Thanks a bunch for your review, William. Draft -06 incorporates the results of
your feedback. Replies are inline.
-- Mike
From: OAuth [mailto:[email protected]] On Behalf Of William Denniss
Sent: Monday, February 20, 2017 4:59 PM
To: Hannes Tschofenig <[email protected]>
Cc: [email protected]
Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Authorization
Server Metadata
I have reviewed version 05. Two minor comments regarding Section 2.1:
1. Should we clarify that alg:none isn't supported for the signed_metadata JWT
(since it would be contradictory)?
It already says “The signed metadata MUST be digitally signed or MACed using
JSON Web Signature (JWS) [JWS]”. Given that “alg”: “none” doesn’t satisfy this
MUST, I don’t think we need to say anything additional about it.
2. Re: "metadata values conveyed in the signed metadata MUST take precedence
over those conveyed using plain JSON elements." Does this imply that *all*
values in the plain JSON elements should be ignored when the signed_metadata is
being used (not just ones present in the JWT)? If not, should it?
This is a good request for clarification. It’s been updated to say “If the
consumer of the metadata supports signed metadata, metadata values conveyed in
the signed metadata MUST take precedence over the corresponding values conveyed
using plain JSON elements.”
Overall, I strongly support the publishing of this document as an RFC for the
following reasons:
Having "machine readable" configuration metadata published by authorization
servers is a useful concept. The Google authorization server (like many others)
publishes metadata compliant with this specification, and the AppAuth series of
client libraries are capable of consuming it.
Without this standardized machine-readable metadata, developers must read
documentation to extract the relevant information, and configure clients
manually. This is cumbersome, error prone, and may get out of date.
This specification can also help prevent one category of "mix up" attack in
systems which allow self-registration of OAuth endpoints for connected
services. Rather than the developer supplying both the authorization and token
endpoints themselves (which may enable them to specify a malicious token
endpoint), such a system can use the token endpoint specified in the
authorization server's metadata, thus preventing this category of attack (and
simplifying the registration process to boot).
On Mon, Feb 20, 2017 at 1:45 AM, Hannes Tschofenig
<[email protected]<mailto:[email protected]>> wrote:
Hi all,
it was roughly a year ago when we issued a working group last call on
draft-ietf-oauth-discovery, see
https://www.ietf.org/mail-archive/web/oauth/current/msg15796.html. Lots
of feedback resulted in a significant restructuring of the document.
The authors of the draft now believe it is ready for a second WGLC and
hence we would like to start a 2-week review period.
Please provide your review comments no later than March 6th.
Here is the link to the document again:
https://tools.ietf.org/html/draft-ietf-oauth-discovery-05
Ciao
Hannes & Derek
_______________________________________________
OAuth mailing list
[email protected]<mailto:[email protected]>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
