Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-12 Thread Thomas Broyer
On Sat, Mar 12, 2016 at 6:01 PM Anthony Nadalin wrote:
> This is not discovery, it’s simply metadata, […], I don’t understand the
> rush to get this document out when we already know it’s incomplete
>
+1

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-12 Thread Phil Hunt (IDM)
8:20 AM > To: Mike Jones <michael.jo...@microsoft.com>; Brian Campbell > <bcampb...@pingidentity.com>; John Bradley <ve7...@ve7jtb.com> > Cc: oauth <oauth@ietf.org> > Subject: RE: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery > > We agreed upon a

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-12 Thread Anthony Nadalin
; Cc: oauth <oauth@ietf.org> Subject: RE: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery The AS metadata format is a necessary part of discovery. No, it doesn’t accomplish every possible aspect of discovery – nor was it ever intended to. I’ve consistently encouraged Phil

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-12 Thread Mike Jones
mailto:ve7...@ve7jtb.com>> Cc: oauth <oauth@ietf.org<mailto:oauth@ietf.org>> Subject: RE: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery The draft enables easy configuration of OAuth clients with an AS. For instance, the Microsoft “ADAL” OAuth client software u

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-12 Thread Anthony Nadalin
From: Mike Jones Sent: Saturday, March 12, 2016 8:06 AM To: Anthony Nadalin <tony...@microsoft.com>; Brian Campbell <bcampb...@pingidentity.com>; John Bradley <ve7...@ve7jtb.com> Cc: oauth <oauth@ietf.org> Subject: RE: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-12 Thread Mike Jones
Of Brian Campbell Sent: Friday, March 11, 2016 3:11 PM To: John Bradley <ve7...@ve7jtb.com<mailto:ve7...@ve7jtb.com>> Cc: oauth <oauth@ietf.org<mailto:oauth@ietf.org>> Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery I tend to agree with John that

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread Brian Campbell
com] > *Sent:* Friday, March 11, 2016 3:59 PM > *To:* Anthony Nadalin <tony...@microsoft.com> > *Cc:* John Bradley <ve7...@ve7jtb.com>; oauth <oauth@ietf.org> > > *Subject:* Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery > > > > That *is* t

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread Anthony Nadalin
ect: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery That *is* the scope of the current document, which a majority of folks have agreed with. I was reiterating that the name of the document should reflect its content, something else that has been widely agreed with. On Fri, Mar 11, 2016 a

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread Brian Campbell
Behalf Of *Brian > Campbell > *Sent:* Friday, March 11, 2016 3:11 PM > *To:* John Bradley <ve7...@ve7jtb.com> > > *Cc:* oauth <oauth@ietf.org> > *Subject:* Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery > > > > I tend to agree with John th

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread Anthony Nadalin
, March 11, 2016 3:11 PM To: John Bradley <ve7...@ve7jtb.com> Cc: oauth <oauth@ietf.org> Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery I tend to agree with John that addressing the concerns Phil raises should be part of (extension to) the core protocol. An

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread Brian Campbell
Honestly we probably should have separated scope and destination > in the first place and returned both dst and scope in the response all > along, so this is an update that is consistent with the existing architecture > of OAuth 2. > > Let's keep the two issues separate. > > John B. > >

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread John Bradley
ng, so this is an update that is consistent with the existing architecture of >> OAuth 2. >> >> Let's keep the two issues separate. >> >> John B. >> >> >> >> >>> On Mar 11, 2016, at 12:07 AM, Anthony Nadalin <ton

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread Anthony Nadalin
, March 10, 2016 9:09 AM To: Vladimir Dzhuvinov <vladi...@connect2id.com> Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery I strongly oppose. 2 major issues. This is not service discovery this is configuration lookup. The client must have already disc

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread Phil Hunt (IDM)
> Let's keep the two issues separate. > > John B. > > > > >> On Mar 11, 2016, at 12:07 AM, Anthony Nadalin <tony...@microsoft.com> wrote: >> >> The relationship between AS and RS needs to be scoped to “does this RS accept >> tokens from this

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread John Bradley
016 6:25 PM > To: Phil Hunt (IDM) <phil.h...@oracle.com> > Cc: oauth <oauth@ietf.org> > Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery > > Phil, > > Right. So what my conditional approvals (11 conditions in total) said was to

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread George Fletcher
I am strongly against requiring the AS to know about RS URIs and managing that based on a client request for a token. I've stated my reasons previously. Happy to agree to disagree:) Thanks, George On 3/10/16 10:17 PM, Phil Hunt (IDM) wrote: Nat, Agree with your points. Regarding the last,

