Hi Mike! Thank you, it looks good to me. I have updated my ballot to reflect 
that.

Francesca

On 08/04/2021, 23:20, "Mike Jones" <michael.jo...@microsoft.com> wrote:

    https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-34 incorporates the 
fixes you suggested.

                                Thanks again,
                                -- Mike

    -----Original Message-----
    From: Mike Jones 
    Sent: Thursday, April 8, 2021 6:49 AM
    To: Francesca Palombini <francesca.palomb...@ericsson.com>; i...@ietf.org
    Cc: draft-ietf-oauth-jws...@ietf.org; oauth-cha...@ietf.org; 
oauth@ietf.org; hannes.tschofe...@gmx.net
    Subject: RE: Francesca Palombini's No Objection on 
draft-ietf-oauth-jwsreq-32: (with COMMENT)

    Thanks for sweating the details, Francesca.  I'll plan to publish an 
updated draft after the telechat making the error handling for the case when 
the key isn't associated with the client clearer.

                                Thanks again,
                                -- Mike

    -----Original Message-----
    From: Francesca Palombini <francesca.palomb...@ericsson.com> 
    Sent: Thursday, April 8, 2021 2:47 AM
    To: Mike Jones <michael.jo...@microsoft.com>; i...@ietf.org
    Cc: draft-ietf-oauth-jws...@ietf.org; oauth-cha...@ietf.org; 
oauth@ietf.org; hannes.tschofe...@gmx.net
    Subject: Re: Francesca Palombini's No Objection on 
draft-ietf-oauth-jwsreq-32: (with COMMENT)

    Hi Mike!

    Thanks for the quick reply. It looks good to me, just one answer to point 
4. :

        4. -----

           specified in the "alg" Header Parameter.  If a "kid" Header Parameter
           is present, the key identified MUST be the key used, and MUST be a
           key associated with the client.  Algorithm verification MUST be

        ...

           same parameter is provided in the query parameter.  The Client ID
           values in the "client_id" request parameter and in the Request Object
           "client_id" claim MUST be identical.  The Authorization Server then

        FP: "MUST be a key associated with the client" - what if it is not? 
does the AS return an error to the client then? Same comment "... MUST be 
identical" - is any error returned if it's not?

        Mike> I believe that the responses to these validation errors are 
already described in the following paragraph, which says "If signature 
validation fails, the Authorization Server MUST return an 
'invalid_request_object' error to the client in response to the authorization 
request."

    FP: As I read it, the first paragraph says: 

       The Authorization Server MUST validate the signature of the JSON Web
       Signature [RFC7515] signed Request Object.  If a "kid" Header

    Then follows up with a number of other checks that need to be done (the 
text I quoted in my original comment). And then ends with the sentence you 
quoted:

       If signature validation fails, the Authorization Server MUST return
       an "invalid_request_object" error to the client in response to the
       authorization request.

    Same for the second - the text I reported is followed by:

      The Authorization Server then
       validates the request as specified in OAuth 2.0 [RFC6749].

    And then again from the text you quoted:

       If the validation fails, then the Authorization Server MUST return an
       error to the client in response to the authorization request, as
       specified in Section 5.2 of OAuth 2.0 [RFC6749].

    So while reading I considered that the validation (either of the signature 
for par 1 or of the request for par 2) is separate from the additional checks. 
The intent of it could be made clear by a minor addition in each par:

    1st paragraph:

    OLD:

       If signature validation fails, the Authorization Server MUST return
       an "invalid_request_object" error to the client in response to the
       authorization request.

    NEW:

       If signature validation fials, or if the key identified is not 
associated with the client, the Authorization Server MUST return
       an "invalid_request_object" error to the client in response to the
       authorization request.

    2nd paragraph:

    OLD:

       If the validation fails, then the Authorization Server MUST return an
       error to the client in response to the authorization request, as
       specified in Section 5.2 of OAuth 2.0 [RFC6749].

