note that reference implementations
> are available [3].
> 
> 
> We would be very interested in working together with you to explain
> our design requirements and try to align our protocol designs.
> 
> 
> With best regards,
> 
> 
> The EBU Cross Platform Authentication group
> 
> https://tech.ebu.ch/cpa
> 
> 
> 
> [1]
> https://portal.etsi.org/webapp/WorkProgram/Report_WorkItem.asp?WKI_ID=47970
>
> 
> 
> [2] https://tech.ebu.ch/docs/tech/tech3366.pdf
> 
> [3] https://tech.ebu.ch/code/cpa 
> --
>
>  ** This email and
> any files transmitted with it are confidential and intended solely
> for the use of the individual or entity to whom they are addressed. 
> If you have received this email in error, please notify the system
> manager. This footnote also confirms that this email message has been
> swept by the mailgateway 
> **
> 
> ___ OAuth mailing list 
> OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
> 



signature.asc
Description: OpenPGP digital signature
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] OAuth 2.0 for Native Apps: open source client libraries for Android and iOS now available

2016-03-11 Thread Hannes Tschofenig
Hi William,

sorry for the late response but I just wanted to note that I really
appreciate your efforts around making code available for specifications
we are developing. The implementation efforts that take place currently
with specification writing have always provided a lot of valuable feedback.

I will take a look at your libraries in the near future since I am
interested in using those myself for the IoT environment.

Ciao
Hannes


On 02/26/2016 08:30 PM, William Denniss wrote:
> The Google Identity team this week open sourced AppAuth for Android and
> iOS. AppAuth is a client library for OAuth that enables native Android
> and iOS apps to perform authorization flows in a secure and usable way
> using in-app browser tabs (Custom Tabs on Android,
> SFSafariViewController on iOS), fully supporting the draft best practice
>  for
> performing standards-based auth in native apps.
> 
> The libraries are opinionated and follow the draft best practice
> completely. Low-level protocol APIs are exposed allowing customizability
> including the ability to support OAuth extensions and custom parameters.
> Higher level convenience APIs are also provided to assist with auth
> state management, and encapsulate common requests like exchanging the
> authorization code and making API calls with fresh tokens.
> 
> You can grab the code here:
> https://openid.github.io/AppAuth-Android
> https://openid.github.io/AppAuth-iOS
> 
> The library should work with any Authorization Server that supports
> public clients with custom URI scheme and/or app-claimed HTTPS redirects
> (custom URI schemes are still required for full backwards compatibility
> support, though on newer systems app-claimed HTTPS links are viable –
> both are supported by the library). We have verified interop with the
> Google and PingFederate OAuth implementations.
> 
> Please give it a spin, and let me know how it works with your own
> implementations!
> 
> 
> 
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 



signature.asc
Description: OpenPGP digital signature
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread Melvin Carvalho
On 18 February 2016 at 14:40, Hannes Tschofenig 
wrote:

> Hi all,
>
> This is a Last Call for comments on the  OAuth 2.0 Discovery specification:
> https://tools.ietf.org/html/draft-ietf-oauth-discovery-01
>
> Since this document was only adopted recently we are running this last
> call for **3 weeks**.
>
> Please have your comments in no later than March 10th.
>

Just finished reviewing this.  Since it's 1 day past the comments dealine,
I'll just leave some high level thoughts, based on how I may implement some
of this.  No need to respond.

1. I'd like to see a path supporting the increasingly popular w3c REC, JSON
LD.

2. General feedback I've had since the inception of webfinger was that it's
had decreasing adoption.  Perhaps an idea to remove reference.  Usage stats
would be interesting if public.

3. I feel the mandatory-ness of TLS/SSL slightly over the top.  I dont
think we are at HTTPS everywhere yet, and it's still a pain for the long
tail of developers.

Ill be interested to see this work in action.

>
>
> Ciao
> Hannes & Derek
>
>
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread George Fletcher

+1 for these changes and finishing the doc

On 3/10/16 10:45 AM, Nat Sakimura wrote:

+1 in proceeding with the following changes:

 1. Change name to "*OAuth 2.0 Authorization Server Metadata*",
aligning with section 2.
 2. Have the AS dictate the URI path suffix through link header in the
HEAD response to AS or OOB mechanism.
 3. Align the title of section 3 to section 2 so that it will be
"Obtaining Authorization Server Metadata"
 4. Align the title of section 3.1 to section 2 so that it will be
"Authorization Server Metadata Request"
 5. Align the title of section 3.2 to section 2 so that it will be
"Authorization Server Metadata Response"
 6. Align the title of section 3.3 to section 2 so that it will be
"Authorization Server Metadata Validation"
 7. Align the title of section 7.1 to section 2 so that it will be
"*OAuth Authorization Server Metadata Registry*"
 8. Change all the occurrence of "authorization server discovery
metadata" to "authorization server metadata".
 9. Change all the occurrence of "discovery metadata" to
"authorization server metadata" in a not-case-sensitive way but
preserving the original case.
10. Change "supporting discovery" to "supporting this specification".
11. Change abbrev="OAuth 2.0 Discovery" to abbrev="OAuth 2.0 AS Metadata"

Best,

Nat Sakimura

2016年3月10日(木) 22:05 Roland Hedberg >:


I support this document being moved forward with these two changes:

- change name to “OAuth 2.0 Authorization Server Discovery
Metadata” as proposed by Brian and
- use the URI path suffix ’oauth-authorization-server’ instead of
’openid-configuration’ as proposed by Justin.