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread George Fletcher
+1 for these changes and finishing the doc On 3/10/16 10:45 AM, Nat Sakimura wrote: +1 in proceeding with the following changes: 1. Change name to "*OAuth 2.0 Authorization Server Metadata*", aligning with section 2. 2. Have the AS dictate the URI path suffix through link header in the

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-11 Thread Melvin Carvalho
On 18 February 2016 at 14:40, Hannes Tschofenig wrote: > Hi all, > > This is a Last Call for comments on the OAuth 2.0 Discovery specification: > https://tools.ietf.org/html/draft-ietf-oauth-discovery-01 > > Since this document was only adopted recently we are running

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-10 Thread Phil Hunt (IDM)
Nat, Agree with your points. Regarding the last, I am not sure an AS should release the set of valid rs's. I think the returned data has to be limited somehow. Maybe by aud uri or maybe just a yes/no to a uri the client provides. This needs discussion. Am worried about the resource side

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-10 Thread Anthony Nadalin
) <phil.h...@oracle.com> Cc: oauth <oauth@ietf.org> Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery Phil, Right. So what my conditional approvals (11 conditions in total) said was to drop the word "discovery" from everywhere. This i

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-10 Thread Nat Sakimura
Phil, Right. So what my conditional approvals (11 conditions in total) said was to drop the word "discovery" from everywhere. This is not a discovery spec. This is a configuration lookup spec as you correctly point out. So, I am with you here. Also, my 2nd condition is essentially saying to

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-10 Thread Phil Hunt (IDM)
I strongly oppose. 2 major issues. This is not service discovery this is configuration lookup. The client must have already discovered the oauth issuer uri and the resource uri. The objective was to provide a method to ensure the client has a valid set of endpoints to prevent mitm of

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-10 Thread William Denniss
I support the document moving forward, and agree with the proposal to rename it to "OAuth 2.0 Authorization Server Discovery Metadata". Personally I was fine with re-using 'openid-configuration' for compatibility, but I suppose it's not a big burden for everyone who is already using that to set up

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-10 Thread Vladimir Dzhuvinov
+1 to move forward with these On 10/03/16 17:35, Brian Campbell wrote: > +1 > > On Thu, Mar 10, 2016 at 6:04 AM, Roland Hedberg > wrote: > >> I support this document being moved forward with these two changes: >> >> - change name to “OAuth 2.0 Authorization Server

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-10 Thread Nat Sakimura
+1 in proceeding with the following changes: 1. Change name to "*OAuth 2.0 Authorization Server Metadata*", aligning with section 2. 2. Have the AS dictate the URI path suffix through link header in the HEAD response to AS or OOB mechanism. 3. Align the title of section 3 to

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-10 Thread Brian Campbell
+1 On Thu, Mar 10, 2016 at 6:04 AM, Roland Hedberg wrote: > I support this document being moved forward with these two changes: > > - change name to “OAuth 2.0 Authorization Server Discovery Metadata” as > proposed by Brian and > - use the URI path suffix

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-10 Thread Roland Hedberg
I support this document being moved forward with these two changes: - change name to “OAuth 2.0 Authorization Server Discovery Metadata” as proposed by Brian and - use the URI path suffix ’oauth-authorization-server’ instead of ’openid-configuration’ as proposed by Justin. > 18 feb 2016 kl.

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-10 Thread Samuel Erdtman
th-authorization-server” > identifier, as discussed in that thread. > > > > -- Mike > > > > *From:* OAuth [mailto:oauth-boun...@ietf.org] *On Behalf Of *Samuel > Erdtman > *Sent:* Wednesday, March 9, 2016 11:28 PM > *To:* Hannes Tschofenig <hannes.ts

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-10 Thread Thomas Broyer
*To:* Hannes Tschofenig <hannes.tschofe...@gmx.net> > *Cc:* oauth@ietf.org > *Subject:* Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery > > > > Hi, > > > > I sent a few comments two weeks ago that have not been explicitly commented > on. (I m

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-10 Thread Mike Jones
ofe...@gmx.net> Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery Hi, I sent a few comments two weeks ago that have not been explicitly commented on. (I might have sent them in the wrong way, if so sorry about that) https://mailarchive.ietf.org/arch/msg

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-03-09 Thread Samuel Erdtman
Hi, I sent a few comments two weeks ago that have not been explicitly commented on. (I might have sent them in the wrong way, if so sorry about that) https://mailarchive.ietf.org/arch/msg/oauth/Z0LCBuvFDCQTd4xfwoddlbC2P7w Most of the comments are minor but I would like to see jwks_uri to be

[OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

2016-02-18 Thread Hannes Tschofenig
Hi all, This is a Last Call for comments on the OAuth 2.0 Discovery specification: https://tools.ietf.org/html/draft-ietf-oauth-discovery-01 Since this document was only adopted recently we are running this last call for **3 weeks**. Please have your comments in no later than March 10th. Ciao