[OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

2013-05-20 Thread Justin Richer
Phil Hunt's review of the Dynamic Registration specification has raised a couple of issues that I felt were getting buried by the larger discussion (which I still strongly encourage others to jump in to). Namely, Phil has suggested a couple of syntax changes to the names of several parameters.

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

2013-05-20 Thread Phil Hunt
Keep in mind there may be other changes coming. The issue is that new developers can't figure out what token is being referred to. Phil On 2013-05-20, at 8:09, Justin Richer wrote: > Phil Hunt's review of the Dynamic Registration specification has raised a > couple of issues that I felt we

Re: [OAUTH-WG] Client Credential Expiry and new Registration Access Token - draft-ietf-oauth-dyn-reg-10

2013-05-20 Thread Justin Richer
On 05/17/2013 07:29 PM, Phil Hunt wrote: He's saying every client gets a registration token and a client token. What's a "client token", exactly? There are three potential places for OAuth tokens in and around dynamic registration, and none of them are called "client token". 1) The registra

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

2013-05-20 Thread Justin Richer
But also keep in mind that this is last-call, and that we don't really want to encourage avoidable drastic changes at this stage. -- Justin On 05/20/2013 11:21 AM, Phil Hunt wrote: Keep in mind there may be other changes coming. The issue is that new developers can't figure out what token i

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

2013-05-20 Thread Donald F Coffin
Justin, We are still working on the requirement document for integrating OAuth 2.0 into the NAESB ESPI standard. To date, no one who has implemented the current "Download My Data" or "Connect My Data" features of the ESPI standard would be affected, since they have not implemented OAuth 2.0.

Re: [OAUTH-WG] Client Credential Expiry and new Registration Access Token - draft-ietf-oauth-dyn-reg-10

2013-05-20 Thread Phil Hunt
Phil On 2013-05-20, at 8:45, Justin Richer wrote: > > On 05/17/2013 07:29 PM, Phil Hunt wrote: >> He's saying every client gets a registration token and a client token. > What's a "client token", exactly? There are three potential places for OAuth > tokens in and around dynamic registration,

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

2013-05-20 Thread Phil Hunt
This draft isn't ready for LC. Phil On 2013-05-20, at 8:49, Justin Richer wrote: > But also keep in mind that this is last-call, and that we don't really want > to encourage avoidable drastic changes at this stage. > > -- Justin > > > On 05/20/2013 11:21 AM, Phil Hunt wrote: >> Keep in m

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

2013-05-20 Thread Justin Richer
I, of course, disagree. But that's what we're trying to figure out as a working group, after all. -- Justin On 05/20/2013 12:41 PM, Phil Hunt wrote: This draft isn't ready for LC. Phil On 2013-05-20, at 8:49, Justin Richer wrote: But also keep in mind that this

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

2013-05-20 Thread Mike Jones
The deployment evidence doesn’t support your position, Phil. There are over a dozen interoperable implementations already deployed. Those deployments demonstrate that the spec, as written, is already doing one thing well – enabling clients (as defined by RFC 6749) to register with Authorizatio

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

2013-05-20 Thread Mike Jones
I believe that no syntax changes are necessary. Of the three possible changes described below, I particularly believe that (3) is completely unnecessary, as there is nothing that authenticates to the Token Endpoint other than the client. Thus, adding “client_” to the name adds no useful semant

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

2013-05-20 Thread Justin Richer
For what it's worth, I also agree that (3) is overkill. The other two, I believe, have more potential value in clarity, and I haven't yet heard evidence that making this particular syntax change would be either easy or difficult from other developers. It's possible (though completely conjectura

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

2013-05-20 Thread Phil Hunt
-1 The draft has features that are unclear and will double the operational cost. The fact that it works doesn't mean it is ready from the wg perspective. For the production use, has anyone outside of oidc implemented and placed in production? As a non-oidc implementer, I can't make the same a

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

2013-05-20 Thread Justin Richer
Phil, I think what you're bringing up is a red herring. Everyone that does OAuth today does "discovery" in some manner or another, even if it's not specified to be dynamic like it is in OIDC. Most of the time this happens manually, out of band. For instance, a number of our clients here have hi

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

2013-05-20 Thread Justin Richer
Tony, can you be more specific? What needs to be changed in your opinion? What text changes would you suggest? -- Justin On 05/20/2013 02:09 PM, Anthony Nadalin wrote: Agree From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Phil Hunt Sent: Monday, May 20, 2013

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

2013-05-20 Thread Anthony Nadalin
Agree From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Phil Hunt Sent: Monday, May 20, 2013 9:42 AM To: Justin Richer Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration This draft isn't ready for LC. Phil On 2013-05-20, at 8:49,

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

2013-05-20 Thread Phil Hunt
Further to my last… Justin has already committed to breaking changes. This may have been lost or buried in the long review thread. Specifically - The client authentication types specified are undocumented (client_secret_jwt and private_key_jwt) as they were all Holder-of-Key authentication me

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

2013-05-20 Thread Justin Richer
Phil, that's not a fair comparison. What I've done is a fundamentally different kind of breaking change than the one you're asking for, though. To explain more concretely: The change I agreed to make here was to remove two underspecified values (of five listed) to a parameter that is intended

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

2013-05-20 Thread Nat Sakimura
No change please. =nat via iPhone On May 20, 2013, at 17:10, Justin Richer wrote: Phil Hunt's review of the Dynamic Registration specification has raised a couple of issues that I felt were getting buried by the larger discussion (which I still strongly encourage others to jump in to). Namely,

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

2013-05-20 Thread Edmund Jay
+1 for keeping names as is. From: Justin Richer To: "oauth@ietf.org" Sent: Mon, May 20, 2013 8:10:13 AM Subject: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration Phil Hunt's review of the Dynamic Registration specification has raised a couple of

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

2013-05-20 Thread nov matake
+1 On 2013/05/21, at 5:23, Edmund Jay wrote: > +1 for keeping names as is. > > From: Justin Richer > To: "oauth@ietf.org" > Sent: Mon, May 20, 2013 8:10:13 AM > Subject: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration > > Phil Hunt's review of the Dynamic Registration specificatio

Re: [OAUTH-WG] Client Credential Expiry and new Registration Access Token - draft-ietf-oauth-dyn-reg-10

2013-05-20 Thread John Bradley
Dynamic registration provides: 1 A client_id 2 (Optionally) a client secret that is used at the token endpoint per OAuth to authenticate the associated client_id 3 a URI that can be used to update the client_id (this is a REST concept and may be thought of as an instance of client_id rather than

Re: [OAUTH-WG] Client Credential Expiry and new Registration Access Token - draft-ietf-oauth-dyn-reg-10

2013-05-20 Thread John Bradley
Dynamic registration provides: 1 A client_id 2 (Optionally) a client secret that is used at the token endpoint per OAuth to authenticate the associated client_id 3 a URI that can be used to update the client_id (this is a REST concept and may be thought of as an instance of client_id rather than

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

2013-05-20 Thread John Bradley
Phil the token_endpoint_auth_method is not broken. We have agreed that the methods defined in Connect and not in the base spec will be registered separately in the registry rather than being in the base spec. I don't think that is broken. They are documented in Connect, that works for connect

Re: [OAUTH-WG] Proposed Syntax Changes in Dynamic Registration

2013-05-20 Thread Roland Hedberg
+1 Sent from my iPhone On 21 May 2013, at 00:21, "nov matake" wrote: +1 On 2013/05/21, at 5:23, Edmund Jay wrote: +1 for keeping names as is. From: Justin Richer To: "oauth@ietf.org