So long as you’re storing the client_id and client_secret in your LDAP and not putting a username and password (that normally represents a person) into the software, you’re fine. That’s just a case of externalizing the client registration to the LDAP system — it’s still registered.

Otherwise, if you’re putting a person’s information into the client there, you’re doing impersonation. That’s bad, don’t do that.

— Justin

> On Mar 15, 2016, at 9:17 AM, Sergey Beryozkin <***@gmail.com> wrote:
>
> Hi Justin
>
> Many thanks for the quick response.
> On 15/03/16 12:53, Justin Richer wrote:
>> Is Alice the client here (the piece of software), or is Alice the
>> resource owner?
> Piece of software, something that needs to run without the human user being involved
>> If Alice is the resource owner, then you should
>> absolutely not be using the client credentials flow like this.
>>
> Sure.
>
>> The client credentials flow is designed for cases where the client is
>> acting on its own behalf, not on behalf of any particular user. It's an
>> optimization of the canonical authorization code flow, where there is no
>> interaction with the resource owner because there is no resource owner
>> as a separate entity. It's most useful for backend systems that would
>> have traditionally used a developer key to get access to bulk data. If
>> you're using it for single-user access, you're doing it wrong.
>>
> I guess I'm still OK here, as I said, it is a piece of software which runs without a user. Like in all web services (SOAP or plain HTTP client invocations) where the client sets some credentials and accesses some data in the remote service.
>
>> Also, you should keep in mind that things that seem "simple" on the
>> surface are often simplified at the cost of making specific security
>> concessions and assumptions. The authorization code flow is "complex"
>> for very good reasons, all of them security focused. You should never
>> pick a different OAuth flow just because it looks simpler, you should
>> only pick them if you're within the use case that it was designed for,
>> and therefor the assumptions of its security patterns match.
>>
> +1
>> We've seen a *ton* of problems with people picking the implicit flow in
>> the real world and using it with clients other than in-browser
>> applications that it was designed for. If you're not in that specific
>> space, you're taking on huge risks.
> Sure, I understand.
>
> So, as far as my original question is concerned, given that a client piece of software (no human user is involved) uses some credentials to get the token with client_credentials, would it be OK to avoid the explicit 'Client' registration with AS, given that the authentication system employed by AS is already aware of such credentials, I guess yes.
>
> Thanks, Sergey
>>
>> -- Justin
>>
>> On 3/15/2016 8:37 AM, Sergey Beryozkin wrote:
>>> Hi All
>>>
>>> I've alway been thinking of Client Credentials as being the simplest
>>> flow but now that I'm looking at implementing it myself to be used in
>>> the real productions, I'm realizing that there's something I do not
>>> understand about it:
>>>
>>> Do the clients using Client Credentials flow need to be
>>> OAuth2-registered, even when such clients are already known to the
>>> authentication system ?
>>>
>>> For example, there might be some LDAP/etc entry for Alice (name,
>>> password). Now a client is using a client credentials flow to get an
>>> access token:
>>>
>>> POST /token HTTP/1.1
>>> Host: server.example.com
>>> Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
>>> Content-Type: application/x-www-form-urlencoded
>>>
>>> grant_type=client_credentials
>>>
>>> I hope that in this case no explicit registration (the one typically
>>> required in redirection based flows) is needed, the client (Alice) has
>>> been 'implicitly' registered (as far as the notion of OAuth2 client is
>>> concerned) in LDAP/etc.
>>>
>>> If the explicit registration with OAuth2 AS was still required in the
>>> case above then it would lead to a fairly massive duplication of
>>> effort (Alice is registered in Ldap, then also with OAuth2 AS), etc
>>>
>>> Can someone clarify it please ?
>>>
>>> Thanks, Sergey
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> ***@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> ***@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> ***@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

And don't forget option 4: look it up in a database because the RS and
AS are in the same box.

-- Justin

On 3/15/2016 9:12 AM, John Bradley wrote:
> Access tokens are opaque to the client not the RS.
>
> You have three basic design choices.
> 1 Use a token that the RS can locally validate. JWT or SAML are standard options or you could do your own custom format and use a HMAC to integrity protect them. If using astandard token format this supports multiple AS.
>
> 2 Use a completely opaque token and introspect it at a known AS. This supports one AS
>
> 3 Hybrid use a JWT that contains an issuer as the token but with a single opaque claim that is used as a ID by the AS. The RS receives the token looks at the issuer and sends the token to the issuer for introspection. The introspection endpoint checks the signature and looks up the reference to provide the introspection response as in 2. This supports multiple AS.
>
> I think Juston was recommending 3 as something he has done.
>
> John B.
>
>> On Mar 15, 2016, at 10:01 AM, Sergey Beryozkin <***@gmail.com> wrote:
>>
>> Hi
>>
>> After following the recent thread on multiple authorization servers, but also reading some other related threads, I have a question related to when the token introspection can be avoided.
>>
>> My understanding has been that given that access tokens are opaque the RS does not know anything about its content, hence that was the purpose of the token introspection spec: provide an interoperable way for RS to submit a token to AS and get the token data for RS to make a final decision about this token.
>>
>> I think if the access tokens are really opaque, i.e, they are sequences RS can not look into, then having the introspection option is the only way to check what the token is really about.
>>
>> But the recent replies with respect to using JWS or JWE tokens have confused me.
>>
>> 1. AccessToken as JWS JWT Token:
>>
>> RS can easily look into it, but Justin mentioned that in one case they first validate this JWS token and then forward it for some further introspection. Why start introspecting if the token has been validated and its content is visible ?
>> Perhaps because some token data which are sensitive are only visible in the introspection response ? If yes then why use a self-contained token if some more external data are associated with it.
>>
>> 2. AccessToken as JWE JWT Token: this option was mentioned a couple of times recently, Jonh B. suggested in the other thread the introspection may not be needed (sorry if I misread it).
>> The question here, how can RS deal with a JWE token, it would need to share the decrypting key with AS.
>>
>> So, is introspection needed only for the completely opaque tokens or it is also needed for JWS and JWE tokens. I'd say it might be reasonable to skip it in case of JWS, depending on the specific requirements (as the expiry, issuer, will be typically set in JWS JWT), while with JWE I can not see how RS can avoid introspecting unless it shares the secret/private key with AS.
>>
>>
>> Thanks, Sergey
>>
>>
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> ***@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> ***@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

Hi John, Justin
On 15/03/16 13:12, John Bradley wrote:
> Access tokens are opaque to the client not the RS.
>
But only if they are self-contained as in the option 1 below, right ?
> You have three basic design choices.
> 1 Use a token that the RS can locally validate. JWT or SAML are standard options or you could do your own custom format and use a HMAC to integrity protect them. If using astandard token format this supports multiple AS.

