I doubt that the ToS and Privacy Policy will be different for a given Trust Framework provider, as these are all bilateral agreements, I do expect these to be different between trust framework providers though
-----Original Message----- From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Nat Sakimura Sent: Tuesday, February 12, 2013 12:27 PM To: Justin Richer Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] Registration: HAL _links structure and client self-URL Let me explain a bit more. A trust framework may supply several ToS and Privacy Policy options much like CC licenses. If we want to really automate the things, you really need it. Otherwise, the service's owner need to go read the ToS and Privacy Policy in person and makes the dynamic registration not so dynamic. Those option should be available through Discovery. In Discovery, the server may provide multiple options, out of which the client picks one. Think of something like Basic and Premium service. In the Registration response, then, should be the one that was picked by the client / assigned by the server. (The notion is closely related to the implicit consent model for the end users, which is in active discussion in bunch of places, by the way.) Nat 2013/2/13 Justin Richer <jric...@mitre.org>: > I agree with the previous statement that the AS's privacy/TOS would be > better handled through discovery, since it's not likely to change per > client instance. > > -- Justin > > > On 02/12/2013 03:04 PM, John Bradley wrote: >> >> There are two TOS and privacy policies. >> >> One for the AS that the client is agreeing to by registering. Will >> it hold up in court? don't know Facebook is doing this. >> The link would be a reference to a human readable file that the >> client >> (RP) can have someone look over before using the connection. >> This policy may relate to how long the client can cache info etc. >> >> The other is the privacy policy of the client that may be presented >> as a click through from the Authorization server. In general the >> user is not explicitly accepting this, only implicitly accepting it >> by continuing to the RP after having been given a chance to look at it if >> they want. >> >> These are very US fuse on privacy but ignoring them is probably a mistake. >> >> John B. >> On 2013-02-12, at 4:56 PM, Justin Richer <jric...@mitre.org> wrote: >> >>> One question though: How exactly would the client, a software >>> application, agree to the TOS? Is it supposed to fetch the content >>> of the tos_url and do some processing on it? I wasn't under the >>> impression that the tos_url contents were machine readable. Is it >>> supposed to present that to the user somehow? It seems that's a >>> better thing for the server to do at Authorization time, since it's got the >>> user's attention. >>> >>> Remember, this is meant to be for *automated* registration. The >>> developer of the Client has no say at this stage of the game. >>> >>> So, I think this is a bit of a red herring, to be honest. >>> >>> -- Justin >>> >>> On 02/12/2013 02:52 PM, John Bradley wrote: >>>> >>>> The current privacy policy and TOS URL in registration are the ones >>>> for the Client. >>>> >>>> Nat and I discussed adding ones for the Authorization server that >>>> the client agrees to as separate from ones that the user is agreeing to. >>>> >>>> The Authorization servers TOS would be in discovery and perhaps in >>>> the registration response to indicate what the client is agreeing to. >>>> >>>> As there rare standard relationships that cover this links Nat was >>>> speculating that they could be part of the _links object. >>>> >>>> That aside confirming the terms of service that the client has >>>> agreed to in some way is probably a good thing in the registration >>>> response. >>>> >>>> John B. >>>> >>>> On 2013-02-12, at 4:25 PM, Mike Jones <michael.jo...