Re: [OAUTH-WG] OAuth 2.0 Protected Resource Metadata now with WWW-Authenticate

2023-09-06 Thread Rebecca Warren


___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] OAuth 2.0 Protected Resource Metadata now with WWW-Authenticate

2023-07-25 Thread Giuseppe De Marco
Hi,
I am happy that this draft is progressing. Draft 01 was adopted two years
ago for the Italian Attribute Authorities (SPID Attribute Authorities)
because there was a need to publish the metadata of a RS.
I see that many steps forward have been made and in a short time. I have
read Brian's reaction and believe it is important for the evolution of the
specification, which I hereby support.

On Tue, Jul 11, 2023 at 02:34, Michael Jones
<michael_b_jo...@hotmail.com> wrote:

> In collaboration with Aaron Parecki, the
> ability for OAuth 2.0 protected resource servers to return their resource
> identifiers via WWW-Authenticate has been added to the OAuth 2.0
> Protected Resource Metadata specification. This enables clients to
> dynamically learn about and use protected resources they may have no prior
> knowledge of, including learning what authorization servers can be used
> with them.
>
> This incorporates functionality originally incubated in
> draft-parecki-oauth-authorization-server-discovery-00.
> Aaron and I had been asked to merge the functionality of our two drafts
> during an OAuth working group session at IETF 116. We’re both happy with
> the result!
>
> The specification is available at:
>
> · https://www.ietf.org/archive/id/draft-jones-oauth-resource-metadata-04.html
>
> -- Mike
>
> P.S.  This notice was also posted at https://self-issued.info/?p=2377 and
> was referenced from
> https://twitter.com/selfissued/status/1677471513023508481.


Re: [OAUTH-WG] OAuth 2.0 Protected Resource Metadata now with WWW-Authenticate

2023-07-19 Thread Brian Campbell
This certainly isn't a comprehensive review or endorsement necessarily but
I read through the latest draft and had a couple of off-the-cuff*
comments/questions:

The abstract and intro talk only about enabling clients to obtain
information needed to interact with a protected resource. However, the
jwks_uri protected resource metadata parameter mentions that it might
contain encryption key(s) that are used to encrypt access tokens to the
protected resource, which would be something the AS does. It seems like
the abstract and/or intro text should be adjusted or augmented a bit so as
not to suggest that an AS is precluded from using the protected resource
metadata.

I'm struggling to see how the resource_signing_alg_values_supported,
resource_encryption_alg_values_supported, and
resource_encryption_enc_values_supported parameters would be used in a
meaningful or interoperability improving way.  What "content" is being
signed or encrypted and by whom? These parameters seem to me to
clutter/confuse the draft more than providing actual useful information.

If you know (well-known), you know. The way it's done here makes a lot of
sense for the context but might raise some eyebrows down the road, if this
draft progresses.


* Actually, I may have had some of these same thoughts in 2017 when -01 was
presented to the WG but didn't get around to mentioning them back then :)

On Mon, Jul 10, 2023 at 6:34 PM Michael Jones wrote:

> In collaboration with Aaron Parecki, the
> ability for OAuth 2.0 protected resource servers to return their resource
> identifiers via WWW-Authenticate has been added to the OAuth 2.0
> Protected Resource Metadata specification. This enables clients to
> dynamically learn about and use protected resources they may have no prior
> knowledge of, including learning what authorization servers can be used
> with them.
>
> This incorporates functionality originally incubated in
> draft-parecki-oauth-authorization-server-discovery-00.
> Aaron and I had been asked to merge the functionality of our two drafts
> during an OAuth working group session at IETF 116. We’re both happy with
> the result!
>
> The specification is available at:
>
> · https://www.ietf.org/archive/id/draft-jones-oauth-resource-metadata-04.html
>
> -- Mike
>
> P.S.  This notice was also posted at https://self-issued.info/?p=2377 and
> was referenced from
> https://twitter.com/selfissued/status/1677471513023508481.


Re: [OAUTH-WG] OAuth 2.0 Protected Resource Metadata

2023-01-30 Thread Rifaat Shekh-Yusef
I added both to the list of topics to discuss in Yokohama.
Let's have that discussion first, before calling for any adoption.