OK.
>
> 2 Use a completely opaque token and introspect it at a known AS. This supports one AS
>
OK

> 3 Hybrid use a JWT that contains an issuer as the token but with a single opaque claim that is used as a ID by the AS. The RS receives the token looks at the issuer and sends the token to the issuer for introspection. The introspection endpoint checks the signature and looks up the reference to provide the introspection response as in 2. This supports multiple AS.
>
> I think Juston was recommending 3 as something he has done.
Thanks for clarifying it, that was what 'jti' was for I believe, very
interesting, I did not get the first time I read it for sure :-).
But this is a non-interoperable solution, right ? I.e, it depends on a
given AS preparing a token this way, would other AS be able to do it too ?

Thanks, Sergey
>
> John B.
>
>> On Mar 15, 2016, at 10:01 AM, Sergey Beryozkin <***@gmail.com> wrote:
>>
>> Hi
>>
>> After following the recent thread on multiple authorization servers, but also reading some other related threads, I have a question related to when the token introspection can be avoided.
>>
>> My understanding has been that given that access tokens are opaque the RS does not know anything about its content, hence that was the purpose of the token introspection spec: provide an interoperable way for RS to submit a token to AS and get the token data for RS to make a final decision about this token.
>>
>> I think if the access tokens are really opaque, i.e, they are sequences RS can not look into, then having the introspection option is the only way to check what the token is really about.
>>
>> But the recent replies with respect to using JWS or JWE tokens have confused me.
>>
>> 1. AccessToken as JWS JWT Token:
>>
>> RS can easily look into it, but Justin mentioned that in one case they first validate this JWS token and then forward it for some further introspection. Why start introspecting if the token has been validated and its content is visible ?
>> Perhaps because some token data which are sensitive are only visible in the introspection response ? If yes then why use a self-contained token if some more external data are associated with it.
>>
>> 2. AccessToken as JWE JWT Token: this option was mentioned a couple of times recently, Jonh B. suggested in the other thread the introspection may not be needed (sorry if I misread it).
>> The question here, how can RS deal with a JWE token, it would need to share the decrypting key with AS.
>>
>> So, is introspection needed only for the completely opaque tokens or it is also needed for JWS and JWE tokens. I'd say it might be reasonable to skip it in case of JWS, depending on the specific requirements (as the expiry, issuer, will be typically set in JWS JWT), while with JWE I can not see how RS can avoid introspecting unless it shares the secret/private key with AS.
>>
>>
>> Thanks, Sergey
>>
>>
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> ***@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

We have also implemented option 3. In our case, the RS is supporting our
own AS and an external trusted AS. The hybrid JWT allows us to know
where to validate the token and also allows the external AS to protect
it's token in a way that is not visible to us.

Thanks,
George

On 3/15/16 9:12 AM, John Bradley wrote:
> Access tokens are opaque to the client not the RS.
>
> You have three basic design choices.
> 1 Use a token that the RS can locally validate. JWT or SAML are standard options or you could do your own custom format and use a HMAC to integrity protect them. If using astandard token format this supports multiple AS.
>
> 2 Use a completely opaque token and introspect it at a known AS. This supports one AS
>
> 3 Hybrid use a JWT that contains an issuer as the token but with a single opaque claim that is used as a ID by the AS. The RS receives the token looks at the issuer and sends the token to the issuer for introspection. The introspection endpoint checks the signature and looks up the reference to provide the introspection response as in 2. This supports multiple AS.
>
> I think Juston was recommending 3 as something he has done.
>
> John B.
>
>> On Mar 15, 2016, at 10:01 AM, Sergey Beryozkin <***@gmail.com> wrote:
>>
>> Hi
>>
>> After following the recent thread on multiple authorization servers, but also reading some other related threads, I have a question related to when the token introspection can be avoided.
>>
>> My understanding has been that given that access tokens are opaque the RS does not know anything about its content, hence that was the purpose of the token introspection spec: provide an interoperable way for RS to submit a token to AS and get the token data for RS to make a final decision about this token.
>>
>> I think if the access tokens are really opaque, i.e, they are sequences RS can not look into, then having the introspection option is the only way to check what the token is really about.
>>
>> But the recent replies with respect to using JWS or JWE tokens have confused me.
>>
>> 1. AccessToken as JWS JWT Token:
>>
>> RS can easily look into it, but Justin mentioned that in one case they first validate this JWS token and then forward it for some further introspection. Why start introspecting if the token has been validated and its content is visible ?
>> Perhaps because some token data which are sensitive are only visible in the introspection response ? If yes then why use a self-contained token if some more external data are associated with it.
>>
>> 2. AccessToken as JWE JWT Token: this option was mentioned a couple of times recently, Jonh B. suggested in the other thread the introspection may not be needed (sorry if I misread it).
>> The question here, how can RS deal with a JWE token, it would need to share the decrypting key with AS.
>>
>> So, is introspection needed only for the completely opaque tokens or it is also needed for JWS and JWE tokens. I'd say it might be reasonable to skip it in case of JWS, depending on the specific requirements (as the expiry, issuer, will be typically set in JWS JWT), while with JWE I can not see how RS can avoid introspecting unless it shares the secret/private key with AS.
>>
>>
>> Thanks, Sergey
>>
>>
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> ***@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> ***@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

+1 to all of this.

Our reasoning for the JWT+introspection was to allow for an RS to take in tokens from multiple AS, by looking up the issuer in the JWT itself.