> 18 feb 2016 kl. 14:40 skrev Hannes Tschofenig
mailto:hannes.tschofe...@gmx.net>>:
>
> Hi all,
>
> This is a Last Call for comments on the  OAuth 2.0 Discovery
specification:
> https://tools.ietf.org/html/draft-ietf-oauth-discovery-01
>
> Since this document was only adopted recently we are running
this last
> call for **3 weeks**.
>
> Please have your comments in no later than March 10th.
>
> Ciao
> Hannes & Derek
>
> ___
> OAuth mailing list
> OAuth@ietf.org 
> https://www.ietf.org/mailman/listinfo/oauth

— Roland

”Everybody should be quiet near a little stream and listen."
>From ’Open House for Butterflies’ by Ruth Krauss

___
OAuth mailing list
OAuth@ietf.org 
https://www.ietf.org/mailman/listinfo/oauth



___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


--
Chief Architect
Identity Services Engineering Work: george.fletc...@teamaol.com
AOL Inc.  AIM:  gffletch
Mobile: +1-703-462-3494   Twitter: http://twitter.com/gffletch
Office: +1-703-265-2544   Photos: http://georgefletcher.photography

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread George Fletcher
I am strongly against requiring the AS to know about RS URIs and 
managing that based on a client request for a token. I've stated my 
reasons previously.


Happy to agree to disagree:)

Thanks,
George

On 3/10/16 10:17 PM, Phil Hunt (IDM) wrote:

Nat,

Agree with your points.

Regarding the last, I am not sure an AS should release the set of 
valid rs's. I think the returned data has to be limited somehow. Maybe 
by aud uri or maybe just a yes/no to a uri the client provides. This 
needs discussion.


Am worried about the resource side discovery and how much we can 
intrude here. It may have similar issues disclosing approved ASs.


Finally since we might not control rs discovery it may be possible 
that the discovery is fake. Maybe this is where something like 
software statements comes into play as it would at least prevent a 
mitm from changing the assertions in its discovery. It would not have 
the RS's private key and this signed statements might build trust.


Phil

On Mar 10, 2016, at 18:24, Nat Sakimura > wrote:



Phil,

Right. So what my conditional approvals (11 conditions in total) said 
was to drop the word "discovery" from everywhere. This is not a 
discovery spec. This is a configuration lookup spec as you correctly 
points out. So, I am with you here.


Also, my 2nd conditiion is essentially saying to drop section 3.

One thing that I overlooked and am with you is that we need to be 
able to express the AS-RS relationships. I have been preaching this 
in the other thread for so many times as you know so I thought I 
pointed it out, but missed apparently in my previous comment. So, I 
would add my 12th condition:


12. A way to express a list of valid RSs for this AS needs to be 
added to section 2.


Best,

Nat

2016-03-11 2:09 GMT+09:00 Phil Hunt (IDM) >:


I strongly oppose. 2 major issues.

This is not service discovery this is configuration lookup. The
client must have already discovered the oauth issuer uri and the
resource uri.

The objective was to provide a method to ensure the client has a
valid set of endpoints to prevent mitm of endpoints like the
token endpoint to the resource server.

The draft does not address the issue of a client being given a
bad endpoint for an rs. What we end up with is a promiscuous
authz service giving out tokens to an unwitting client.

Phil

On Mar 10, 2016, at 08:06, Vladimir Dzhuvinov
mailto:vladi...@connect2id.com>> wrote:


+1 to move forward with these

On 10/03/16 17:35, Brian Campbell wrote:

+1

On Thu, Mar 10, 2016 at 6:04 AM, Roland Hedberg 

wrote:


I support this document being moved forward with these two changes:

- change name to “OAuth 2.0 Authorization Server Discovery Metadata” as
proposed by Brian and
- use the URI path suffix ’oauth-authorization-server’ instead of
’openid-configuration’ as proposed by Justin.


18 feb 2016 kl. 14:40 skrev Hannes Tschofenig mailto:hannes.tschofe...@gmx.net>
:

Hi all,

This is a Last Call for comments on the  OAuth 2.0 Discovery

specification:

https://tools.ietf.org/html/draft-ietf-oauth-discovery-01

Since this document was only adopted recently we are running this last
call for **3 weeks**.

Please have your comments in no later than March 10th.

Ciao
Hannes & Derek

___
OAuth mailing list
OAuth@ietf.org 
https://www.ietf.org/mailman/listinfo/oauth

— Roland

”Everybody should be quiet near a little stream and listen."
 From ’Open House for Butterflies’ by Ruth Krauss


___
OAuth mailing list
OAuth@ietf.org 
https://www.ietf.org/mailman/listinfo/oauth





___
OAuth mailing list
OAuth@ietf.org 
https://www.ietf.org/mailman/listinfo/oauth


___
OAuth mailing list
OAuth@ietf.org 
https://www.ietf.org/mailman/listinfo/oauth




--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en



___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread John Bradley
I think Phil is proposing something different.   Should the client send a token 
from this AS to that RS.  

His goal is to prevent man in the middle attacks where a bad RS gets a AT that 
is audianced to/accepted by another RS.

That is separate from the question of if a RS accepts tokens from a good AS.   
A bad AS would always say yes.

We need to be careful of what if anything the RS provides to the client as 
meta-data without validation.

Currently the client can provide a list of scopes required to get access.   I 
personally feel it would be useful to also include in the unauthenticated error 
response an indication of what API the resource supports.  Say “scim2” as an 
example.   I don’t think adding that is however a high priority as most if all 
clients know what API they expect.   It might be useful if at some point in the 
future if a client were to be given a RS URI it could check to see if it is a 
protocol that it supports before bothering with OAuth.I expect that a lot 
of people will want that left to the API definition.   I think we can talk 
about it but rate this low priority.

I agree that the RS giving out a list of AS that it trusts is a generally bad 
idea.  I hope that is not on the table.

I don’t think that preventing a client from sending a token to the wrong RS is 
part of a AS meta-data discovery problem.

I do however think that it is important.

We have been discussing this as a separate problem to AS meta-data discovery 
where the endpoints of the AS and it’s configuration are discovery.   Sorry for 
perhaps stating the obvious, but the RS is explicitly not part of the AS in 
OAuth 2.   Starting in WAP that was a core principal.

So we have a number of options to address the RS token leakage via MiTM attacks.

1) PoP bound tokens.  If they are bound to the TLS channel by mutual TLS or 
Token binding they cannot be replayed.  Signed messages where the signing 
covers the RS Host and path components,  also would work.