    NEW:

       If the validation of the request or the Client ID check fails, then the 
Authorization Server MUST return an
       error to the client in response to the authorization request, as
       specified in Section 5.2 of OAuth 2.0 [RFC6749].


    I think this would clarify the text, but I'll leave it up to you to decide 
if it's worth adding.
    Thanks,
    Francesca

    On 08/04/2021, 06:45, "Mike Jones" <michael.jo...@microsoft.com> wrote:

        Thanks for your review, Francesca.  We've published 
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-33 to address your and 
other IESG comments.

        Responses are inline below, prefixed by "Mike>".

        -----Original Message-----
        From: Francesca Palombini via Datatracker <nore...@ietf.org> 
        Sent: Wednesday, April 7, 2021 3:29 AM
        To: The IESG <i...@ietf.org>
        Cc: draft-ietf-oauth-jws...@ietf.org; oauth-cha...@ietf.org; 
oauth@ietf.org; hannes.tschofe...@gmx.net
        Subject: Francesca Palombini's No Objection on 
draft-ietf-oauth-jwsreq-32: (with COMMENT)

        Francesca Palombini has entered the following ballot position for
        draft-ietf-oauth-jwsreq-32: No Objection

        When responding, please keep the subject line intact and reply to all 
email addresses included in the To and CC lines. (Feel free to cut this 
introductory paragraph, however.)


        Please refer to 
https://www.ietf.org/iesg/statement/discuss-criteria.html
        for more information about IESG DISCUSS and COMMENT positions.


        The document, along with other ballot positions, can be found here:
        https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/



        ----------------------------------------------------------------------
        COMMENT:
        ----------------------------------------------------------------------

        Thank you for the work on this document. I only have minor comments, 
the most interesting is probably 4. about if additional failure behavior should 
be defined at the AS.

        Francesca

        1. -----

           A Request Object (Section 2.1) has the "mime-type" "application/

        FP: Please use "media type" instead of "mime-type" and reference
        https://tools.ietf.org/html/rfc6838

        Mike> Thanks, updated, although referencing RFC 2046 for the term 
"media type" (which is not superseded by RFC 6838).

        2. -----

           The following is an example of the Claims in a Request Object before
           base64url encoding and signing.  Note that it includes the extension

        FP: This example is the first time "base64url" appears in the document. 
I think it would make sense to mention that base64url is used when JWT is 
introduced, for example in the first paragraph of section 4.

        Mike> Reference added.

        3. -----

           If decryption fails, the Authorization Server MUST return an
           "invalid_request_object" error.

        ...

           If signature validation fails, the Authorization Server MUST return
           an "invalid_request_object" error.

        ...

           If the validation fails, then the Authorization Server MUST return an
           error as specified in OAuth 2.0 [RFC6749].

        FP: very minor, but I suggests you add "to the client, in response to 
the request defined in 5.2.2. of this specification". The reason is that the 
doc specifies that the AS might be having other exchanges (to fetch the Request
        Object) at the same time, and it can't hurt to be precise. Also 
regarding the reference to RFC 6749 - can you add a specific section to 
reference?

        Mike> Done

        4. -----

           specified in the "alg" Header Parameter.  If a "kid" Header Parameter
           is present, the key identified MUST be the key used, and MUST be a
           key associated with the client.  Algorithm verification MUST be

        ...

           same parameter is provided in the query parameter.  The Client ID
           values in the "client_id" request parameter and in the Request Object
           "client_id" claim MUST be identical.  The Authorization Server then

        FP: "MUST be a key associated with the client" - what if it is not? 
does the AS return an error to the client then? Same comment "... MUST be 
identical" - is any error returned if it's not?

        Mike> I believe that the responses to these validation errors are 
already described in the following paragraph, which says "If signature 
validation fails, the Authorization Server MUST return an 
'invalid_request_object' error to the client in response to the authorization 
request."

        5. -----

           location, (b) check the content type of the response is "application/

        FP: For consistency, please change "content type" to "media type".

        Mike> Done

                                        Thanks again,
                                        -- Mike




_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to