— Justin

> On Mar 15, 2016, at 12:34 PM, Thomas Broyer <***@gmail.com> wrote:
>
>
>
> On Tue, Mar 15, 2016 at 2:02 PM Sergey Beryozkin <***@gmail.com <mailto:***@gmail.com>> wrote:
> Hi
>
> After following the recent thread on multiple authorization servers, but
> also reading some other related threads, I have a question related to
> when the token introspection can be avoided.
>
> My understanding has been that given that access tokens are opaque the
> RS does not know anything about its content, hence that was the purpose
> of the token introspection spec: provide an interoperable way for RS to
> submit a token to AS and get the token data for RS to make a final
> decision about this token.
>
> I think if the access tokens are really opaque, i.e, they are sequences
> RS can not look into, then having the introspection option is the only
> way to check what the token is really about.
>
> But the recent replies with respect to using JWS or JWE tokens have
> confused me.
>
> 1. AccessToken as JWS JWT Token:
>
> RS can easily look into it, but Justin mentioned that in one case they
> first validate this JWS token and then forward it for some further
> introspection. Why start introspecting if the token has been validated
> and its content is visible ?
>
> Because you want to know whether it's been revoked before its expiration. Introspection is the only way (unless AS and RS are colocated), as only the AS knows.
>
> Perhaps because some token data which are sensitive are only visible in
> the introspection response ? If yes then why use a self-contained token
> if some more external data are associated with it.
>
> If the token is not valid (bad issuer, bad signature, expired; or if the scopes are included: insufficient scopes), it saves you a request to the introspection endpoint ;-)
> Only if the token passes the first checks would you introspect it to see if it's still active (not revoked) and possibly retrieve more data about it.
>
> 2. AccessToken as JWE JWT Token: this option was mentioned a couple of
> times recently, Jonh B. suggested in the other thread the introspection
> may not be needed (sorry if I misread it).
> The question here, how can RS deal with a JWE token, it would need to
> share the decrypting key with AS.
>
> I think that was the idea yes (didn't someone commented on the thread that they deployed JWT tokens with shared secrets or symmetric keys?)
>
> So, is introspection needed only for the completely opaque tokens or it
> is also needed for JWS and JWE tokens. I'd say it might be reasonable to
> skip it in case of JWS, depending on the specific requirements (as the
> expiry, issuer, will be typically set in JWS JWT), while with JWE I can
> not see how RS can avoid introspecting unless it shares the
> secret/private key with AS.
>
> As Justin mentioned in the other thread: introspection is useful (required?) for checking the "liveness" of the token.
>
> Side-note: given the size of a JWT compared to some "simpler", opaque tokens (mere identifiers), and the fact introspection response are likely to be cached for a few minutes by the RS, I wonder if using a JWT so you can possibly avoid an introspection request outweights (sic!) the bloat of a JWT sent repeatedly over the network (possibly a network with high latency, low bandwidth, and sometimes paid based on exchanged volumes).
> This is rhetoric actually: I side on the "small token that require introspection" until someone comes with a compelling argument to go the other way.
> _______________________________________________
> OAuth mailing list
> ***@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

While I understand the desire for small tokens, we chose JWT as a
wrapper for the external AS opaque token so that we would have a generic
implementation that can be expanded to additional partners without
affecting our implementation.

You could assign each AS in a multiple AS closed environment a unique
value and then pre/post-fix it to the opaque token so that the RS could
know where to introspect it. This is still a structured token, just a
binary representation to save size. There are probably better binary
ways to do this:)

Thanks,
George

On 3/15/16 12:34 PM, Thomas Broyer wrote:
>
>
> On Tue, Mar 15, 2016 at 2:02 PM Sergey Beryozkin <***@gmail.com
> <mailto:***@gmail.com>> wrote:
>
> Hi
>
> After following the recent thread on multiple authorization
> servers, but
> also reading some other related threads, I have a question related to
> when the token introspection can be avoided.
>
> My understanding has been that given that access tokens are opaque the
> RS does not know anything about its content, hence that was the
> purpose
> of the token introspection spec: provide an interoperable way for
> RS to
> submit a token to AS and get the token data for RS to make a final
> decision about this token.
>
> I think if the access tokens are really opaque, i.e, they are
> sequences
> RS can not look into, then having the introspection option is the only
> way to check what the token is really about.
>
> But the recent replies with respect to using JWS or JWE tokens have
> confused me.
>
> 1. AccessToken as JWS JWT Token:
>
> RS can easily look into it, but Justin mentioned that in one case they
> first validate this JWS token and then forward it for some further
> introspection. Why start introspecting if the token has been validated
> and its content is visible ?
>
>
> Because you want to know whether it's been revoked before its
> expiration. Introspection is the only way (unless AS and RS are
> colocated), as only the AS knows.
>
> Perhaps because some token data which are sensitive are only
> visible in
> the introspection response ? If yes then why use a self-contained
> token
> if some more external data are associated with it.
>
>
> If the token is not valid (bad issuer, bad signature, expired; or if
> the scopes are included: insufficient scopes), it saves you a request
> to the introspection endpoint ;-)
> Only if the token passes the first checks would you introspect it to
> see if it's still active (not revoked) and possibly retrieve more data
> about it.
>
> 2. AccessToken as JWE JWT Token: this option was mentioned a couple of
> times recently, Jonh B. suggested in the other thread the
> introspection
> may not be needed (sorry if I misread it).
> The question here, how can RS deal with a JWE token, it would need to
> share the decrypting key with AS.
>
>
> I think that was the idea yes (didn't someone commented on the thread
> that they deployed JWT tokens with shared secrets or symmetric keys?)
>
> So, is introspection needed only for the completely opaque tokens
> or it
> is also needed for JWS and JWE tokens. I'd say it might be
> reasonable to
> skip it in case of JWS, depending on the specific requirements (as the
> expiry, issuer, will be typically set in JWS JWT), while with JWE
> I can
> not see how RS can avoid introspecting unless it shares the
> secret/private key with AS.
>
>
> As Justin mentioned in the other thread: introspection is useful
> (required?) for checking the "liveness" of the token.
>
> Side-note: given the size of a JWT compared to some "simpler", opaque
> tokens (mere identifiers), and the fact introspection response are
> likely to be cached for a few minutes by the RS, I wonder if using a
> JWT so you can possibly avoid an introspection request outweights
> (sic!) the bloat of a JWT sent repeatedly over the network (possibly a
> network with high latency, low bandwidth, and sometimes paid based on
> exchanged volumes).
> This is rhetoric actually: I side on the "small token that require
> introspection" until someone comes with a compelling argument to go
> the other way.
>
>
> _______________________________________________
> OAuth mailing list
> ***@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

Hi Thomas

Yes, we currently only support 'small' tokens with the introspection and
the local caching (though not time but size based which is not ideal if
we talk about the revocations, though in a high end servers that should
still invalidate the cache fast enough).
But that does not support multiple AS (I haven't had such a requirement
but it is an important thing to know about), so a 'light-weight' hybrid
JWS as it was suggested by several experts seems like a neat compromise.