2) Have the AS audience restrict the resources the AT is good at. (AT should be 
doing that now) 
In the token response include the list of audience/s the token is presentable 
at.  The client would throw an error if the RS it intends to send the token to 
is not on the list.   The RS the token is good at might change based on scopes, 
client_id and resource owner.   This is the place where all of that comes 
together.   In some cases the RS and AS might not have a pre-established 
relationship.   The client should send the RS base URI to the AS as part of the 
request.  The AS can use that to audience restrict the AT and issue the AT or 
refuse to issue the AT based on policy.
It can also use the audience in the request to down audience the AT if the 
default is to have multiple audiences.We may want to use a term other than 
audience for this like resource or destination.  It is a audience but that term 
might confuse people with AT.

We did talk about breaking audience out of POP key distribution, and Brian 
Campbell did a draft https://tools.ietf.org/html/draft-campbell-oauth-dst4jwt.  
 

To do this we could take dst4jwt and add another spec that adds a new dst 
parameter to the token and authorization endpoints requests That would be a 
space separated list of dst values.  and in the response from the token 
endpoint would be a JSON array of dst values.

3) Have the AS always return all the list of all RS the token can be used at 
(basically Nat's link relationship proposal).  It needs a way to handle 
down destinationing of AT and to allow for un-configured RS that it might issue 
a token for.  So could be combined with dst from 2.  Basically returning the 
acceptable destinations as link headers vs JS in the response is mostly a style 
issue that other people can bike shed.


4) Trying to add all the RS to the AS discovery document.  This seems 
impractical as there would be multiple protocols and doesn’t address 
un-configured RS.

5) Some new AS endpoint that the client could introspect the RS URI and get 
back metadata about if the client should send tokens there.
A couple of problems with this.  The first is that it would not support 
un-configured RS unless you add dst to the token and authorization endpoints.   
The other is that the introspection endpoint doesn’t have the context of the RO 
and client_id unless you also pass the code/RT and client_id, and probably 
client credentials.Basically this is trying to introspect the AT to 
determine the audiance/dst.   By the time you build a new introspection 
endpoint securely it is going to look like the token endpoint with a bit more 
meta data about the token beyond expiry and scopes.


I think we should go a head with the renamed "OAuth 2.0 Authorization Server 
Discovery Metadata” 
I am also fine with making the default document 'openid-configuration’  as long 
as we allow for protocol specific variation so that SCIM2 could define a file 
name.If people want we could do a API

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread Phil Hunt (IDM)
John

In many case all the AS has to check is the domain name component to check for 
mitm. 

POP and the other solns are dramatically more complex than a simple check. 

I see it as part of the discovery(bad name aside) problem because we discussed 
that if a client finds app.example.com how do we ensure it gets a complete set 
of oauth endpoints as a valid set of endpoints--that a hacker has not inserted 
one of their own endpoints. The most important endpoint to get right is 
ensuring the resource server (and optionally the path) is the correct one. We 
can't really define resource discovery but we can validate it to some degree. 

I am not stuck on webfinger or well-known. Because this is config maybe it 
should be an oauth endpoint. 

Phil

> On Mar 11, 2016, at 06:51, John Bradley  wrote:
> 
> I think Phil is proposing something different.   Should the client send a 
> token from this AS to that RS.  
> 
> His goal is to prevent man in the middle attacks where a bad RS gets a AT 
> that is audianced to/accepted by another RS.
> 
> That is separate from the question of if a RS accepts tokens from a good AS.  
>  A bad AS would always say yes.
> 
> We need to be careful of what if anything the RS provides to the client as 
> meta-data without validation.
> 
> Currently the client can provide a list of scopes required to get access.   I 
> personally feel it would be useful to also include in the unauthenticated 
> error response an indication of what API the resource supports.  Say “scim2” 
> as an example.   I don’t think adding that is however a high priority as most 
> if all clients know what API they expect.   It might be useful if at some 
> point in the future if a client were to be given a RS URI it could check to 
> see if it is a protocol that it supports before bothering with OAuth.I 
> expect that a lot of people will want that left to the API definition.   I 
> think we can talk about it but rate this low priority.
> 
> I agree that the RS giving out a list of AS that it trusts is a generally bad 
> idea.  I hope that is not on the table.
> 
> I don’t think that preventing a client from sending a token to the wrong RS 
> is part of a AS meta-data discovery problem.
> 
> I do however think that it is important.
> 
> We have been discussing this as a separate problem to AS meta-data discovery 
> where the endpoints of the AS and it’s configuration are discovery.   Sorry 
> for perhaps stating the obvious, but the RS is explicitly not part of the AS 
> in OAuth 2.   Starting in WAP that was a core principal.
> 
> So we have a number of options to address the RS token leakage via MiTM 
> attacks.
> 
> 1) PoP bound tokens.  If they are bound to the TLS channel by mutual TLS or 
> Token binding they cannot be replayed.  Signed messages where the signing 
> covers the RS Host and path components,  also would work.
> 
> 2) Have the AS audience restrict the resources the AT is good at. (AT should 
> be doing that now) 
> In the token response include the list of audience/s the token is presentable 
> at.  The client would throw an error if the RS it intends to send the token 
> to is not on the list.   The RS the token is good at might change based on 
> scopes, client_id and resource owner.   This is the place where all of that 
> comes together.   In some cases the RS and AS might not have a 
> pre-established relationship.   The client should send the RS base URI to the 
> AS as part of the request.  The AS can use that to audience restrict the AT 
> and issue the AT or refuse to issue the AT based on policy.
> It can also use the audience in the request to down audience the AT if the 
> default is to have multiple audiences.We may want to use a term other 
> than audience for this like resource or destination.  It is a audience but 
> that term might confuse people with AT.
> 
> We did talk about breaking audience out of POP key distribution, and Brian 
> Campbell did a draft 
> https://tools.ietf.org/html/draft-campbell-oauth-dst4jwt.   
> 
> To do this we could take dst4jwt and add another spec that adds a new dst 
> parameter to the token and authorization endpoints requests That would be a 
> space separated list of dst values.  and in the response from the token 
> endpoint would be a JSON array of dst values.
> 
> 3) Have the AS always return all the list of all RS the token can be used at 
> (basically Nat's link relationship proposal).  It needs a way to handle 
> down destinationing of AT and to allow for un-configured RS that it might 
> issue a token for.  So could be combined with dst from 2.  Basically 
> returning the acceptable destinations as link headers vs JS in the response 
> is mostly a style issue that other people can bike shed.
> 
> 
> 4) Trying to add all the RS to the AS discovery document.  This seems 
> impractical as there would be multiple protocols and doesn’t address 
> un-configured RS.
> 
> 5) Some new AS endpoint that the client could introspect the RS

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread Anthony Nadalin
There have been way too many issues, confused conversations and discussions on 
and off list to have this document move forward, suggest that this be one of 
the main items on the agenda for when we meet.