@microsoft.com> >>>> wrote: >>>> >>>>> Part of the REST/JSON philosophy is that interfaces should be as >>>>> simple and developer-friendly as possible. XML was rejected by >>>>> developers, in part, because of the self-describing nature of the >>>>> structure, which required extra syntax that was often not useful >>>>> in practice. Trying to re-impose that structure using extra JSON >>>>> syntax conventions is just asking developers to have an allergic >>>>> reaction to our specs upon encountering them. The syntactic >>>>> complexity and *surprise factor* isn't worth the limited semantic >>>>> benefits of using "_links". >>>>> >>>>> Since you bring up privacy policy and terms of service, I'll note >>>>> that the OAuth Dynamic Registration spec already has these fields >>>>> to address >>>>> those: >>>>> policy_url >>>>> tos_url >>>>> >>>>> Those have been working fine for OpenID Connect too. There's no >>>>> need to likewise convolve them to add the extra syntax that you describe >>>>> below. >>>>> >>>>> (BTW, in a private thread, John Bradley pointed out that what the >>>>> two of you talked about in person was actually the possibility of >>>>> adding privacy policy and terms of service declarations at >>>>> *discovery time*, rather than registration time. That's a >>>>> different topic, which we should discuss separately, if you want >>>>> to pursue that.) >>>>> >>>>> Best wishes, >>>>> -- Mike >>>>> >>>>> -----Original Message----- >>>>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On >>>>> Behalf Of Nat Sakimura >>>>> Sent: Tuesday, February 12, 2013 9:11 AM >>>>> To: Justin Richer; oauth@ietf.org >>>>> Subject: Re: [OAUTH-WG] Registration: HAL _links structure and >>>>> client self-URL >>>>> >>>>> Actually, if it is to return it in the HTTP header, then it should >>>>> also use the RFC5988 Web Linking format. >>>>> Now, that is nice to have, but for many JSON programmers, I agree >>>>> that it would be a hassle to obtain the header and store them in >>>>> addition to the JSON. So, it is nicer to have it in JSON body. >>>>> >>>>> Re: Is "_links.self.href" grossly complex over >>>>> "registration_access_url"? >>>>> >>>>> I do not think so. Accessing a flat top level parameter such as >>>>> registration_access_url and _links.self.href does not make any >>>>> difference from a client programmers point of view. That's a >>>>> beauty of JSON. Both can be treated as a parameter name. Doing a >>>>> group operation on the links makes difference though: the >>>>> structured one is easier since you can just operate on _links >>>>> while in case of the top level parameters, you have to have an >>>>> explicit list of them and do the matches. (See below for the necessity >>>>> for the grouping). >>>>> >>>>> I and John discussed this for at least half an hour F2F last week, >>>>> both technically and from operation/legal point of view, for >>>>> OpenID Connect Registration. >>>>> Similar points could be made to OAuth dyn reg. >>>>> >>>>> Here is what we have discussed: >>>>> >>>>> When dynamically registering the client to the server, the server >>>>> probably needs to return the following: >>>>> >>>>> * terms-of-service (terms of service of the server to the client) >>>>> * privacy-policy (privacy policy of the server to the client) >>>>> >>>>> Both are defined in RFC5988/IANA Link Relations registry. >>>>> >>>>> >>>>> They should be returned together with >>>>> >>>>> * self.href >>>>> >>>>> which is also defined in RFC5988/IANA Link Relations registry. >>>>> >>>>> There are several ways to do it. >>>>> >>>>> * Return these using RFC5988 (HTTP Header) >>>>> * Return these in entity body >>>>> * Use HAL (or OAuth-meta)/JSON Schema >>>>> * Use something else (e.g., a top level items) >>>>> >>>>> Returning it in the entity body has several advantage over HTTP header: >>>>> >>>>> * They can be captured in one call; >>>>> * They are protocol agnostic; >>>>> >>>>> We determined that these advantages outweighs the disadvantage of >>>>> creating a new standard. >>>>> >>>>> The question becomes then whether to: >>>>> >>>>> * Use HAL (or OAuth-meta)/JSON Schema >>>>> * Use something else (e.g., a top level items) >>>>> >>>>> First, we have to consider what needs to be returned in the >>>>> link/relationship category. If it were just _links.self.href, then >>>>> grouping probably does not make sense. However, since we have >>>>> terms-of-service and