Sergey
On 15/03/16 16:34, Thomas Broyer wrote:
>
>
> On Tue, Mar 15, 2016 at 2:02 PM Sergey Beryozkin <***@gmail.com
> <mailto:***@gmail.com>> wrote:
>
> Hi
>
> After following the recent thread on multiple authorization servers, but
> also reading some other related threads, I have a question related to
> when the token introspection can be avoided.
>
> My understanding has been that given that access tokens are opaque the
> RS does not know anything about its content, hence that was the purpose
> of the token introspection spec: provide an interoperable way for RS to
> submit a token to AS and get the token data for RS to make a final
> decision about this token.
>
> I think if the access tokens are really opaque, i.e, they are sequences
> RS can not look into, then having the introspection option is the only
> way to check what the token is really about.
>
> But the recent replies with respect to using JWS or JWE tokens have
> confused me.
>
> 1. AccessToken as JWS JWT Token:
>
> RS can easily look into it, but Justin mentioned that in one case they
> first validate this JWS token and then forward it for some further
> introspection. Why start introspecting if the token has been validated
> and its content is visible ?
>
>
> Because you want to know whether it's been revoked before its
> expiration. Introspection is the only way (unless AS and RS are
> colocated), as only the AS knows.
>
> Perhaps because some token data which are sensitive are only visible in
> the introspection response ? If yes then why use a self-contained token
> if some more external data are associated with it.
>
>
> If the token is not valid (bad issuer, bad signature, expired; or if the
> scopes are included: insufficient scopes), it saves you a request to the
> introspection endpoint ;-)
> Only if the token passes the first checks would you introspect it to see
> if it's still active (not revoked) and possibly retrieve more data about it.
>
> 2. AccessToken as JWE JWT Token: this option was mentioned a couple of
> times recently, Jonh B. suggested in the other thread the introspection
> may not be needed (sorry if I misread it).
> The question here, how can RS deal with a JWE token, it would need to
> share the decrypting key with AS.
>
>
> I think that was the idea yes (didn't someone commented on the thread
> that they deployed JWT tokens with shared secrets or symmetric keys?)
>
> So, is introspection needed only for the completely opaque tokens or it
> is also needed for JWS and JWE tokens. I'd say it might be reasonable to
> skip it in case of JWS, depending on the specific requirements (as the
> expiry, issuer, will be typically set in JWS JWT), while with JWE I can
> not see how RS can avoid introspecting unless it shares the
> secret/private key with AS.
>
>
> As Justin mentioned in the other thread: introspection is useful
> (required?) for checking the "liveness" of the token.
>
> Side-note: given the size of a JWT compared to some "simpler", opaque
> tokens (mere identifiers), and the fact introspection response are
> likely to be cached for a few minutes by the RS, I wonder if using a JWT
> so you can possibly avoid an introspection request outweights (sic!) the
> bloat of a JWT sent repeatedly over the network (possibly a network with
> high latency, low bandwidth, and sometimes paid based on exchanged volumes).
> This is rhetoric actually: I side on the "small token that require
> introspection" until someone comes with a compelling argument to go the
> other way.


--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

If the client specifies the resource it wants the token for, then the meta-data would not be required unless the resources the token is good at are different from the request.
Lat is the same logic as scopes.

For backwards compatibility if the client is happy with the default resources based on scopes then I think it is a good idea to tell the client what the resources are in the response.

I suspect that it is simpler with less optionality and always return the resources, even if they are not required.

John B.