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Phil Hunt (IDM)
Sent: Thursday, March 10, 2016 9:09 AM
To: Vladimir Dzhuvinov 
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

I strongly oppose. 2 major issues.

This is not service discovery this is configuration lookup. The client must 
have already discovered the oauth issuer uri and the resource uri.

The objective was to provide a method to ensure the client has a valid set of 
endpoints to prevent mitm of endpoints like the token endpoint to the resource 
server.

The draft does not address the issue of a client being given a bad endpoint for 
an rs. What we end up with is a promiscuous authz service giving out tokens to 
an unwitting client.

Phil

On Mar 10, 2016, at 08:06, Vladimir Dzhuvinov 
mailto:vladi...@connect2id.com>> wrote:
+1 to move forward with these
On 10/03/16 17:35, Brian Campbell wrote:

+1



On Thu, Mar 10, 2016 at 6:04 AM, Roland Hedberg 


wrote:



I support this document being moved forward with these two changes:



- change name to “OAuth 2.0 Authorization Server Discovery Metadata” as

proposed by Brian and

- use the URI path suffix ’oauth-authorization-server’ instead of

’openid-configuration’ as proposed by Justin.



18 feb 2016 kl. 14:40 skrev Hannes Tschofenig 
mailto:hannes.tschofe...@gmx.net>

:



Hi all,



This is a Last Call for comments on the  OAuth 2.0 Discovery

specification:

https://tools.ietf.org/html/draft-ietf-oauth-discovery-01



Since this document was only adopted recently we are running this last

call for **3 weeks**.



Please have your comments in no later than March 10th.



Ciao

Hannes & Derek



___

OAuth mailing list

OAuth@ietf.org

https://www.ietf.org/mailman/listinfo/oauth

— Roland



”Everybody should be quiet near a little stream and listen."

From ’Open House for Butterflies’ by Ruth Krauss





___

OAuth mailing list

OAuth@ietf.org

https://www.ietf.org/mailman/listinfo/oauth








___

OAuth mailing list

OAuth@ietf.org

https://www.ietf.org/mailman/listinfo/oauth
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread John Bradley
Inline
> On Mar 11, 2016, at 12:13 PM, Phil Hunt (IDM)  wrote:
> 
> John
> 
> In many case all the AS has to check is the domain name component to check 
> for mitm. 
> 
> POP and the other solns are dramatically more complex than a simple check. 

I was proposing ding that check at the authorization endpoint or token endpoint 
as part of AT issuance. 

It is up to the AS how much of the path to validate and or put in the aud or 
dst. 


> 
> I see it as part of the discovery(bad name aside) problem because we 
> discussed that if a client finds app.example.com  
> how do we ensure it gets a complete set of oauth endpoints as a valid set of 
> endpoints--that a hacker has not inserted one of their own endpoints. The 
> most important endpoint to get right is ensuring the resource server (and 
> optionally the path) is the correct one. We can't really define resource 
> discovery but we can validate it to some degree. 
> 
I think it is part of core protocol security and should/must not require 
discovery. 

What is app.example.com ? 

If it is the resource then the client would be preconfigured for it’s AS out of 
band or optionally would do discovery on the issuer uri that you admit needs to 
be configured out of band some way (note discovery is optional)

In the AS meta-data draft it would do a get on a well known file that would 
have configuration for the AS, but not the RS, though some API may optionally 
list a API endpoint like connect has.  

The client then makes a authorization request (after registering out of band or 
dynamically).  
As part of the authorization request for implicit it could provide the aud/dst 
that it wants the token for.
If that is not sent then the aud/dst are implicit in the scopes.

The client gets back a AT with a list of scopes granted, aud/dst allowed and 
time to live for the token (one extra thing returned)

This doesn’t require any discovery (yes there is a optional AS meta-data 
discovery but not required)

I prefer to fix the RS man in the middle issue as part of the protocol and not 
part of discovery that should remain optional.

I honestly don’t quite know how the client learns about this bad RS and starts 
talking to it, so this may be a solution to a problem that doesn’t yet exist.   
The one place this is posable is if the registration for the client is 
compromised.  However we are discussing other mitigations for that that also 
explicitly do not require discovery.

John B.


