Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
draft-ietf-oauth-assertions-18
Discuss
Yes
(Stephen Farrell)
No Objection
(Adrian Farrel)
(Benoît Claise)
(Brian Haberman)
(Gonzalo Camarillo)
(Martin Stiemerling)
(Ralph Droms)
(Robert Sparks)
(Ron Bonica)
(Russ Housley)
(Stewart Bryant)
(Wesley Eddy)
Note: This ballot was opened for revision 09 and is now closed.
Barry Leiba Former IESG member
Discuss
Discuss
[Treat as non-blocking comment]
(2013-02-02 for -10)
Unknown
I very much approve of the assertions set going ahead. I have a number of things I'd like to DISCUSS on this first: Point 1: -- Section 1.1 -- However, even when profiled for specific assertion types, additional profiling for specific use cases will be required to achieve full interoperability. In other words, even the SAML and JWT profiles aren't sufficient? Or do those documents do this sort of use-case profiling, resulting in something that can actually work? Or is Section 6 sufficient? If they do, or it is, then saying that here will help. (As a side note, I would really have preferred seeing at least the SAML draft in for IESG Eval at the same time as this doc.) If they don't, then I'm dismayed. OAuth already requires out-of-band agreement on what sort of token one is going to get. This framework additionally requires out-of-band agreement on assertion type. If even those assertion types that are defined *further* require o-o-b agreement on the semantics of the fields they use, it seems that we're adding to the mess and not building broad interoperability. Point 2: Related to point 1, would it not be good to explicitly define an "assertion type unsupported" error response (or two: "grant type unsupported" and "client assertion type unsupported"), so a server can be explicit in saying that that is why this request can't be processed? If not, why not? Point 3: Might it be a good idea, concomitant with the suggested URNs in Sections 4.1 an 4.2, to reserve the namespaces "urn:ietf:params:oauth:grant-type:" and "urn:ietf:params:oauth:client-assertion-type:" here, so they won't be used for anything else? If not, why not? Point 4: -- Section 5.2 -- I'm looking at the "SHOULD be the client_id"s in the first two bullets, and remembering the definition of "SHOULD" in RFC 2119 -- it says that not following a SHOULD requires full understanding of the implications and careful weighing. I see nothing here that gives me a clue how to evaluate the implications. *Why* SHOULD these be the client_id, and what will happen if they're not? (This also applies to some of the bullets in Sections 6.x.) Point 5: -- Section 5.2 -- o The assertion MAY contain an Assertion ID. An Authorization Server MAY dictate that Assertion ID is mandatory. How can a client know that an Authorization Server so dictates? Point 6: -- Section 6.1 -- When a client uses an assertion for authentication, it SHOULD do so according to Section 4.2. I'm confused: I thought 4.2 normatively described the protocol. What's that SHOULD here? (Same question applies to the intros to the other Sections 6.x.)
Sean Turner Former IESG member
Discuss
Discuss
[Treat as non-blocking comment]
(2013-02-07 for -10)
Unknown
1) RFC6749 includes an incomplete list of components that are partially or fully undefined in its "Interoperability" section. A similar section should be added to this document and I hope it can be a bit more specific. This section would gather all the out of scope or defined in the next specification items. The purpose being to aid implementers in following the bread crumbs leading towards interop. 2) Another point on verification: The only way for the RP to verify the "signature" is it to have the "signers" key. Since, this is mostly about keyed MACs you can't just send that key with the "signed" assertion. My point is, the key distribution is one more thing that's out of scope.
Stephen Farrell Former IESG member
Yes
Yes
(for -09)
Unknown
Adrian Farrel Former IESG member
No Objection
No Objection
(for -10)
Unknown
Benoît Claise Former IESG member
No Objection
No Objection
(for -10)
Unknown
Brian Haberman Former IESG member
No Objection
No Objection
(for -10)
Unknown
Gonzalo Camarillo Former IESG member
No Objection
No Objection
(for -10)
Unknown
Martin Stiemerling Former IESG member
No Objection
No Objection
(for -10)
Unknown
Pete Resnick Former IESG member
No Objection
No Objection
(2013-02-06 for -10)
Unknown
4.2:
When present, the "client_id" MUST
identify the client to the authorization server.
I don't understand what this is saying. How is the entity that is creating the assertion able to be sure that the client_id identifies the client to the authorization server? Is there some verification that must be done? If it doesn't identify the client, isn't the server simply going to send back and invalid_client error? What does this requirement mean?
5.1: Why aren't Issued At and Expires At REQUIRED to be at UTC?
5.2:
The Authorization
Server MUST verify that it is an intended audience for the
assertion.
This is written strangely. Don't you instead mean, "The Authorization Server MUST reject [with such-and-so error] an Audience value that it does not belong to" or something to that effect? Assuming that's right, is it completely out of band how the server determines that?
The
authorization server MUST verify that the expiration time has not
passed, subject to allowable clock skew between systems.
As above, don't you really mean that the the server MUST reject things that have expired?
The
authorization server SHOULD reject assertions with an Expires At
attribute value that is unreasonably far in the future.
Given that "unreasonably far in the future" is clearly a judgment call on the part of the server, the SHOULD requirement seems weird. Shouldn't that be: "The authorization server MAY reject assertions with an Expires At attribute value that the server considers unreasonably far in the future."?
The Authorization Server MUST validate the assertion's signature
to verify the Issuer of the assertion.
As above, I think you mean "Server MUST reject assertions which do not validate".
Strictly editorial: I liked the format of 4.1 and 4.2 better than 5.2. Instead of embedding "MUST contain" or "MAY contain", I prefer the format of:
Issuer REQUIRED. Blah blah.
Subject RECOMMENDED. Blah blah.
Issued At OPTIONAL. Blah Blah.
6.1: This is not clarifying; it appears to be completely redundant. If it is *not* redundant, you need to pull those things out and highlight them. I found myself jumping back and forth between this section and 4 and 5 trying to figure out what I missed. I couldn't find any differences. Keep the first sentence and the example; ditch the rest.
6.2: Skip the bits about client_assertion, client_assertion_type, Subject, Audience, and signature verification; they're redundant. Skip the first two sentences of "Issuer"; also redundant. Move the bit about STS into earlier sections; it gets re-used. Just keep the intro, the grant_type, and the example.
6.3 and 6.4 have similar issues to 6.1 and 6.2, and similar cleanups. I can go through in detail if you need, but I think you have the idea.
Ralph Droms Former IESG member
No Objection
No Objection
(for -10)
Unknown
Robert Sparks Former IESG member
No Objection
No Objection
(for -10)
Unknown
Ron Bonica Former IESG member
No Objection
No Objection
(for -10)
Unknown
Russ Housley Former IESG member
No Objection
No Objection
(for -10)
Unknown
Stewart Bryant Former IESG member
No Objection
No Objection
(for -10)
Unknown
Wesley Eddy Former IESG member
No Objection
No Objection
(for -10)
Unknown