> On Mar 15, 2016, at 12:46 PM, Brian Campbell <***@pingidentity.com> wrote:
>
> If the client specifies the desired audience(s)/resource(s), is that metadata to the client needed? The AS can audience restrict the token as needed or respond with an error if it can't or wont issue a token for the resource the client asked for.
>
> On Tue, Mar 15, 2016 at 9:37 AM, John Bradley <***@ve7jtb.com <mailto:***@ve7jtb.com>> wrote:
> Yes, I think bearer tokens with no audience are a bad idea.
>
> The AS needs to infer an audience from the scopes snd/or have the client specify the desired audience.
>
> If the AT has a audience or audiences then as long as the endpoint URI are provided as meta-data with the token, the client can determine if it is sending the token to the correct place.
>
> I think Phil would prefer the server rather than the client do the check, but the client always needs to take some responsibility to not leak tokens giving them to the wrong RS or the code to the wrong token endpoint is leaking.
>
> I imagine that claims based access tokens are going to become more popular and the static relationship between one RS and one AS will not be the majority of deployments over time.
>
> In any case where the client is configured up front to know the RS and the AS it seems like that would not require Phil’s Solution, but that is the only case supported by that discovery.
>
> If the client itself is bad there is not much you can do to stop it from passing on the AT in way way it wants. That however is a different problem and needs claimed URI or attestations to prevent client spoofing.
> William and I are working on that in the mobile best practices draft.
>
> John B.
>
>
>> On Mar 15, 2016, at 12:09 PM, George Fletcher <***@aol.com <mailto:***@aol.com>> wrote:
>>
>> I worry about two directions I see in this thread...
>>
>> 1. Client's accessing resources dynamically so that discovery is required to know the correct AS, etc. This is pretty much the classic use case for UMA and I'd rather not re-invent the wheel.
>>
>> 2. Creating a tight coupling between RS and AS such that RS endpoint changes must be continually communicated to the AS. If an RS supports multiple AS's then the RS has to deal with "guaranteed" delivery. The AS needs an endpoint to receive such communications. If not dynamic via APIs, then deployment of the new RS is bound by the associated AS's getting and deploying the new endpoints. Can both endpoints of the RS be supported within the AS for some period of time, etc. This is an operation nightmare and almost assuredly going to go wrong in production.
>>
>> Maybe an OAuth2 "audience binding" spec is what's needed for those deployments that require this. I believe that is what John Bradley is suggesting.
>>
>> Thanks,
>> George
>>
>> On 3/14/16 7:29 PM, Hans Zandbelt wrote:
>>> +1, I've found the very same in OAuth deployments that I was involved in; the hard part is to give names and descriptions to these concepts so that they cover all use cases and can be applied unambiguously
>>>
>>> Hans.
>>>
>>> On 3/14/16 10:44 PM, Justin Richer wrote:
>>>> I agree that this is valuable, and not just for PoP. In all honesty,
>>>> it’s not even really required for PoP to function in many cases — it’s
>>>> just an optimization for one particular kind of key distribution
>>>> mechanism in that case.
>>>>
>>>> In the years of deployment experience with OAuth 2, I think we’ve really
>>>> got three different kinds of things that currently get folded into
>>>> “scope” that we might want to try separating out better:
>>>>
>>>>
>>>> - What things do I want to access? (photos, profile)
>>>> - What actions do I want to take on these things? (read, write, delete)
>>>> - How long do I want these tokens to work?
>>>> (offline_access/refresh_token, one time use, next hour, etc)
>>>>
>>>>
>>>> I think the first one is close to the audience/resource parameters that
>>>> have been bandied about a few times, including in the current token
>>>> exchange document. We should be consistent across drafts in that regard.
>>>> The second is more traditional scope-ish. The third has been patched in
>>>> with things like “offline_access” in certain APIs.
>>>>
>>>> Just another vector to think about if we’re going to be adding things
>>>> like “audience” or “resource” or both to the token requests.
>>>>
>>>> — Justin
>>>>
>>>>
>>>>> On Mar 14, 2016, at 6:26 PM, John Bradley <***@ve7jtb.com <mailto:***@ve7jtb.com>
>>>>> <mailto:***@ve7jtb.com> <mailto:***@ve7jtb.com>> wrote:
>>>>>
>>>>> Yes I will work on another proposal for allowing clients to specify
>>>>> what resource they want a token for and providing the meta-data to the
>>>>> client about the resources that a token is valid for.
>>>>>
>>>>> We have part of it in the POP key distribution spec and talked about
>>>>> separating it, as it is used more places than just for assigning keys.
>>>>> I know some AS use different token formats for different RS so are
>>>>> all-ready needing to pass the resource in the request to avoid making
>>>>> a mess of scopes.
>>>>>
>>>>> John B.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> On Mar 14, 2016, at 7:17 PM, Phil Hunt (IDM) <***@oracle.com <mailto:***@oracle.com>
>>>>>> <mailto:***@oracle.com> <mailto:***@oracle.com>> wrote:
>>>>>>
>>>>>> Inline
>>>>>>
>>>>>> Phil
>>>>>>
>>>>>> On Mar 14, 2016, at 14:13, John Bradley <***@ve7jtb.com <mailto:***@ve7jtb.com>
>>>>>> <mailto:***@ve7jtb.com> <mailto:***@ve7jtb.com>> wrote:
>>>>>>
>>>>>>> We had two mandates. One was to provide a spec for AS metadata.
>>>>>>> The other was to mitigate the client mixup attack. The request was
>>>>>>> to do the latter without requiring the former for clients that don’t
>>>>>>> otherwise need discovery.
>>>>>> There is no mandate for any of this. See
>>>>>> http://tools.ietf.org/wg/oauth/charters?item=charter-oauth-2016-01-22.txt <http://tools.ietf.org/wg/oauth/charters?item=charter-oauth-2016-01-22.txt>
>>>>>>>
>>>>>>> Returning the issuer and client_id from the authorization endpoint
>>>>>>> and the client checking them can be done by the client without
>>>>>>> discovery.
>>>>>>
>>>>>> How does this address the issue of whether the client is talking to
>>>>>> the wrong endpoint?
>>>>>>>
>>>>>>> Any client that has the resource and issuer hard coded probably
>>>>>>> doesn’t need discovery.
>>>>>> We agree
>>>>>>
>>>>>>
>>>>>>> One of the things that a client will need discovery for is to find
>>>>>>> the RS, so requiring the client to know the RS URI before getting
>>>>>>> the AS config seems backwards to me.
>>>>>> How can you make an assumption on order? You seem to be conflating
>>>>>> authentication with authorization by assuming the identity drives
>>>>>> what the resource is.
>>>>>>
>>>>>> There are lots of applications that require user rights but are not