> I am not stuck on webfinger or well-known. Because this is config maybe it 
> should be an oauth endpoint. 
> 
> Phil
> 
> On Mar 11, 2016, at 06:51, John Bradley  > wrote:
> 
>> I think Phil is proposing something different.   Should the client send a 
>> token from this AS to that RS.  
>> 
>> His goal is to prevent man in the middle attacks where a bad RS gets a AT 
>> that is audianced to/accepted by another RS.
>> 
>> That is separate from the question of if a RS accepts tokens from a good AS. 
>>   A bad AS would always say yes.
>> 
>> We need to be careful of what if anything the RS provides to the client as 
>> meta-data without validation.
>> 
>> Currently the client can provide a list of scopes required to get access.   
>> I personally feel it would be useful to also include in the unauthenticated 
>> error response an indication of what API the resource supports.  Say “scim2” 
>> as an example.   I don’t think adding that is however a high priority as 
>> most if all clients know what API they expect.   It might be useful if at 
>> some point in the future if a client were to be given a RS URI it could 
>> check to see if it is a protocol that it supports before bothering with 
>> OAuth.I expect that a lot of people will want that left to the API 
>> definition.   I think we can talk about it but rate this low priority.
>> 
>> I agree that the RS giving out a list of AS that it trusts is a generally 
>> bad idea.  I hope that is not on the table.
>> 
>> I don’t think that preventing a client from sending a token to the wrong RS 
>> is part of a AS meta-data discovery problem.
>> 
>> I do however think that it is important.
>> 
>> We have been discussing this as a separate problem to AS meta-data discovery 
>> where the endpoints of the AS and it’s configuration are discovery.   Sorry 
>> for perhaps stating the obvious, but the RS is explicitly not part of the AS 
>> in OAuth 2.   Starting in WAP that was a core principal.
>> 
>> So we have a number of options to address the RS token leakage via MiTM 
>> attacks.
>> 
>> 1) PoP bound tokens.  If they are bound to the TLS channel by mutual TLS or 
>> Token binding they cannot be replayed.  Signed messages where the signing 
>> covers the RS Host and path components,  also would work.
>> 
>> 2) Have the AS audience restrict the resources the AT is good at. (AT should 
>> be doing that now) 
>> In the token response include the list of audience/s the token is 
>> presenta

[OAUTH-WG] Concluding the Call for Adoption of the Authorization Server Mix-Up Specification

2016-03-11 Thread Hannes Tschofenig
Hi all,

on February 19 I posted a note to the list asking the group to consider
a call for adoption of either 
or , see
https://www.ietf.org/mail-archive/web/oauth/current/msg15829.html

I gave time till early March to think about this topic and there was a
lot of feedback on the mailing list.

Here are key observations I made:

 (1) Most folks argued that they wanted
 as a starting point for a
solution (*).

 There are, however, various issues that surfaced:

a) From the discussions I think the document needs to provide more
information about the attack (in addition to the reference to the
research paper).

b) William furthermore suggested to change the title of the document
to have a more positive tone, namely to focus on the use case it support
rather than the attack it mitigates. I am open to suggestions to hear
better document titles and abstracts.

c) Torsten argued that the code injection/copy and paste attack
should go into a separate document (instead of covering both type of
issues in the same document).

 (2) There is some interest to explore a PKCE-based solution approach as
well. I believe we should survey the landscape extensively and also
consider this approach.

To acknowledge the work Nat has put into this topic with the work on
 and the discussion feedback I would like
to have him participate in the work of the working group item as a
co-author.

I would like to already now thank those who had spent time and energy in
exploring this topic. Big thanks also go to Roland, Brian and Hans for
their prototyping efforts.

Ciao
Hannes

PS: During the discussion some other issues surface, such as associating
the access tokens with a specific audience, and this is a topic we will
have to cover separately.




signature.asc
Description: OpenPGP digital signature
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread Brian Campbell
I tend to agree with John that addressing the concerns Phil raises should
be part of (extension to) the core protocol.  And that those kinds of
concerns don't manifest in the way OAuth is typically deployed now.

The hopefully soon to be named "OAuth 2.0 Authorization Server Metadata"
should keep it's scope to the publishing of authorization server metadata.
The act of doing discovery is beyond its scope and so is trying to prevent
a client from presenting a token to someplace it shouldn't.



On Fri, Mar 11, 2016 at 9:08 AM, John Bradley  wrote:

> Inline
>
> On Mar 11, 2016, at 12:13 PM, Phil Hunt (IDM) 
> wrote:
>
> John
>
> In many case all the AS has to check is the domain name component to check
> for mitm.
>
> POP and the other solns are dramatically more complex than a simple check.
>
>
> I was proposing ding that check at the authorization endpoint or token
> endpoint as part of AT issuance.
>
> It is up to the AS how much of the path to validate and or put in the aud
> or dst.
>
>
>
> I see it as part of the discovery(bad name aside) problem because we
> discussed that if a client finds app.example.com how do we ensure it gets
> a complete set of oauth endpoints as a valid set of endpoints--that a
> hacker has not inserted one of their own endpoints. The most important
> endpoint to get right is ensuring the resource server (and optionally the
> path) is the correct one. We can't really define resource discovery but we
> can validate it to some degree.
>
> I think it is part of core protocol security and should/must not require
> discovery.
>
> What is app.example.com ?
>
> If it is the resource then the client would be preconfigured for it’s AS
> out of band or optionally would do discovery on the issuer uri that you
> admit needs to be configured out of band some way (note discovery is
> optional)
>
> In the AS meta-data draft it would do a get on a well known file that
> would have configuration for the AS, but not the RS, though some API may
> optionally list a API endpoint like connect has.
>
> The client then makes a authorization request (after registering out of
> band or dynamically).
> As part of the authorization request for implicit it could provide the
> aud/dst that it wants the token for.
> If that is not sent then the aud/dst are implicit in the scopes.
>
> The client gets back a AT with a list of scopes granted, aud/dst allowed
> and time to live for the token (one extra thing returned)
>
> This doesn’t require any discovery (yes there is a optional AS meta-data
> discovery but not required)
>
> I prefer to fix the RS man in the middle issue as part of the protocol and
> not part of discovery that should remain optional.
>
> I honestly don’t quite know how the client learns about this bad RS and
> starts talking to it, so this may be a solution to a problem that doesn’t
> yet exist.   The one place this is posable is if the registration for the
> client is compromised.  However we are discussing other mitigations for
> that that also explicitly do not require discovery.
>
> John B.
>
>
> I am not stuck on webfinger or well-known. Because this is config maybe it
> should be an oauth endpoint.
>
> Phil
>
> On Mar 11, 2016, at 06:51, John Bradley  wrote:
>
> I think Phil is proposing something different.   Should the client send a
> token from this AS to that RS.
>
> His goal is to prevent man in the middle attacks where a bad RS gets a AT
> that is audianced to/accepted by another RS.
>
> That is separate from the question of if a RS accepts tokens from a good
> AS.   A bad AS would always say yes.
>
> We need to be careful of what if anything the RS provides to the client as
> meta-data without validation.
>
> Currently the client can provide a list of scopes required to get access.
>   I personally feel it would be useful to also include in the
> unauthenticated error response an indication of what API the resource
> supports.  Say “scim2” as an example.   I don’t think adding that is
> however a high priority as most if all clients know what API they expect.
> It might be useful if at some point in the future if a client were to be
> given a RS URI it could check to see if it is a protocol that it supports
> before bothering with OAuth.I expect that a lot of people will want
> that left to the API definition.   I think we can talk about it but rate
> this low priority.
>
> I agree that the RS giving out a list of AS that it trusts is a generally
> bad idea.  I hope that is not on the table.
>
> I don’t think that preventing a client from sending a token to the wrong
> RS is part of a AS meta-data discovery problem.
>
> I do however think that it is important.
>
> We have been discussing this as a separate problem to AS meta-data
> discovery where the endpoints of the AS and it’s configuration are
> discovery.   Sorry for perhaps stating the obvious, but the RS is
> explicitly not part of the AS in OAuth 2.   Starting in WAP that was a core
> principal.
>
> So we have a numbe