privacy-policy as well already, it may well make >>>>> sense. >>>>> >>>>> Moreover, when we think of a multi-tenant authorization server >>>>> that may want to use different OAuth authz and token endpoints for >>>>> different tennants, it would be better to be able to return those >>>>> in the registration response. Then, it would make sense to >>>>> register OAuth authz and token endpoints as rel type in the IANA >>>>> registry (like Bill Mills is trying to >>>>> do) and use them in a uniform manner. Note: these per tenant >>>>> endpoints may support different scopes etc. as well. Then, these >>>>> has to be coupled with the URIs. That is why all of >>>>> RFC5988/HAL/JSON Schema uses href instead of just having the URL >>>>> as the value of the parameter. The semantic relationship would >>>>> often have an associated URI, and other parameters that goes with it. >>>>> >>>>> e.g.: >>>>> >>>>> { >>>>> "_links": { >>>>> "terms-of-service": { >>>>> "href": "https: //server.example.com/tos" >>>>> }, >>>>> "privacy-policy": { >>>>> "href": "https: //server.example.com/pp" >>>>> }, >>>>> "self": { >>>>> "href": "https: //server.example.com/clients/1234", >>>>> "authorize": "Bearer" >>>>> }, >>>>> "oauth_authz": { >>>>> "href": "https: //server.example.com/authz", >>>>> "scopes": "openid profile email", >>>>> "response_types": [ >>>>> "token id_token", >>>>> "code id_token", >>>>> "token", >>>>> "code" >>>>> ] >>>>> }, >>>>> "oauth_token": { >>>>> "href": "https: //server.example.com/token", >>>>> "authorize": "Basic" >>>>> } >>>>> } >>>>> } >>>>> >>>>> In short, there are bunch of link relations that needs to be >>>>> returned with additional parameters. >>>>> Grouping them seems to make sense. >>>>> >>>>> Considering all these, John and I came to the conclusion that the >>>>> HAL type syntax would probably make more sense. >>>>> (Note: JSON Schema syntax does not make the parameter access as >>>>> easy as >>>>> HAL.) >>>>> >>>>> In fact, Mike Kelly (the author of HAL) and I have just submit a >>>>> new version of draft-sakimura-oauth-meta >>>>> >>>>> http://tools.ietf.org/html/draft-sakimura-oauth-meta-02 >>>>> >>>>> The proposal was discussed at IETF 85 OAuth WG and the chairs >>>>> asked to submit the draft. >>>>> The -00 appeared in December, and this -02 has some simplification >>>>> and the addition of the "operations" inspired by >>>>> https://tools.ietf.org/html/draft-ietf-scim-api-00#section-3.5 . >>>>> It is arguably a subset of HAL plus some OAuth specifics. >>>>> I have not added Discovery response example, but adding them would >>>>> makes even more sense, I think. >>>>> >>>>> Cheers, >>>>> >>>>> Nat >>>>> >>>>> >>>>> 2013/2/13 Justin Richer <jric...@mitre.org> >>>>>> >>>>>> Agreed - I didn't think that header-only was the proposal, but >>>>>> let's be explicit about the returned body always containing the >>>>>> URL. The way I read the 201 definition, it suggests (SHOULD) that >>>>>> you use the location header, but also says that the entity should >>>>>> refer to the new resource. It was my assumption that the returned >>>>>> JSON would still have some form of client-entity management URL >>>>>> (whether it's the HAL _links structure or registration_management_url or >>>>>> something else is still up for debate). >>>>>> >>>>>> -- Justin >>>>>> >>>>>> >>>>>> >>>>>> On 02/12/2013 10:28 AM, John Bradley wrote: >>>>>> >>>>>> Returning a location header in the 201 ids fine as long as we >>>>>> also have the same info as a claim. >>>>>> >>>>>> I think most clients will want to process the JSON and store all >>>>>> the parameters together. Making them fish out a header makes the >>>>>> W3C happy and is the correct thing to do but taking it from a >>>>>> claim is what developers are more comfortable with. >>>>>> >>>>>> John B. >>>>>> >>>>>> On 2013-02-12, at 11:25 AM, Justin Richer <jric...