>>>>>> identify centric. For example a document service.
>>>>>>>
>>>>>>> Unless the client tells the AS where it intends to use the token we
>>>>>>> will be leaving a security hole because the bearer tokens will have
>>>>>>> too loose an audience if they have one at all.
>>>>>> This is the biggest risk we have IMHO.
>>>>>>>
>>>>>>> True you are telling the AS (Webfinger service) what the RS is but
>>>>>>> that is not at a place that is useful in the token production process.
>>>>>>
>>>>>> This has nothing to do with token production.
>>>>>>
>>>>>> What we want to ensure is whether an honest client is correctly
>>>>>> configured and has not been mislead - eg by a phishing page.
>>>>>>>
>>>>>>> I also think there are use cases where the AS doesn’t know all the
>>>>>>> possible RS. That is not something that a out of band check can
>>>>>>> address.
>>>>>>
>>>>>> May be. Lets identify them.
>>>>>>
>>>>>>> There are also cases where a token might be good at multiple RS
>>>>>>> endpoints intentionally.
>>>>>>
>>>>>>> In your solution the client would need to make a discovery request
>>>>>>> for each endpoint.
>>>>>> Sure. Otherwise how would it know if there is one AS or a pool of AS
>>>>>> servers assigned to each instance?
>>>>>>> Those requests lack the context of who the client and resource owner
>>>>>>> are. I think that will be a problem in some use cases.
>>>>>>
>>>>>> Not sure I agree. This is about discovering a valid set of endpoints.
>>>>>> For mitm, we mainly want to check the hostname is correct. If a
>>>>>> client chooses evil.com <http://evil.com/> <http://evil.com/> <http://evil.com/> the cert can be valid and
>>>>>> TLS will pass. How does it otherwise know it is supposed to talk to
>>>>>> res.example.com <http://res.example.com/> <http://res.example.com/> <http://res.example.com/>?
>>>>>>>
>>>>>>> If this is added to the token endpoint it would be checked when code
>>>>>>> or refresh are exchanged, not every time the token is used.
>>>>>> Your proposal requires rhe client to check. I am not clear how the AS
>>>>>> can know the exact uri. It is far easier to validate than to lookup
>>>>>> since as you say the client may be authorized to use multiple ASs.
>>>>>>> With a out of band check the client would never know if a RS was
>>>>>>> removed/revoked.
>>>>>>
>>>>>> Not sure that is in scope.
>>>>>>
>>>>>> None of the current proposals address this issue.
>>>>>>>
>>>>>>> I don’t see checking when refreshing a token as something that is a
>>>>>>> huge burden.
>>>>>>
>>>>>> Still its a lot more than once.
>>>>>>
>>>>>> Why don't you draft another alternative?
>>>>>>>
>>>>>>> If the server wants to do the check on it’s side then we could
>>>>>>> require the client to send the RS URI in the token request. that way
>>>>>>> you really know the client is not going to get a token for the wrong
>>>>>>> RS endpoint.
>>>>>>> If you check out of band in discovery you really have no idea if the
>>>>>>> client is checking.
>>>>>>
>>>>>> In the new webfinger draft, the client isn't checking. The service
>>>>>> provider simply does not disclose oauth information to misconfigured
>>>>>> clients.
>>>>>>>
>>>>>>> John B.
>>>>>>>
>>>>>>>
>>>>>>>> On Mar 14, 2016, at 3:56 PM, Phil Hunt <***@oracle.com <mailto:***@oracle.com>
>>>>>>>> <mailto:***@oracle.com> <mailto:***@oracle.com>> wrote:
>>>>>>>>
>>>>>>>> Thanks to Mike and John for their feedback. I’ll take each in turn:
>>>>>>>>
>>>>>>>> Mike,
>>>>>>>>
>>>>>>>> Regarding your suggested amendments
>>>>>>>>
>>>>>>>> Item 1: Returning the config URL would create two problems. One,it
>>>>>>>> makes bound discovery a two-step process - that adds complexity.
>>>>>>>> It seems far simpler to mandate TLS (which I think it already does
>>>>>>>> in the security considerations).
>>>>>>>>
>>>>>>>> The two-step process allows the current discovery process to
>>>>>>>> continue. I disagree with this. This is why I put forward an
>>>>>>>> “alternate" draft that is almost the same but simply adds the check
>>>>>>>> before returning the configuration data. I worry that developers
>>>>>>>> would have no incentive to do the two-step approach. They would
>>>>>>>> just start at step 2 which in turn puts AS’s at risk of exposing
>>>>>>>> tokens because it works. This makes OAuth promiscuous.
>>>>>>>>
>>>>>>>> Regarding existing implementations. Most of those implementations
>>>>>>>> are for OIDC. I think it makes sense for OIDF to continue use of
>>>>>>>> OIDC's discovery spec because the UserInfo endpoint is well defined
>>>>>>>> and the likelihood of a client mis-informed about the resource
>>>>>>>> endpoint is not there. IMO This does not apply to the broader
>>>>>>>> OAuth community.
>>>>>>>>
>>>>>>>> Item 2: It may be appropriate to have a separate configuration
>>>>>>>> registry specification, but I think we should hold off until we
>>>>>>>> have a complete solution and then make the decision what drafts
>>>>>>>> should exist and how many pieces. A big concern is the perceived
>>>>>>>> complexity of multiple solutions and multiple drafts.
>>>>>>>>
>>>>>>>> As to John Bradley’s comments:
>>>>>>>>
>>>>>>>> Re: Discovery is the wrong place to mitigate threats.
>>>>>>>> I’m confused by this. Our mandate was to solve a security threat
>>>>>>>> by having a discovery specification to prevent clients being
>>>>>>>> mis-lead about endpoints (of which resource service is one) in an
>>>>>>>> oauth protected exchange. Maybe what you mean is we should not use
>>>>>>>> .well-known of any kind and we should just create a “/Config”
>>>>>>>> endpoint to OAuth?
>>>>>>>>
>>>>>>>> Re: Your proposal for MITM mitigation
>>>>>>>> You propose that instead the resource endpoint check should be in
>>>>>>>> the oauth protocol itself. The difference is that validation is
>>>>>>>> transferred back to the client to get it right. As well, without
>>>>>>>> the client informing the AS, I can’t see a way for the AS to know
>>>>>>>> what endpoint the client is using. The webfinger approach does
>>>>>>>> this once and only requires that the host name be checked in many
>>>>>>>> cases.
>>>>>>>>
>>>>>>>> As a principle, the members have discussed many times that the AS
>>>>>>>> service should do validation when possible — this was particularly
>>>>>>>> true at the Germany meeting when this came up. This is why I prefer
>>>>>>>> the client tell the service provider what it intends to do and the
>>>>>>>> service provider can fail that request immediately if necessary. We
>>>>>>>> don’t have to depend on the developer getting the spec correct to
>>>>>>>> fail the correct way.
>>>>>>>>
>>>>>>>> I worry that adding more parameters to the authz and token protocol
>>>>>>>> flows increases complexity and attack surface. It also means per
>>>>>>>> authorization validation has to take place vs. a one-time
>>>>>>>> validation at config time. Placing it in the configuration lookup