Regards,
 Rifaat & Hannes


On Sat, Jan 28, 2023 at 8:35 PM Aaron Parecki wrote:

> There is significant overlap between this draft and the concepts brought
> to the OAuth WG at the last IETF meeting by Ben Schwartz, which he also
> presented to the HTTPAPI WG. After that meeting, I volunteered to work with
> Ben on adapting his concepts to a model that would fit better within the
> OAuth framework. I published an early draft, which I am planning on
> presenting at the next IETF meeting.
> https://datatracker.ietf.org/doc/draft-parecki-oauth-authorization-server-discovery/
>
> During the HTTPAPI and OAuth sessions at IETF 115, there were many
> concerns expressed by various people in the groups about establishing and
> enabling this kind of relationship, which would also apply to this Resource
> Metadata draft. I believe there should be further discussions about the
> concepts described here as well as how best to enable other working groups
> to take advantage of this kind of relationship between an RS and AS before
> adopting this particular draft.
>
> Aaron
>
>
>
> On Sat, Jan 28, 2023 at 5:21 PM David Waite wrote:
>
>> I support adoption by the working group.
>>
>> -DW
>>
>> On Jan 24, 2023, at 2:38 AM, Giuseppe De Marco wrote:
>>
>> Hello everybody,
>>
>> I would like to bring to your attention this expired draft:
>> https://datatracker.ietf.org/doc/draft-jones-oauth-resource-metadata/
>>
>> I propose to take up this individual draft for its adoption as an
>> official internet draft.
>> The reason I ask this is that there are implementations of this draft
>> born with the need to have metadata for entities of type RS.
>>
>> The implementation of which I am aware concerns the Italian "Attribute
>> Authorities" [0]. OpenID Federation draft also defines the metadata of the
>> oauth_resource type [1], taking up the elements defined in the draft in
>> question. Recently, an interesting reflection seems to have arisen also in
>> OpenID4VCI/OpenID4VP [2].
>>
>> Thank you for your attention, I hope to read your valuable feedback soon,
>> best
>>
>> [0] https://italia.github.io/spid-cie-oidc-docs/en/metadata_aa.html
>> [1] https://openid.net/specs/openid-connect-federation-1_0.html#section-4.7
>> [2] https://bitbucket.org/openid/connect/issues/1781/do-new-entity-types-required-for-oid4vp
>>


Re: [OAUTH-WG] OAuth 2.0 Protected Resource Metadata

2023-01-28 Thread Aaron Parecki
There is significant overlap between this draft and the concepts brought to
the OAuth WG at the last IETF meeting by Ben Schwartz, which he also
presented to the HTTPAPI WG. After that meeting, I volunteered to work with
Ben on adapting his concepts to a model that would fit better within the
OAuth framework. I published an early draft, which I am planning on
presenting at the next IETF meeting.
https://datatracker.ietf.org/doc/draft-parecki-oauth-authorization-server-discovery/

During the HTTPAPI and OAuth sessions at IETF 115, there were many concerns
expressed by various people in the groups about establishing and enabling
this kind of relationship, which would also apply to this Resource Metadata
draft. I believe there should be further discussions about the concepts
described here as well as how best to enable other working groups to take
advantage of this kind of relationship between an RS and AS before adopting
this particular draft.

Aaron



On Sat, Jan 28, 2023 at 5:21 PM David Waite wrote:

> I support adoption by the working group.
>
> -DW
>
> On Jan 24, 2023, at 2:38 AM, Giuseppe De Marco wrote:
>
> Hello everybody,
>
> I would like to bring to your attention this expired draft:
> https://datatracker.ietf.org/doc/draft-jones-oauth-resource-metadata/
>
> I propose to take up this individual draft for its adoption as an
> official internet draft.
> The reason I ask this is that there are implementations of this draft born
> with the need to have metadata for entities of type RS.
>
> The implementation of which I am aware concerns the Italian "Attribute
> Authorities" [0]. OpenID Federation draft also defines the metadata of the
> oauth_resource type [1], taking up the elements defined in the draft in
> question. Recently, an interesting reflection seems to have arisen also in
> OpenID4VCI/OpenID4VP [2].
>
> Thank you for your attention, I hope to read your valuable feedback soon,
> best
>
> [0] https://italia.github.io/spid-cie-oidc-docs/en/metadata_aa.html
> [1] https://openid.net/specs/openid-connect-federation-1_0.html#section-4.7
> [2] https://bitbucket.org/openid/connect/issues/1781/do-new-entity-types-required-for-oid4vp
>


Re: [OAUTH-WG] OAuth 2.0 Protected Resource Metadata

2023-01-28 Thread David Waite
I support adoption by the working group.

