Hi Adam, Thanks for taking the time to do a thorough read of the specification. Replies are inline prefixed by "Mike>". -----Original Message----- From: Adam Roach [mailto:a...@nostrum.com] Sent: Monday, January 22, 2018 6:42 PM To: The IESG <i...@ietf.org> Cc: draft-ietf-oauth-discov...@ietf.org; Hannes Tschofenig <hannes.tschofe...@gmx.net>; oauth-cha...@ietf.org; hannes.tschofe...@gmx.net; oauth@ietf.org Subject: Adam Roach's Discuss on draft-ietf-oauth-discovery-08: (with DISCUSS and COMMENT)
Adam Roach has entered the following ballot position for draft-ietf-oauth-discovery-08: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-oauth-discovery/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Thanks to everyone who worked on this specification. I think it's well-written, clear, and useful. I fully endorse publication, and intend to ballot "yes" once we come to an agreement on the issue I describe below. The problem I'm running into is the URL synthesis rules described in section 3.1 for multi-tenancy engage in exactly the kind of behavior that RFC 5785 was designed to head off: it creates URLs all over the path space of the authority, rather than coralling all synthesized URLs to live under only one top-level directory. One of the key aspects of the principles of the web architecture is URI opacity <https://www.w3.org/TR/webarch/#uri-opacity>, which generally precludes clients from synthesizing URLs. RFC 5785 was intended as a very limited carve-out to the principle of URI opacity, and was carefully limited to a single top-level path element. This specification oversteps that carve-out by exploding the location that "Well-Known" synthesized URLs can appear: it literally increases it from one location (the root) to infinite locations (at the end of any arbitrary path). Fortunately, this defect is trivial to fix. Rather than placing .well-known path components *after* the path identified by an issuer identifier, you place them *before* it, which amends this document's usage to be within the spirit intended by RFC 5785. For example, the example in section 3.1: GET /issuer1/.well-known/oauth-authorization-server HTTP/1.1 Host: example.com Would instead become: GET /.well-known/oauth-authorization-server/issuer1 HTTP/1.1 Host: example.com Mike> Interesting suggestion. I would agree with your suggestion if we were designing this from scratch. The problem is that this specification is based the much older and widely deployed specification "OpenID Connect Discovery 1.0" https://openid.net/specs/openid-connect-discovery-1_0.html, where these semantics are defined in the second paragraph of https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig. This OAuth spec removes the OpenID-specific parts of this discovery spec and keeps the rest, while remaining compatible with it by design. As discussed with Mark Nottingham during the IANA registration process for the .well-known URI (which he approved), this specification writes down what is already industry practice for publishing OAuth metadata - which subsets the OpenID Connect metadata to use only the OAuth-specific parts. The behavior of concatenating the .well-known suffix to the issuer path is hard-coded into at an absolute minimum, the eleven client libraries listed in the "RP Config" column of http://openid.net/certification/#RPs. In truth, it's hard-coded into essentially every OAuth client library that uses metadata to configure the OAuth client software and all the OAuth servers that support multiple tenants. These could number in the hundreds. An example showing a production deployment of the current method is https://login.microsoftonline.com/5608b4e0-e26d-4bd1-8a1a-d57d7ae2af8c/v2.0/.well-known/openid-configuration. There are many more. This spec is explicitly paving cowpaths. Yes, you suggest a better path that could have been taken. But (torturing the metaphor) it's not where the cows are. We owe it to the industry to codify the widespread and sufficiently-well-working existing practice. Thanks for your understanding of this. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Section 1.1: [this is an editorial suggestion that I leave to the editors' discretion] This document makes use of uncapitalized "must", "should", and "may" in places. Please consider using the RFC 8174 boilerplate instead of the RFC 2119 boilerplate. Mike> I'd be glad to update to the RFC 8174 boilerplate. Section 7.2: [this is an important procedural comment that really should be resolved prior to publication] The addition of restrictions to registries established by RFC 6749 would seem to require that this document formally include "Updates: RFC6749" in its metadata, as well as a mention of such an update in its Abstract and Introduction sections. Mike> I've actually worked with the IESG and IANA in the past to update the instructions for existing registries. https://tools.ietf.org/html/rfc7638#section-6 adds to the instructions to the Designated Experts for three existing registries. The way IANA did this was to add [RFC7638] to the References lists in the registries themselves. For instance, see that the instructions for the "JSON Web Key Types" registry at https://www.iana.org/assignments/jose/jose.xhtml#web-key-types has a References value of "[RFC7518][RFC7638]". RFC 7618 did not update RFC 7518 - only the registry established by it. I propose that we follow this precedent and do the same thing here. Thanks again, -- Mike _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