>>>>>>>> phase (whether via web finger or just a special OAuth endpoint)
>>>>>>>> seems more appropriate and far less complex - as the request itself
>>>>>>>> is simple and has only one parameter. Here we are not considered
>>>>>>>> about legitimacy of the client. we’re just concerned with the issue
>>>>>>>> "has the client been correctly informed?”
>>>>>>>>
>>>>>>>> That said, it may be that when we consider all the use cases, some
>>>>>>>> combination of AS protocol and discovery may be both needed. I’m
>>>>>>>> not ready to make conclusions about this. The current
>>>>>>>> oauth-discovery spec seems to put future generic clients at risk
>>>>>>>> and that is my primary concern.
>>>>>>>>
>>>>>>>> Best Regards,
>>>>>>>>
>>>>>>>> Phil
>>>>>>>>
>>>>>>>> @independentid
>>>>>>>> www.independentid.com <http://www.independentid.com/> <http://www.independentid.com/> <http://www.independentid.com/>
>>>>>>>> ***@oracle.com <mailto:***@oracle.com> <mailto:***@oracle.com> <mailto:***@oracle.com>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> On Mar 13, 2016, at 10:28 PM, Mike Jones
>>>>>>>>> <***@microsoft.com <mailto:***@microsoft.com> <mailto:***@microsoft.com> <mailto:***@microsoft.com>>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>> Thanks for posting this, Phil. It provides a concrete example of
>>>>>>>>> a way that protected resource discovery could be added to
>>>>>>>>> authorization server metadata discovery, and as such, should
>>>>>>>>> provide useful input for working group discussions on this topic.
>>>>>>>>> It’s always great when someone takes the time to write an actual
>>>>>>>>> draft that can be examined and implemented, and I appreciate you
>>>>>>>>> doing that.
>>>>>>>>> The content of your draft points out that there appears to be
>>>>>>>>> complete agreement on what the authorization server metadata
>>>>>>>>> format should be, which is great! I’ll note that Section 3 of
>>>>>>>>> draft-hunt-oauth-bound-config-00 titled “Authorization Server
>>>>>>>>> Metadata” is an exact copy of Section 2 of
>>>>>>>>> draft-ietf-oauth-discovery-01 (with the same title), modulo
>>>>>>>>> applying a correction suggested by the working group. To me this
>>>>>>>>> suggests that the authorization server metadata definitions in
>>>>>>>>> draft-ietf-oauth-discovery (which is now the whole normative
>>>>>>>>> content of the draft) are clearly ready for standardization, since
>>>>>>>>> even your alternative proposal includes them verbatim.
>>>>>>>>> Reading your draft, the problem I have with it is that you are
>>>>>>>>> returning the AS metadata only as a WebFinger response, rather
>>>>>>>>> than as an https-protected resource published by the authorization
>>>>>>>>> server. The choice to only return this via WebFinger makes your
>>>>>>>>> draft incompatible with most deployed implementations of OAuth
>>>>>>>>> metadata, including the 22 implementations using it listed
>>>>>>>>> athttp://openid.net/certification/ <>(see the “OP Config” column in
>>>>>>>>> the table) andOAuth 2.0 libraries such as Microsoft’s “ADAL”
>>>>>>>>> library, which uses the metadata path for client configuration.
>>>>>>>>> Without having ASs provide the metadata as an https-protected
>>>>>>>>> resource, implementations such as ADAL can’t use it for client
>>>>>>>>> configuration as the currently do.
>>>>>>>>> Therefore, I would request that you make these minor revisions to
>>>>>>>>> your draft and republish, so as to provide a unified way forward
>>>>>>>>> that is compatible with all known existing OAuth Discovery
>>>>>>>>> deployments:
>>>>>>>>> 1.Modify your section 2 “Authorization Server WebFinger Discovery”
>>>>>>>>> to have the WebFinger request return the issuer identifier for the
>>>>>>>>> AS as the “WebFinger “rel” value, rather than returning the
>>>>>>>>> metadata values by value as the “properties” value.
>>>>>>>>> 2.Reference the metadata definitions from Section 2 of
>>>>>>>>> draft-ietf-oauth-discovery, rather than duplicating them in your
>>>>>>>>> Section 3.
>>>>>>>>> That would have the advantage of paring your draft down to only
>>>>>>>>> the new things that it proposes, enabling them to be more clearly
>>>>>>>>> understood and evaluated on their own merits. I look forward to
>>>>>>>>> the discussions of ways of performing additional kinds of OAuth
>>>>>>>>> discovery, and consider your draft a valuable input to those
>>>>>>>>> discussions.
>>>>>>>>> Best wishes,
>>>>>>>>> -- Mike
>>>>>>>>> *From:*OAuth [mailto:oauth-***@ietf.org <mailto:oauth-***@ietf.org>]*On Behalf Of*John Bradley
>>>>>>>>> *Sent:*Sunday, March 13, 2016 6:45 PM
>>>>>>>>> *To:*Phil Hunt <***@oracle.com <mailto:***@oracle.com> <mailto:***@oracle.com> <mailto:***@oracle.com>>
>>>>>>>>> *Cc:*oauth <***@ietf.org <mailto:***@ietf.org> <mailto:***@ietf.org> <mailto:***@ietf.org>>
>>>>>>>>> *Subject:*Re: [OAUTH-WG] New Version Notification for
>>>>>>>>> draft-hunt-oauth-bound-config-00.txt
>>>>>>>>> As I have told Phil off list.
>>>>>>>>> Discovery is the wrong place to try and provide security against
>>>>>>>>> man in the middle attacks on the RS.
>>>>>>>>> This requires the client to know what the RS URI is before
>>>>>>>>> retrieving the information on the AS Configuration.
>>>>>>>>> The proposal Mike and I have been working on requires the client
>>>>>>>>> to have a notion of what API it is looking for and retrieve the
>>>>>>>>> .well-known file for that API from the issuer. That allows a
>>>>>>>>> protocol like Connect to register its own config file that can
>>>>>>>>> point to the RS.
>>>>>>>>> If the API specific well known is not available the client can try
>>>>>>>>> the default oauth-server one.
>>>>>>>>> That then allows us to deal with restricting where AT are
>>>>>>>>> presented as part of the protocol rather then dragging discovery
>>>>>>>>> in as a requirement.
>>>>>>>>> In my opinion the resource the token is targeted to should be
>>>>>>>>> separated from the scope and returned as part of the meta-data
>>>>>>>>> about the AT along with scopes granted and expiry time. We
>>>>>>>>> should also have a input parameter for resources so that a client
>>>>>>>>> can restrict tokens issued to a subset of the ones granted by the
>>>>>>>>> refresh token. It would then also be possible to ask a AS for a
>>>>>>>>> token for a unregistered RS and have the AS produce a JWT access
>>>>>>>>> token with the resource as an audience if policy allows.
>>>>>>>>> That however was supposed to be dealt with as part of the mixed up
>>>>>>>>> client set of mitigations.
>>>>>>>>> In that the goal was to mitigate the attacks by returning
>>>>>>>>> meta-data about the tokens, and not to require discovery.
>>>>>>>>> We intend to return “iss” and “cleint_id” for the code, and I
>>>>>>>>> intend to discuss at the F2F returning resource for AT as well.