@mitre.org> wrote: >>>>>> >>>>>> I'd be fine with the return from a creation request being a 201 >>>>>> instead of a 200. >>>>>> >>>>>> -- Justin >>>>>> >>>>>> On 02/11/2013 06:33 PM, Richard Harrington wrote: >>>>>> >>>>>> Since the request is an HTTP POST and a resource is created >>>>>> (http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.5) >>>>>> the response should be an HTTP 201 Created >>>>>> (http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.2.2 >>>>>> ) which is supposed to include the location of the newly created >>>>>> resource. >>>>>> >>>>>> This is a good pattern to follow since, as you say, it does >>>>>> provide flexibility. >>>>>> >>>>>> >>>>>> >>>>>> On Feb 11, 2013, at 1:14 PM, Justin Richer <jric...@mitre.org> wrote: >>>>>> >>>>>> Draft -05 of OAuth Dynamic Client Registration [1] returns a URL >>>>>> pointer for the client to perform update and secret rotation >>>>>> actions. This functionality arose from discussions on the list >>>>>> about moving towards a more RESTful pattern, and Nat Sakimura >>>>>> proposed this approach in the OpenID Connect Working Group. This >>>>>> URL may be distinct from the Client Registration Endpoint URL, >>>>>> but draft -05 makes no promises as to its content, form, or structure, >>>>>> though it does contain implementor's notes on possible methods. >>>>>> >>>>>> Two questions arise from this change: >>>>>> - The semantics of returning the client manipulation URL >>>>>> - The syntax (derived from HAL for JSON [2], an individual I-D >>>>>> submission) >>>>>> >>>>>> On semantics: >>>>>> >>>>>> Pro: >>>>>> - The server has flexibility on how to define the "update" >>>>>> endpoint, sending all clients to one URL, sending different >>>>>> clients to different URLs, or sending clients to a URL with a >>>>>> baked-in query parameter >>>>>> - The client can take the URL as-is and use it for all management >>>>>> operations (ie, it doesn't have to generate or compose the URL >>>>>> based on component parts) >>>>>> >>>>>> Con: >>>>>> - The client must remember one more piece of information from the >>>>>> server at runtime if it wants to do manipulation and management >>>>>> of itself at the server (in addition to client_id, client_secret, >>>>>> registration_access_token, and others) >>>>>> >>>>>> Alternatives include specifying a URL pattern for the server to >>>>>> use and all clients to follow, specifying a query parameter for >>>>>> the update action, and specifying a separate endpoint entirely >>>>>> and using the presence of items such as client_id and the >>>>>> registration access token to differentiate the requests. Note >>>>>> that *all* of these alternatives can be accommodated using the >>>>>> semantics described above, with the same actions on the client's part. >>>>>> >>>>>> >>>>>> On syntax: >>>>>> >>>>>> Pro: >>>>>> - Follows the designs of RFC5988 for link relations >>>>>> - The HAL format is general, and allows for all kinds of other >>>>>> information to be placed inside the _links structure >>>>>> - Allows for full use of the JSON object to specify advanced >>>>>> operations on the returned endpoint if desired >>>>>> >>>>>> Con: >>>>>> - The rest of OAuth doesn't follow link relation guidelines >>>>>> (though it's been brought up) >>>>>> - The HAL format is general, and allows for all kinds of other >>>>>> information to be placed inside the _links structure >>>>>> - The HAL-JSON document is an expired individual I-D, and it's >>>>>> unclear what wider adoption looks like right now >>>>>> >>>>>> Alternatives include returning the URL as a separate data member >>>>>> (registration_update_url), using HTTP headers, or using JSON Schema. >>>>>> >>>>>> -- Justin >>>>>> >>>>>> >>>>>> >>>>>> [1] http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-05 >>>>>> [2] http://tools.ietf.org/html/draft-kelly-json-hal-03 >>>>>> _______________________________________________ >>>>>> OAuth mailing list >>>>>> OAuth@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> OAuth mailing list >>>>>> OAuth@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> OAuth mailing list >>>>>> OAuth@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>>> >>>>> >>>>> -- >>>>> Nat Sakimura (=nat) >>>>> Chairman, OpenID Foundation >>>>> http://nat.sakimura.org/ >>>>> @_nat_en >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth > > -- Nat Sakimura (=nat) Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
