[Openid-specs-mobile-profile] [Async JWT Profile] draft-oauth-versatile-jwt-profile-03

nicolas.aillery at orange.com nicolas.aillery at orange.com
Tue Apr 4 08:30:10 UTC 2017


Hello James,

   Thanks for the reviews!
   Here are my comments inline, and a draft v3,

Regards,

Nicolas

De : Manger, James [mailto:James.H.Manger at team.telstra.com]
Envoyé : samedi 1 avril 2017 10:10
À : AILLERY Nicolas IMT/OLPS
Cc : openid-specs-mobile-profile at lists.openid.net<mailto:openid-specs-mobile-profile at lists.openid.net>; MARAIS Charles IMT/OLPS; CLEMENT Philippe IMT TECHNO; MARIOTTE Hubert IMT/OLN
Objet : RE: [Async JWT Profile] draft-oauth-versatile-jwt-profile-02

Looks good.

Instead of §3 for both poll & push initial requests (even though they use different grant_types and different parameters), then separate sections §4 & §5 the rest of those flows, why not have 3 sections for the 3 grant_types?
[Nicolas] Ok, modified

You don't need to repeat the IANA registrations that draft-ietf-oauth-device-flow makes.
[Nicolas] Ok, done

There is one "...:push" in 4.2.2 that should be "...:push_mode"
[Nicolas] Ok, corrected

Saying "The "xx" attribute contains the "xx" value" feels unnecessary.
[Nicolas] Ok, done

I wasn't making any suggestion with comment #1 below. I was just reflecting on the design.
[Nicolas] OK

--
James Manger

From: nicolas.aillery at orange.com<mailto:nicolas.aillery at orange.com> [mailto:nicolas.aillery at orange.com]
Sent: Saturday, 1 April 2017 2:12 AM
To: Manger, James <James.H.Manger at team.telstra.com<mailto:James.H.Manger at team.telstra.com>>
Cc: openid-specs-mobile-profile at lists.openid.net<mailto:openid-specs-mobile-profile at lists.openid.net>; MARAIS Charles IMT/OLPS <charles.marais at orange.com<mailto:charles.marais at orange.com>>; CLEMENT Philippe IMT TECHNO <philippe.clement at orange.com<mailto:philippe.clement at orange.com>>; MARIOTTE Hubert IMT/OLN <hubert.mariotte at orange.com<mailto:hubert.mariotte at orange.com>>
Subject: [Async JWT Profile] draft-oauth-versatile-jwt-profile-02

Hi James,

   Here are my comments inline, and a draft v2,

Regards,

Nicolas

De : Manger, James [mailto:James.H.Manger at team.telstra.com]
Envoyé : jeudi 30 mars 2017 01:29
À : AILLERY Nicolas IMT/OLPS
Cc : openid-specs-mobile-profile at lists.openid.net<mailto:openid-specs-mobile-profile at lists.openid.net>; MARAIS Charles IMT/OLPS; CLEMENT Philippe IMT TECHNO; MARIOTTE Hubert IMT/OLN
Objet : RE: [Openid-specs-mobile-profile] [Async JWT Profile] draft-oauth-versatile-jwt-profile-01

[James] comments inline

From: nicolas.aillery at orange.com<mailto:nicolas.aillery at orange.com> [mailto:nicolas.aillery at orange.com]
Sent: Thursday, 30 March 2017 12:47 AM
Hi James,

  Thanks for the review.

   Here are my comments:


1.       This doesn't define general async capabilities for the /token endpoint. It defines async for the one specific case of swapping a JWT for an access token.

--[Nicolas]-- The goal of this spec is to propose an async extension to the JWT Bearer grant type defined in RFC7523. This will cover the GSMA needs. We could also define a generic way to offer async capabilities to /token, extending the RFC6749 (OAuth 2.0). This would entail 3 specifications: "Async /token", then "Async JWT profile" (the current draft), then "server-to-server Connect profile". I'd like the advice of the working group on these approaches. On my side, both are Ok.

[James] I guess draft-ietf-oauth-device-flow also uses grant_type to indicate async behaviour.
[Nicolas] Agreed, but I don't understand what you'd suggest. Merging specs? Reusing grant_types? Renaming the profile?