>>>>>>>>> Those mitigate the attack.
>>>>>>>>> I will continue to resist mixing up discovery of configuration
>>>>>>>>> meta-data with mitigation of the attacks.
>>>>>>>>> We return meta-data about the tokens now, because AT are opaque to
>>>>>>>>> the client, we neglected to include some of the information for
>>>>>>>>> the client needs to be secure. We just need to add that in to
>>>>>>>>> the existing flows.
>>>>>>>>> While Phil’s proposal is easier for the AS to implement as an add
>>>>>>>>> on, it puts more of a burden on the client needing to potentially
>>>>>>>>> change how it stores the relationships between AS and RS to
>>>>>>>>> prevent compromise, I think the solution should be biased towards
>>>>>>>>> simplicity on the client side.
>>>>>>>>> If we return the resources as part of the existing meta data the
>>>>>>>>> client checks that against the resource it intends to send the
>>>>>>>>> token to and if it is not in the list then it can’t send the
>>>>>>>>> token. Simple check every time it gets a new AT, no optionality.
>>>>>>>>> I am not saying anything new Nat has been advocating basically
>>>>>>>>> this for some time, and dis submit a draft. I prefer to return
>>>>>>>>> the info in the existing format rather than as link headers, but
>>>>>>>>> that is the largest difference between what Nat and I are saying
>>>>>>>>> with respect to resource.
>>>>>>>>> That is the core of my problem with Phil’s draft.
>>>>>>>>> I guess we will need to have a long conversation in BA.
>>>>>>>>> Regards
>>>>>>>>> John B.
>>>>>>>>>
>>>>>>>>> On Mar 13, 2016, at 8:12 PM, Phil Hunt <***@oracle.com <mailto:***@oracle.com>
>>>>>>>>> <mailto:***@oracle.com> <mailto:***@oracle.com>> wrote:
>>>>>>>>> This draft is a proposed alternate proposal for
>>>>>>>>> draft-ietf-oauth-discovery. As such, it contains the same
>>>>>>>>> registry for OAuth Config Metadata as the authors believe that
>>>>>>>>> both solutions are not required, or depending on WG discussion
>>>>>>>>> they will be merged. The intent is to provide a simple
>>>>>>>>> complete draft for consideration.
>>>>>>>>> How it works...
>>>>>>>>> Given that a client has previously discovered an OAuth
>>>>>>>>> protected resource, the bound configuration method allows a
>>>>>>>>> client to return the configuration for an oauth authorization
>>>>>>>>> server that can issue tokens for the resource URI specified by
>>>>>>>>> the client. The AS is not required to be in the same domain.
>>>>>>>>> The AS is however required to know if it can issue tokens for
>>>>>>>>> a resource service (which presumes some agreement exists on
>>>>>>>>> tokens etc).
>>>>>>>>> The draft does not require that the resource exist (e.g. for
>>>>>>>>> unconfigured or new user based resources). It only requires
>>>>>>>>> that the AS service provider agrees it can issue tokens.
>>>>>>>>> From a security perspective, returning the OAuth service
>>>>>>>>> configuration for a specified resource URI serves to confirm
>>>>>>>>> the client is in possession of a valid resource URI ensuring
>>>>>>>>> the client has received a valid set of endpoints for the
>>>>>>>>> resource and the associated oauth services.
>>>>>>>>> I propose that the WG consider the alternate draft carefully
>>>>>>>>> as well as other submissions and evaluate the broader
>>>>>>>>> discovery problem before proceeding with WGLC on OAuth Discovery.
>>>>>>>>> Thanks!
>>>>>>>>> Phil
>>>>>>>>> @independentid
>>>>>>>>> www.independentid.com <http://www.independentid.com/> <http://www.independentid.com/> <http://www.independentid.com/>
>>>>>>>>> ***@oracle.com <mailto:***@oracle.com> <mailto:***@oracle.com> <mailto:***@oracle.com>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Begin forwarded message:
>>>>>>>>> *From:*internet-***@ietf.org <mailto:internet-***@ietf.org>
>>>>>>>>> <mailto:internet-***@ietf.org> <mailto:internet-***@ietf.org>
>>>>>>>>> *Subject: New Version Notification for
>>>>>>>>> draft-hunt-oauth-bound-config-00.txt*
>>>>>>>>> *Date:*March 13, 2016 at 3:53:37 PM PDT
>>>>>>>>> *To:*"Phil Hunt" <***@yahoo.com <mailto:***@yahoo.com>
>>>>>>>>> <mailto:***@yahoo.com> <mailto:***@yahoo.com>>, "Anthony Nadalin"
>>>>>>>>> <***@microsoft.com <mailto:***@microsoft.com> <mailto:***@microsoft.com> <mailto:***@microsoft.com>>,
>>>>>>>>> "Tony Nadalin" <***@microsoft.com <mailto:***@microsoft.com>
>>>>>>>>> <mailto:***@microsoft.com> <mailto:***@microsoft.com>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> A new version of I-D, draft-hunt-oauth-bound-config-00.txt
>>>>>>>>> has been successfully submitted by Phil Hunt and posted to the
>>>>>>>>> IETF repository.
>>>>>>>>>
>>>>>>>>> Name:draft-hunt-oauth-bound-config
>>>>>>>>> Revision:00
>>>>>>>>> Title:OAuth 2.0 Bound Configuration Lookup
>>>>>>>>> Document date:2016-03-13
>>>>>>>>> Group:Individual Submission
>>>>>>>>> Pages:22
>>>>>>>>> URL:
>>>>>>>>> https://www.ietf.org/internet-drafts/draft-hunt-oauth-bound-config-00.txt <https://www.ietf.org/internet-drafts/draft-hunt-oauth-bound-config-00.txt>
>>>>>>>>> Status:
>>>>>>>>> https://datatracker.ietf.org/doc/draft-hunt-oauth-bound-config/ <https://datatracker.ietf.org/doc/draft-hunt-oauth-bound-config/>
>>>>>>>>> Htmlized:
>>>>>>>>> https://tools.ietf.org/html/draft-hunt-oauth-bound-config-00 <https://tools.ietf.org/html/draft-hunt-oauth-bound-config-00>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Abstract:
>>>>>>>>> This specification defines a mechanism for the client of
>>>>>>>>> an OAuth 2.0
>>>>>>>>> protected resource service to obtain the configuration
>>>>>>>>> details of an
>>>>>>>>> OAuth 2.0 authorization server that is capable of
>>>>>>>>> authorizing access
>>>>>>>>> to a specific resource service. The information
>>>>>>>>> includes the OAuth
>>>>>>>>> 2.0 component endpoint location URIs and as well as
>>>>>>>>> authorization
>>>>>>>>> server capabilities.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Please note that it may take a couple of minutes from the
>>>>>>>>> time of submission
>>>>>>>>> until the htmlized version and diff are available
>>>>>>>>> attools.ietf.org <http://attools.ietf.org/> <http://tools.ietf.org/> <http://tools.ietf.org/>.
>>>>>>>>>
>>>>>>>>> The IETF Secretariat
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> OAuth mailing list
>>>>>>>>> ***@ietf.org <mailto:***@ietf.org> <mailto:***@ietf.org> <mailto:***@ietf.org>
>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>>>>>>>
>>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> ***@ietf.org <mailto:***@ietf.org> <mailto:***@ietf.org> <mailto:***@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> ***@ietf.org <mailto:***@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>>>
>>>
>>
>
>
> _______________________________________________
> OAuth mailing list
> ***@ietf.org <mailto:***@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>
>