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread Anthony Nadalin
Disagree, what purpose is this activity solving then, it was being pushed as 
what was need to solve the Mix-up, but that is not true. So now you are 
suggesting a change in scope and not dealing with discovery.

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Brian Campbell
Sent: Friday, March 11, 2016 3:11 PM
To: John Bradley 
Cc: oauth 
Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

I tend to agree with John that addressing the concerns Phil raises should be 
part of (extension to) the core protocol.  And that those kinds of concerns 
don't manifest in the way OAuth is typically deployed now.

The hopefully soon to be named "OAuth 2.0 Authorization Server Metadata" should 
keep it's scope to the publishing of authorization server metadata. The act of 
doing discovery is beyond its scope and so is trying to prevent a client from 
presenting a token to someplace it shouldn't.


On Fri, Mar 11, 2016 at 9:08 AM, John Bradley 
mailto:ve7...@ve7jtb.com>> wrote:
Inline
On Mar 11, 2016, at 12:13 PM, Phil Hunt (IDM) 
mailto:phil.h...@oracle.com>> wrote:

John

In many case all the AS has to check is the domain name component to check for 
mitm.

POP and the other solns are dramatically more complex than a simple check.

I was proposing ding that check at the authorization endpoint or token endpoint 
as part of AT issuance.

It is up to the AS how much of the path to validate and or put in the aud or 
dst.



I see it as part of the discovery(bad name aside) problem because we discussed 
that if a client finds 
app.example.com
 how do we ensure it gets a complete set of oauth endpoints as a valid set of 
endpoints--that a hacker has not inserted one of their own endpoints. The most 
important endpoint to get right is ensuring the resource server (and optionally 
the path) is the correct one. We can't really define resource discovery but we 
can validate it to some degree.

I think it is part of core protocol security and should/must not require 
discovery.

What is 
app.example.com
 ?

If it is the resource then the client would be preconfigured for it’s AS out of 
band or optionally would do discovery on the issuer uri that you admit needs to 
be configured out of band some way (note discovery is optional)

In the AS meta-data draft it would do a get on a well known file that would 
have configuration for the AS, but not the RS, though some API may optionally 
list a API endpoint like connect has.

The client then makes a authorization request (after registering out of band or 
dynamically).
As part of the authorization request for implicit it could provide the aud/dst 
that it wants the token for.
If that is not sent then the aud/dst are implicit in the scopes.

The client gets back a AT with a list of scopes granted, aud/dst allowed and 
time to live for the token (one extra thing returned)

This doesn’t require any discovery (yes there is a optional AS meta-data 
discovery but not required)

I prefer to fix the RS man in the middle issue as part of the protocol and not 
part of discovery that should remain optional.

I honestly don’t quite know how the client learns about this bad RS and starts 
talking to it, so this may be a solution to a problem that doesn’t yet exist.   
The one place this is posable is if the registration for the client is 
compromised.  However we are discussing other mitigations for that that also 
explicitly do not require discovery.

John B.



I am not stuck on webfinger or well-known. Because this is config maybe it 
should be an oauth endpoint.

Phil

On Mar 11, 2016, at 06:51, John Bradley 
mailto:ve7...@ve7jtb.com>> wrote:
I think Phil is proposing something different.   Should the client send a token 
from this AS to that RS.

His goal is to prevent man in the middle attacks where a bad RS gets a AT that 
is audianced to/accepted by another RS.

That is separate from the question of if a RS accepts tokens from a good AS.   
A bad AS would always say yes.

We need to be careful of what if anything the RS provides to the client as 
meta-data without validation.

Currently the client can provide a list of scopes required to get access.   I 
personally feel it would be useful to also include in the unauthenticated error 
response an indication of what API the resource supports.  Say “scim2” as an 
example.   I don’t think adding that is however a high priority as most if all 
clients know what API they expect.   It might be useful if at some point in th

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread Brian Campbell
That *is* the scope of the current document, which a majority of folks have
agreed with. I was reiterating that the name of the document should reflect
its content, something else that has been widely agreed with.

On Fri, Mar 11, 2016 at 4:24 PM, Anthony Nadalin 
wrote:

> Disagree, what purpose is this activity solving then, it was being pushed
> as what was need to solve the Mix-up, but that is not true. So now you are
> suggesting a change in scope and not dealing with discovery.
>
>
>
> *From:* OAuth [mailto:oauth-boun...@ietf.org] *On Behalf Of *Brian
> Campbell
> *Sent:* Friday, March 11, 2016 3:11 PM
> *To:* John Bradley 
>
> *Cc:* oauth 
> *Subject:* Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery
>
>
>
> I tend to agree with John that addressing the concerns Phil raises should
> be part of (extension to) the core protocol.  And that those kinds of
> concerns don't manifest in the way OAuth is typically deployed now.
>
> The hopefully soon to be named "OAuth 2.0 Authorization Server Metadata"
> should keep it's scope to the publishing of authorization server metadata.
> The act of doing discovery is beyond its scope and so is trying to prevent
> a client from presenting a token to someplace it shouldn't.
>
>
>
> On Fri, Mar 11, 2016 at 9:08 AM, John Bradley  wrote:
>
> Inline
>
> On Mar 11, 2016, at 12:13 PM, Phil Hunt (IDM) 
> wrote:
>
>
>
> John
>
>
>
> In many case all the AS has to check is the domain name component to check
> for mitm.
>
>
>
> POP and the other solns are dramatically more complex than a simple check.
>
>
>
> I was proposing ding that check at the authorization endpoint or token
> endpoint as part of AT issuance.
>
>
>
> It is up to the AS how much of the path to validate and or put in the aud
> or dst.
>
>
>
>
>
>
>
> I see it as part of the discovery(bad name aside) problem because we
> discussed that if a client finds app.example.com
> 
> how do we ensure it gets a complete set of oauth endpoints as a valid set
> of endpoints--that a hacker has not inserted one of their own endpoints.
> The most important endpoint to get right is ensuring the resource server
> (and optionally the path) is the correct one. We can't really define
> resource discovery but we can validate it to some degree.
>
>
>
> I think it is part of core protocol security and should/must not require
> discovery.
>
>
>
> What is app.example.com
> 
> ?
>
>
>
> If it is the resource then the client would be preconfigured for it’s AS
> out of band or optionally would do discovery on the issuer uri that you
> admit needs to be configured out of band some way (note discovery is
> optional)
>
>
>
> In the AS meta-data draft it would do a get on a well known file that
> would have configuration for the AS, but not the RS, though some API may
> optionally list a API endpoint like connect has.
>
>
>
> The client then makes a authorization request (after registering out of
> band or dynamically).
>
> As part of the authorization request for implicit it could provide the
> aud/dst that it wants the token for.
>
> If that is not sent then the aud/dst are implicit in the scopes.
>
>
>
> The client gets back a AT with a list of scopes granted, aud/dst allowed
> and time to live for the token (one extra thing returned)
>
>
>
> This doesn’t require any discovery (yes there is a optional AS meta-data
> discovery but not required)
>
>
>
> I prefer to fix the RS man in the middle issue as part of the protocol and
> not part of discovery that should remain optional.
>
>
>
> I honestly don’t quite know how the client learns about this bad RS and
> starts talking to it, so this may be a solution to a problem that doesn’t
> yet exist.   The one place this is posable is if the registration for the
> client is compromised.  However we are discussing other mitigations for
> that that also explicitly do not require discovery.
>
>
>
> John B.
>
>
>
>
>
> I am not stuck on webfinger or well-known. Because this is config maybe it
> should be an oauth endpoint.
>
> Phil
>
>
> On Mar 11, 2016, at 06:51, John Bradley  wrote:
>
> I think Phil is proposing something different.   Should the client send a
> token from this AS to that RS.
>
>
>
> His goal is to prevent man in the middle attacks where a bad RS gets a AT
> that is audianced to/accepted by another RS.
>
>
>
> That is separate from the question of if a RS accepts tokens from a good
> AS.   A bad AS would always say yes.
>
>
>
> We need to be careful of what if anything the 

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread Anthony Nadalin
Sorry but not true, this started out as “discovery” and now it’s not

From: Brian Campbell [mailto:bcampb...@pingidentity.com]
Sent: Friday, March 11, 2016 3:59 PM
To: Anthony Nadalin 
Cc: John Bradley ; oauth 
Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

That *is* the scope of the current document, which a majority of folks have 
agreed with. I was reiterating that the name of the document should reflect its 
content, something else that has been widely agreed with.

On Fri, Mar 11, 2016 at 4:24 PM, Anthony Nadalin 
mailto:tony...@microsoft.com>> wrote:
Disagree, what purpose is this activity solving then, it was being pushed as 
what was need to solve the Mix-up, but that is not true. So now you are 
suggesting a change in scope and not dealing with discovery.

From: OAuth [mailto:oauth-boun...@ietf.org] On 
Behalf Of Brian Campbell
Sent: Friday, March 11, 2016 3:11 PM
To: John Bradley mailto:ve7...@ve7jtb.com>>

Cc: oauth mailto:oauth@ietf.org>>
Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

I tend to agree with John that addressing the concerns Phil raises should be 
part of (extension to) the core protocol.  And that those kinds of concerns 
don't manifest in the way OAuth is typically deployed now.

The hopefully soon to be named "OAuth 2.0 Authorization Server Metadata" should 
keep it's scope to the publishing of authorization server metadata. The act of 
doing discovery is beyond its scope and so is trying to prevent a client from 
presenting a token to someplace it shouldn't.

On Fri, Mar 11, 2016 at 9:08 AM, John Bradley 
mailto:ve7...@ve7jtb.com>> wrote:
Inline
On Mar 11, 2016, at 12:13 PM, Phil Hunt (IDM) 
mailto:phil.h...@oracle.com>> wrote:

John

In many case all the AS has to check is the domain name component to check for 
mitm.

POP and the other solns are dramatically more complex than a simple check.

I was proposing ding that check at the authorization endpoint or token endpoint 
as part of AT issuance.

It is up to the AS how much of the path to validate and or put in the aud or 
dst.



I see it as part of the discovery(bad name aside) problem because we discussed 
that if a client finds 
app.example.com
 how do we ensure it gets a complete set of oauth endpoints as a valid set of 
endpoints--that a hacker has not inserted one of their own endpoints. The most 
important endpoint to get right is ensuring the resource server (and optionally 
the path) is the correct one. We can't really define resource discovery but we 
can validate it to some degree.

I think it is part of core protocol security and should/must not require 
discovery.

What is 
app.example.com
 ?

If it is the resource then the client would be preconfigured for it’s AS out of 
band or optionally would do discovery on the issuer uri that you admit needs to 
be configured out of band some way (note discovery is optional)

In the AS meta-data draft it would do a get on a well known file that would 
have configuration for the AS, but not the RS, though some API may optionally 
list a API endpoint like connect has.

The client then makes a authorization request (after registering out of band or 
dynamically).
As part of the authorization request for implicit it could provide the aud/dst 
that it wants the token for.
If that is not sent then the aud/dst are implicit in the scopes.