2.       Separate grant_type values indicating poll & push support would be better than one ...jwt-bearer:versatile value. The client needs to know the difference to know whether or not to include a client_notification_token (and whether or not it needs to be listening for notifications). The AS needs to know the difference to respond correctly. Separate values allow the AS to indicate support for poll, push, both, or neither by listing 0, 1 or both separate values in grant_types_supported in its metadata.

--[Nicolas]-- OK to support 3 grant-types: 'push' and 'poll' in the first request then 'polling' in the polling request. I think the grant_type 'both' is not necessary. I'll update the draft.



[James] That is exactly what I meant.

[Nicolas] OK





3.       A POSTed notification doesn't have an HTTP status code to distinguish success and error; both are JSON objects. The spec should explicitly state that the absence or presence of an "error" member in the JSON object distinguishes these cases.

[Nicolas]-- Neither CIBA nor UserQuestioning have a status code in notifications. In UQ, it was present in the first drafts and removed on working group's request. I suggest to use no 'status', except if the working group changes its mind.



[James] I wasn't asking for a 'status' member. But for one clear rule in the doc that all clients will use to determines whether the POSTed JSON object is an error or success. The examples in 5.1 & 5.2 could be distinguished by looking for any of 'access_token', 'token_type', 'refresh_token', 'expires_in', 'error', or 'error_description'. Let's make 1 rule: if the JSON object has an 'error' member it's an error, otherwise it is a successful token response. That implies a successful response MUST never include an 'error' member.

[Nicolas] Ok. Done.



4.       The properties required for a transaction_id are not clear, and I suspect they are quite different for the poll & push cases. Can it be a counter (1,2,3,...)? Can it repeat after the "expires_in" time? In the polling case, transaction_id acts as a bearer token; it would be better renamed poll_token. In the push case, it can probably be ignored as the client can use client_notification_token to link request & notification.

--[Nicolas]-- A counter could be OK, but as Client authentication is optional in RFC7523, it's better to have a random transaction_id with good entropy and no repeatition. I'll update the draft to mention it. As the client_notification_token is chosen by the Client, it's good to keep the transaction_id so that there can be entropy in the notification even when the Client enforces low security in its client_notification_token.



[James] Does any client auth on the first call to /token need to be repeated for each subsequent /token polling request? Or is transaction_id (maybe renamed poll_token) sufficient for those?

[Nicolas] If used, the Client authentication must be repeated. Spec updated.



5.       Is it okay for a client to always use the same client_notification_token with a given AS (basically treat it as the AS's password)? Probably yes, just not recommended due to revocation implications.

--[Nicolas]-- It's Ok but not recommended for a Client to reuse the client_notification_token. Can you detail what you mean by "revocation implications", not sure to understand?



[James] Ignore the "revocation" bit, I just meant that if you reuse the same value you need a process to change it if it is ever compromised.

[Nicolas] Added that client_notification_token should not be reused.



6.       Need IANA registrations for client_notification_token, transaction_id (or whatever it is renamed to), authorization_pending, slow_down, and the other error codes if existing ones cannot be reused

--[Nicolas]-- Ok for "client_notification_token", "transaction_id" and the "invalid_transaction_id" error. Other errors come from "draft-ietf-oauth-device-flow-05", shall we refer to this draft?

[James] I forgot about draft-ietf-oauth-device-flow. I guess you don't really need to refer to that spec as its error codes will make it to the IANA registry.
[Nicolas] I let a reference to draft-ietf-oauth-device-flow. I'll change it as soon as the device flow becomes a RFC.




_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20170404/52d42ef7/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: draft-oauth-versatile-jwt-profile-03.txt.pdf
Type: application/pdf
Size: 25418 bytes
Desc: draft-oauth-versatile-jwt-profile-03.txt.pdf
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20170404/52d42ef7/attachment-0001.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: draft-oauth-versatile-jwt-profile-03.xml
Type: application/xml
Size: 40719 bytes
Desc: draft-oauth-versatile-jwt-profile-03.xml
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20170404/52d42ef7/attachment-0001.xml>


More information about the Openid-specs-mobile-profile mailing list