On 24/04/15 13:20, Justin Richer wrote:
> Stephen, thanks for the comments.
> 
> We discussed but decided to stop short of a full back-and-forth
> multi-trip information negotiation protocol in order to keep things as
> simple as possible for the simple case. The model here is that the
> client *requests* a certain set of information in the registration, and
> the server *dictates* to the client what actually occurred. This is to
> allow sensible defaults for blank fields, and other mechanisms like
> that. Instead of just saying "no", the server here has an opportunity to
> do something slightly reasonable. It's up to the client if it agrees
> with the reasonableness, and most clients (in my experience) are going
> to be super dumb and just do what they're told by the server if they're
> able to. If they're unable to, they'll just fail to use the OAuth
> protocol with that AS and users will complain (rightly) of an
> incompatibility bug. A smarter client can try to re-register and see if
> that works instead, but the vast majority of OAuth clients are really
> dumb (by design).
> 
> However, there's a bit more to the story: As it turns out, when coupled
> with the management protocol and a discovery mechanism, you actually can
> do more of a negotiated registration with the existing mechanism: client
> says "I want foo", server says "you get bar", client sends an UPDATE
> that says "can I have baz instead?", and so forth. Without the update
> mechanism, you don't have a way to tie one registration request to a
> subsequent one. If you've got server capability discovery (such as is
> defined in OpenID Connect and still-ignored by this working group) then
> you've got the ability for a smart client to see which values might work
> ahead of time. This gets a little tricky with values that have
> relationships (such as grant_types and response_types), but it's still
> workable when they've got well-defined relationships (as is required in
> the Dyn Reg spec).
> 
> So it really is out of scope for us to say what the client does when it
> gets information back it doesn't want: it can ignore it, fail on it, or
> use it. With management and discovery, it can try to re-negotiate, but
> that's a fairly sophisticated behavior.

So could we just point at the relevant specs for that behaviour?
(Not normatively, and I don't care if they're not RFCs.)

S.

> 
> Hope this helps,
>  -- Justin
> 
> On 4/24/2015 8:09 AM, Stephen Farrell wrote:
>> So this is to follow up on my discuss point#2, which said:
>>
>> (2) If the response (defined in 3.2.1) includes metadata that
>> the server has altered, but that the client doesn't like, then
>> what does the client do? (It may be that that's ok, but I'm
>> not following why that is the case.) I'm also not sure the
>> "https" requirement (1st bullet in section 5) is useful there.
>>
>> In -28 you added a bit of text to 3.2.1. saying:
>>
>> "The client or developer can check the values in the response to   
>> determine if the registration is sufficient for use (e.g., the   
>> registered "token_endpoint_auth_method" is supported by the client   
>> software) and determine a course of action appropriate for the client   
>> software.  The response to such a situation is out of scope for this   
>> specification but could include filing a report with the application   
>> developer or authorization server provider."
>>
>> That new text may be fine, but I'd like to check that I
>> understand it correctly and that it addresses the issue
>> sensibly.
>>
>> Say I'm a developer who writes and distributes a client
>> that uses this and I test it with the BIGreg.example.com
>> registration endpoint and it works, but for my application
>> to work I need a specific token_endpoint_auth_method, say
>> client_secret_basic.
>>
>> Say time passes, and we discover that client_secret_basic
>> is bad for some reason and client_secret_supergood is
>> invented and gets used a lot.
>>
>> At that point BIGreg.example.com would like to turn off
>> the (now-crappy) client_secret_basic and only allow use
>> of client_secret_supergood. If it does that, then new
>> installs of our application will fail at registration
>> time with an (opaque) error to the human user and we
>> need the application developer to do an update to add
>> client_secret_supergood.
>>
>> Or, what seems more likely is that BIGreg.example.com
>> will have to keep offering the now insecure
>> client_secret_basic until essentially no interesting
>> applications remain that don't support the new, better
>> thing. And that's the bit I don't like so much.
>>
>> This spec could (maybe, I'm not 100% sure) have been
>> written to allow for the client and registration endpoint
>> to first try to use the new better things and, if that
>> doesn't work, to try fallback to the old not so good
>> things, but that is not supported here afaics - once
>> the client sees response metadata it doesn't like,
>> there's no way for the client to say "bummer, I'd have
>> been fine if only you'd said foo and not bar, can we
>> try register again and use foo?"
>>
>> And I also don't see how the client who is really stuck
>> can tell the registration endpoint "actually, I'm not
>> successfully registered because your said bar and I don't
>> like that bit of metadata" - won't that lead to our
>> BIGreg.example.com ending up with a misleading picture
>> of what clients were successfully registered?
>>
>> So my question is: is all that really ok, or am I confused
>> in the above? (And confused is quite possible - this is
>> OAuth after all:-)
>>
>> Cheers,
>> S.
>>
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth
> 

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to