-DW

> On Jan 24, 2023, at 2:38 AM, Giuseppe De Marco wrote:
> 
> Hello everybody,
> 
> I would like to bring to your attention this expired draft: 
> https://datatracker.ietf.org/doc/draft-jones-oauth-resource-metadata/
> 
> I propose to take up this individual draft for its adoption as an official
> internet draft.
> The reason I ask this is that there are implementations of this draft born 
> with the need to have metadata for entities of type RS.
> 
> The implementation of which I am aware concerns the Italian "Attribute 
> Authorities" [0]. OpenID Federation draft also defines the metadata of the 
> oauth_resource type [1], taking up the elements defined in the draft in 
> question. Recently, an interesting reflection seems to have arisen also in 
> OpenID4VCI/OpenID4VP [2].
> 
> Thank you for your attention, I hope to read your valuable feedback soon,
> best
> 
> [0] https://italia.github.io/spid-cie-oidc-docs/en/metadata_aa.html
> [1] https://openid.net/specs/openid-connect-federation-1_0.html#section-4.7
> [2] https://bitbucket.org/openid/connect/issues/1781/do-new-entity-types-required-for-oid4vp
> 


Re: [OAUTH-WG] OAuth 2.0 Protected Resource Metadata

2023-01-28 Thread Dick Hardt
I support adoption by the WG

On Fri, Jan 27, 2023 at 8:51 AM Mike Jones wrote:

> Given that the draft is now being used, I support working group adoption.
>
> I’d also like to request time in Yokohama to talk about the draft.
>
> Thanks,
> -- Mike
>
> *From:* OAuth *On Behalf Of* Giuseppe De Marco
> *Sent:* Tuesday, January 24, 2023 1:38 AM
> *To:* oauth
> *Cc:* flo...@agid.gov.it; michele.dam...@agid.gov.it; cole...@agid.gov.it;
> nunzio.napolit...@agid.gov.it; fa.mar...@ipzs.it;
> michela.c...@teamdigitale.governo.it
> *Subject:* [OAUTH-WG] OAuth 2.0 Protected Resource Metadata
>
>
>
> Hello everybody,
>
> I would like to bring to your attention this expired draft:
> https://datatracker.ietf.org/doc/draft-jones-oauth-resource-metadata/
>
> I propose to take up this individual draft for its adoption as an
> official internet draft.
> The reason I ask this is that there are implementations of this draft born
> with the need to have metadata for entities of type RS.
>
> The implementation of which I am aware concerns the Italian "Attribute
> Authorities" [0]. OpenID Federation draft also defines the metadata of the
> oauth_resource type [1], taking up the elements defined in the draft in
> question. Recently, an interesting reflection seems to have arisen also in
> OpenID4VCI/OpenID4VP [2].
>
> Thank you for your attention, I hope to read your valuable feedback soon,
>
> best
>
>
>
> [0] https://italia.github.io/spid-cie-oidc-docs/en/metadata_aa.html
> [1] https://openid.net/specs/openid-connect-federation-1_0.html#section-4.7
> [2] https://bitbucket.org/openid/connect/issues/1781/do-new-entity-types-required-for-oid4vp


Re: [OAUTH-WG] OAuth 2.0 Protected Resource Metadata

2023-01-27 Thread Mike Jones
Given that the draft is now being used, I support working group adoption.

I’d also like to request time in Yokohama to talk about the draft.

   Thanks,
   -- Mike

From: OAuth On Behalf Of Giuseppe De Marco
Sent: Tuesday, January 24, 2023 1:38 AM
To: oauth
Cc: flo...@agid.gov.it; michele.dam...@agid.gov.it; cole...@agid.gov.it; 
nunzio.napolit...@agid.gov.it; fa.mar...@ipzs.it; 
michela.c...@teamdigitale.governo.it
Subject: [OAUTH-WG] OAuth 2.0 Protected Resource Metadata

Hello everybody,

I would like to bring to your attention this expired draft: 
https://datatracker.ietf.org/doc/draft-jones-oauth-resource-metadata/

I propose to take up this individual draft for its adoption as an official
internet draft.
The reason I ask this is that there are implementations of this draft born with 
the need to have metadata for entities of type RS.

The implementation of which I am aware concerns the Italian "Attribute 
Authorities" [0]. OpenID Federation draft also defines the metadata of the 
oauth_resource type [1], taking up the elements defined in the draft in 
question. Recently, an interesting reflection seems to have arisen also in 
OpenID4VCI/OpenID4VP [2].

Thank you for your attention, I hope to read your valuable feedback soon,
best

[0] https://italia.github.io/spid-cie-oidc-docs/en/metadata_aa.html
[1] https://openid.net/specs/openid-connect-federation-1_0.html#section-4.7
[2] https://bitbucket.org/openid/connect/issues/1781/do-new-entity-types-required-for-oid4vp