+1
Inline discovery and pre-configured discovery (i.e., .well-known) should
at the very least be compatible and developed together. It's the
pre-configured discovery document that's at the root of the mix-up
attack in the first place.
-- Justin
On 1/19/2016 10:30 PM, Nat Sakimura wrote:
Just to give more context, at IETF 94, I have done a presentation on
discovery.
According to the minutes,
(f) Discovery (Nat)
Nat explains his document as an example of the work that has to be done
in the area of discovery, which is a topic that has been identified
as necessary for interoperability since many years but so far there
was not time to work on it. Mike, John and Nat are working on a new
document that describes additional discovery-relevant components.
Poll: 19 for / zero against / 4 persons need more information.
The document discussed there was
https://tools.ietf.org/html/draft-sakimura-oauth-meta-05. This is a
simple (only 1 page!) but very powerful document that nudges towards
HATEOAS, which is at the core of RESTful-ness. It also mitigates the
Mix-up attack without introducing the concept of issuer, which is not
in RFC6749. It is also good for selecting different endpoints
depending on the user authentication and authorization results, and
more privacy sensitive than a pre-announced Discovery document. It also
allows you to find which protected resource endpoint you can use
the access token against.
In the last sentence of the minutes, it talks about "a new document
that describes additional discovery-relevant components". This is
https://tools.ietf.org/html/draft-jones-oauth-discovery-00. It went
for the call for adoption. However, it is only half of the story. I
believe https://tools.ietf.org/html/draft-sakimura-oauth-meta-05, which
was discussed at IETF 94 and had support there, should be adopted as well.
Nat Sakimura
On Jan 20, 2016 (Wed) 12:05, Nat Sakimura <sakim...@gmail.com> wrote:
Thanks Hannes.
I did not find
https://tools.ietf.org/html/draft-sakimura-oauth-meta-05, which
was discussed in Yokohama, and was largely in agreement if my
recollection is correct. Why is it not in the call for adoption?
On Jan 19, 2016 (Tue) 20:39, Hannes Tschofenig <hannes.tschofe...@gmx.net> wrote:
Hi all,
we have submitted our new charter to the IESG (see
http://www.ietf.org/mail-archive/web/oauth/current/msg15379.html) and
since some IESG members like to see an updated list of milestones as
well. For this reason, based on a suggestion from Barry, we are also
starting a call for adoption concurrently with the review of the charter
text by the IESG.
We will post separate mails on the individual documents. Your feedback
is important! Please take the time to look at the documents and provide
your feedback.
Ciao
Hannes & Derek
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
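The consistency check Justin argues for above, as an added example that is not part of the thread or of either draft: a client binds each flow's `state` to the authorization server it started with (from pre-configured metadata) and rejects a callback whose inline-advertised token endpoint points elsewhere, which is the situation a mix-up attack produces. The inline metadata is passed here as a plain dict with a `token_endpoint` key; that shape is an assumption for illustration, not the format defined in draft-sakimura-oauth-meta.

```python
import secrets

# Constructed pre-configured discovery documents for two authorization servers.
# In a mix-up, the client starts a flow at one AS (here "evil") but the code it
# receives actually comes from another (here "good"), so the code would be sent
# to the wrong token endpoint unless the two discovery sources are reconciled.
PRECONFIGURED = {
    "https://as.good.example": {
        "authorization_endpoint": "https://as.good.example/authorize",
        "token_endpoint": "https://as.good.example/token",
    },
    "https://as.evil.example": {
        "authorization_endpoint": "https://as.evil.example/authorize",
        "token_endpoint": "https://as.evil.example/token",
    },
}


class Client:
    def __init__(self):
        self.pending = {}  # state -> issuer URL the flow was started with

    def start(self, issuer):
        """Begin a flow at `issuer`; returns (state, authorization_endpoint)."""
        state = secrets.token_urlsafe(16)
        self.pending[state] = issuer
        return state, PRECONFIGURED[issuer]["authorization_endpoint"]

    def handle_callback(self, state, inline_meta):
        """Validate a redirect back to the client.

        `inline_meta` is the metadata the AS advertised inline with the code
        (hypothetical dict shape). Returns the token endpoint the code may be
        sent to, or raises ValueError if the inline and pre-configured views
        of the AS disagree.
        """
        issuer = self.pending.pop(state, None)  # single use: no replay
        if issuer is None:
            raise ValueError("unknown or already used state")
        expected = PRECONFIGURED[issuer]["token_endpoint"]
        advertised = inline_meta.get("token_endpoint")
        if advertised != expected:
            raise ValueError(
                f"inline token endpoint {advertised!r} does not match "
                f"pre-configured {expected!r} for {issuer}"
            )
        return expected
```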