The challenge is that we project an environment where there could be thousands
of applications conforming to a particular API (see
http://wiki.siframework.org/ABBI+Pull+Workgroup), with thousands of data
holders making data available through those APIs, and several authorizers (in
the OAuth 2.0 sense). For public (locally installed or web-browser based
applications), we'd like to avoid what I call the million registration
problem<http://motorcycleguy.blogspot.com/2012/10/thousand-of-providers-and-apps-for-abbi.html>
(ignore the technical details), which would require thousands of developers to
manually register their applications with all of the authorizers.
Because this is healthcare data, it is entirely possible that data holders will
INSIST on being authorizers, which makes the problem even more challenging.
The issue that the ABBI Pull workgroup has been asked to address is to ensure
that there is some way to manage bad actors in this eco-system, e.g., through a
black-list, white-list or other trust-mechanism. This wouldn't necessarily be
required to be used, but would help an authorizer make an application access
control decision.
The challenge with a public application using dynamic registration is that
a) The application cannot keep it's credentials secret, and so must
retrieve them in some way securely
b) If the client_id is not tied back to the application identity, then we
have concerns about the trust mechanism being able to protect the environment,
c) And yet, we also want to protect clients from denial of service attacks
where a client could be impersonated (to an authorizer), and obtain a client_id.
Imagine the case where I purchase an application and download it to my iPhone
and to my iPad. Then I connect that application to a data holder/authorizer
combination it hasn't seen before. Through dynamic client registration, I
could register that application for my iPhone, but the instance of that same
application running on my iPad would know nothing about the first registration.
So it would attempt to do it all over again. What happens here?
Keith
_________________________________
Keith W. Boone
Standards Architect
GE Healthcare
M +1 617 640 7007
[email protected]<mailto:[email protected]>
www.gehealthcare.com<http://www.gehealthcare.com/>
116 Huntington Ave
Boston, MA 02116
USA
GE imagination at work
From: Richer, Justin P. [mailto:[email protected]]
Sent: Thursday, January 10, 2013 4:39 PM
To: Boone, Keith W (GE Healthcare)
Cc: [email protected] WG
Subject: Re: Mail regarding draft-ietf-oauth-dyn-reg
Interesting use case, and not dissimilar to some others I've heard. How would
you go about tracking this? Why would the instances need to know about each
other?
One possible approach would be to use a common initializing Request Access
Token that is used to call client_register on all instances of a given client.
They wouldn't know about each other, per se, but the Authorization Server would
at least know enough to be able to tie them together.
There's also the OAuth2 Instance Information extension that I had tried to push
a few years ago that comes up every now and again, that might be of use here
with some modifications:
http://tools.ietf.org/html/draft-richer-oauth-instance-00
I think I'd like to know more about your concerns and the parameters of your
use case first.
I am CC'ing the IETF OAuth Working Group email list, where this draft is being
discussed and worked on.
-- Justin
On Jan 10, 2013, at 4:24 PM, "Boone, Keith W (GE Healthcare)"
<[email protected]<mailto:[email protected]>> wrote:
I would like to be able to use this protocol to dynamically register clients,
but am challenged by the fact that there could be multiple instances of a
public client, each unaware of what others have done. The current protocol
doesn't seem to address this.
Keith
_________________________________
Keith W. Boone
Standards Architect
GE Healthcare
M +1 617 640 7007
[email protected]<mailto:[email protected]>
www.gehealthcare.com<http://www.gehealthcare.com/>
116 Huntington Ave
Boston, MA 02116
USA
GE imagination at work
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