The client gets back a AT with a list of scopes granted, aud/dst allowed and 
time to live for the token (one extra thing returned)

This doesn’t require any discovery (yes there is a optional AS meta-data 
discovery but not required)

I prefer to fix the RS man in the middle issue as part of the protocol and not 
part of discovery that should remain optional.

I honestly don’t quite know how the client learns about this bad RS and starts 
talking to it, so this may be a solution to a problem that doesn’t yet exist.   
The one place this is posable is if the registration for the client is 
compromised.  However we are discussing other mitigations for that that also 
explicitly do not require discovery.

John B.


I am not stuck on webfinger or well-known. Because this is config maybe it 
should be an oauth endpoint.

Phil

On Mar 11, 2016, at 06:51, John Bradley 
mailto:ve7...@ve7jtb.com>> wrote:
I think Phil is proposing something different.   Should the client send a token 
from this AS to that RS.

His goal is to prevent man in the middle attacks where a bad RS gets

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread Brian Campbell
Good to see you are following along with what's happened.

On Fri, Mar 11, 2016 at 5:00 PM, Anthony Nadalin 
wrote:

> Sorry but not true, this started out as “discovery” and now it’s not
>
>
>
> *From:* Brian Campbell [mailto:bcampb...@pingidentity.com]
> *Sent:* Friday, March 11, 2016 3:59 PM
> *To:* Anthony Nadalin 
> *Cc:* John Bradley ; oauth 
>
> *Subject:* Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery
>
>
>
> That *is* the scope of the current document, which a majority of folks
> have agreed with. I was reiterating that the name of the document should
> reflect its content, something else that has been widely agreed with.
>
>
>
> On Fri, Mar 11, 2016 at 4:24 PM, Anthony Nadalin 
> wrote:
>
> Disagree, what purpose is this activity solving then, it was being pushed
> as what was need to solve the Mix-up, but that is not true. So now you are
> suggesting a change in scope and not dealing with discovery.
>
>
>
> *From:* OAuth [mailto:oauth-boun...@ietf.org] *On Behalf Of *Brian
> Campbell
> *Sent:* Friday, March 11, 2016 3:11 PM
> *To:* John Bradley 
>
>
> *Cc:* oauth 
> *Subject:* Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery
>
>
>
> I tend to agree with John that addressing the concerns Phil raises should
> be part of (extension to) the core protocol.  And that those kinds of
> concerns don't manifest in the way OAuth is typically deployed now.
>
> The hopefully soon to be named "OAuth 2.0 Authorization Server Metadata"
> should keep it's scope to the publishing of authorization server metadata.
> The act of doing discovery is beyond its scope and so is trying to prevent
> a client from presenting a token to someplace it shouldn't.
>
>
>
> On Fri, Mar 11, 2016 at 9:08 AM, John Bradley  wrote:
>
> Inline
>
> On Mar 11, 2016, at 12:13 PM, Phil Hunt (IDM) 
> wrote:
>
>
>
> John
>
>
>
> In many case all the AS has to check is the domain name component to check
> for mitm.
>
>
>
> POP and the other solns are dramatically more complex than a simple check.
>
>
>
> I was proposing ding that check at the authorization endpoint or token
> endpoint as part of AT issuance.
>
>
>
> It is up to the AS how much of the path to validate and or put in the aud
> or dst.
>
>
>
>
>
>
>
> I see it as part of the discovery(bad name aside) problem because we
> discussed that if a client finds app.example.com
> 
> how do we ensure it gets a complete set of oauth endpoints as a valid set
> of endpoints--that a hacker has not inserted one of their own endpoints.
> The most important endpoint to get right is ensuring the resource server
> (and optionally the path) is the correct one. We can't really define
> resource discovery but we can validate it to some degree.
>
>
>
> I think it is part of core protocol security and should/must not require
> discovery.
>
>
>
> What is app.example.com
> 
> ?
>
>
>
> If it is the resource then the client would be preconfigured for it’s AS
> out of band or optionally would do discovery on the issuer uri that you
> admit needs to be configured out of band some way (note discovery is
> optional)
>
>
>
> In the AS meta-data draft it would do a get on a well known file that
> would have configuration for the AS, but not the RS, though some API may
> optionally list a API endpoint like connect has.
>
>
>
> The client then makes a authorization request (after registering out of
> band or dynamically).
>
> As part of the authorization request for implicit it could provide the
> aud/dst that it wants the token for.
>
> If that is not sent then the aud/dst are implicit in the scopes.
>
>
>
> The client gets back a AT with a list of scopes granted, aud/dst allowed
> and time to live for the token (one extra thing returned)
>
>
>
> This doesn’t require any discovery (yes there is a optional AS meta-data
> discovery but not required)
>
>
>
> I prefer to fix the RS man in the middle issue as part of the protocol and
> not part of discovery that should remain optional.
>
>
>
> I honestly don’t quite know how the client learns about this bad RS and
> starts talking to it, so this may be a solution to a problem that doesn’t
> yet exist.   The one place this is posable is if the registration for the
> client is compromised.  However we are discussing other mitigations for
> that that also explicitly do not require discovery.
>
>
>
> John B.
>
>
>
>
>
> I am not stuck on webfinger or well-known. Because this is config maybe it
> should be an oauth endpoint.
>
> Phil
>
>
> On Mar 11,

[OAUTH-WG] Multiple authorization servers for one resource server

2016-03-11 Thread Takahiko Kawasaki
Hello,

I have a question.

If there exist multiple authorization servers that can issue access tokens
for one resource server, when the resource server receives an access token
from a client application, as the first step, the resource server has to
determine which authorization server to use for access token introspection.

Is there any standard way to determine which authorization server to use?

There may be several ways, for example:

(1) Embed information about the access token issuer in the access token.
(2) Add a request parameter to identify the access token issuer.
(3) Separate protected resource endpoints for each authorization server.

If there is a standard way, I'd like to know it.

Best Regards,
Takahiko Kawasaki
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth