Metadata on client registration
Roland Hedberg
Vladimir Dzhuvinov
Hi Roland,
Hi!
Right now an RP can signal which client registration method it can use by setting ‘federation_type’in its metadata.
I think I want to change the parameter name to ‘client_registation_type’ because that’s what it’s all about.
This name change makes a lot of sense.
On the OP’s side it can publish it’s client registration support using ‘federation_type_supported’ which thenalso should change name, to ‘client_registation_type_supported’.
How about `client_registration_types_supported` ? Since it's a
JSON array, with potentially multiple values?
The OP has to publish another thing and that is what auth methods it supports.Here I’d like to use the parameter name ‘client_registration_auth_methods_supported’.This parameter then should publish 2 sets of auth methods, one for ’normal’ authorization request is used and one forwhen pushed authorization request is used.
If we use the normal abbreviation of pushed authorization request, PAR and consequently use AR for ’normal’ authorization request,then I would propose we use an JSON object as value. Like this:
‘client_registation_type_supported': {‘AR’: [‘request_object’], ‘PAR’:[‘private_key_jwt’, ‘ self_signed_tls_client_auth’]}
Shouldn't that be client_registration_auth_methods_supported?
This nested format has not occurred before, but it has the
benefit that it keeps everything under one roof and can
potentially accommodate with other endpoints as well (who knows ;)
Anyone against ?
I welcome these changes.
Vladimir
- Roland
Otium cum dignitate - latin proverb
--
You received this message because you are subscribed to the Google Groups "openid-federation-interop" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openid-federation-...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/openid-federation-interop/8638390B-4592-491B-AC85-6DAD631304E8%40catalogix.se.
-- Vladimir Dzhuvinov
Roland Hedberg
On 18 Jun 2020, at 10:32, Vladimir Dzhuvinov <vlad...@connect2id.com> wrote:Hi Roland,
On 18/06/2020 10:49, Roland Hedberg wrote:Hi!Right now an RP can signal which client registration method it can use by setting ‘federation_type’in its metadata.I think I want to change the parameter name to ‘client_registation_type’ because that’s what it’s all about.This name change makes a lot of sense.
On the OP’s side it can publish it’s client registration support using ‘federation_type_supported’ which thenalso should change name, to ‘client_registation_type_supported’.How about `client_registration_types_supported` ? Since it's a JSON array, with potentially multiple values?
The OP has to publish another thing and that is what auth methods it supports.Here I’d like to use the parameter name ‘client_registration_auth_methods_supported’.This parameter then should publish 2 sets of auth methods, one for ’normal’ authorization request is used and one forwhen pushed authorization request is used.If we use the normal abbreviation of pushed authorization request, PAR and consequently use AR for ’normal’ authorization request,then I would propose we use an JSON object as value. Like this:‘client_registation_type_supported': {‘AR’: [‘request_object’], ‘PAR’:[‘private_key_jwt’, ‘ self_signed_tls_client_auth’]}Shouldn't that be client_registration_auth_methods_supported?
This nested format has not occurred before, but it has the benefit that it keeps everything under one roof and can potentially accommodate with other endpoints as well (who knows ;)
Anyone against ?I welcome these changes.
Mike Jones
We typically use lowercase for parameter names, so I’d advocate “par” rather than “PAR”.
-- Mike
--
You received this message because you are subscribed to the Google Groups "openid-federation-interop" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
openid-federation-...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/openid-federation-interop/67E5B18F-1203-4880-A517-D7B24F09DD07%40catalogix.se.
Vladimir Dzhuvinov
I +1 Mike's suggestion.
Vladimir
---- 'Mike Jones' via openid-federation-interop wrote ----
Roland Hedberg
To view this discussion on the web, visit https://groups.google.com/d/msgid/openid-federation-interop/5vl0oi0vsp17r5ftf34hj3eu.1592585360885%40email.android.com.
Vladimir Dzhuvinov
Could client_registation_type also be made plural - client_registation_types, since it's a JSON array?
- client_registration_types_supported
- client_registration_auth_methods_supported
Mike Jones
I agree that since it’s plural, its name should have the “s” in it.
To view this discussion on the web, visit https://groups.google.com/d/msgid/openid-federation-interop/15d7f154-8f28-7ed8-e8b0-d24f6d68f727%40connect2id.com.
Roland Hedberg
To view this discussion on the web, visit https://groups.google.com/d/msgid/openid-federation-interop/MN2PR00MB0686518CD7DFF772DDF24746F56E0%40MN2PR00MB0686.namprd00.prod.outlook.com.
Vladimir Dzhuvinov
Thanks!
To view this discussion on the web, visit https://groups.google.com/d/msgid/openid-federation-interop/2489E8B1-31A0-4014-A219-DA9E2DD544A6%40catalogix.se.
-- Vladimir Dzhuvinov
Mike Jones
I just pulled from master and diffed. Here’s additional issues I’d like to see addressed before we publish draft 12.
- client_registration_type should be client_registration_types, since it’s a list.
- I’d prefer that client_registration_auth_methods_supported be client_registration_authn_methods_supported so it’s clear that client authentication is occurring.
- s/The OP MUST publish that is supports/The OP MUST publish that it supports/
- You changed “two” to “three” in “When it comes to client authentication the applicable authentication methods are three:” but the list that follows only has two entries. What’s behind this inconsistency?
- s/There are three different path/There are three different paths/
- s/about them self/about themselves/
Thanks,
Roland Hedberg
On 30 Jun 2020, at 19:19, 'Mike Jones' via openid-federation-interop <openid-feder...@googlegroups.com> wrote:I just pulled from master and diffed. Here’s additional issues I’d like to see addressed before we publish draft 12.
- client_registration_type should be client_registration_types, since it’s a list.
- I’d prefer that client_registration_auth_methods_supported be client_registration_authn_methods_supported so it’s clear that client authentication is occurring.
- s/The OP MUST publish that is supports/The OP MUST publish that it supports/
- You changed “two” to “three” in “When it comes to client authentication the applicable authentication methods are three:” but the list that follows only has two entries. What’s behind this inconsistency?
- s/There are three different path/There are three different paths/
- s/about them self/about themselves/
Mike Jones
You wrote “There are 2 mTLS variants, one with self-signed certificates and the other one with Certificates signed by a CA.
I regard them as separate methods.” I understand what you’re saying and agree with it.
My main point is an editorial one. The spec says “three” followed by a list of two, which will confuse readers. Please break out the two mTLS variants so that they are separate list items. Then “three” will be followed by a list of three items.
Thanks,
-- Mike
P.S. When you next push, please build and also push the .txt and .html versions.
From: Roland Hedberg <rol...@catalogix.se>
Sent: Tuesday, June 30, 2020 10:32 AM
To: Mike Jones <Michae...@microsoft.com>
Cc: 'Mike Jones' via openid-federation-interop <openid-feder...@googlegroups.com>
Subject: Re: Metadata on client registration
Roland Hedberg
On 30 Jun 2020, at 19:47, 'Mike Jones' via openid-federation-interop <openid-feder...@googlegroups.com> wrote:You wrote “There are 2 mTLS variants, one with self-signed certificates and the other one with Certificatessigned by a CA.
Mike Jones
This looks good now. Let me know when you’re ready for -12 to be published.
-- Mike
Vladimir Dzhuvinov
Hi Roland,
I noticed some examples still use the old params:
2 x federation_types_supported
In 9.1.1.1. Using Request Object there is a "sub" specified for the request object JWT.
If the intent was to set it to prevent some potential JWT misuse if the "sub" is left undefined, then I'd suggest to have it set to the entity ID of the relying party, rather than the entity ID of the OP, since the JWT is "about" authentication of the RP.https://github.com/rohe/oidcfederation/blob/master/draft/openid-connect-federation-1_0.txt#L2324
The example that follows does set "sub" to the RP entity ID:
"sub": "https://rp.example.com"
Vladimir
--
You received this message because you are subscribed to the Google Groups "openid-federation-interop" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openid-federation-...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/openid-federation-interop/CH2PR00MB0679B1CED2C7B7E144813C2EF56F0%40CH2PR00MB0679.namprd00.prod.outlook.com.
-- Vladimir Dzhuvinov
Mike Jones
Oops – I just caught on omission. Please create a History entry for draft -12.
Thanks,
-- Mike
Roland Hedberg
--
You received this message because you are subscribed to the Google Groups "openid-federation-interop" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openid-federation-...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/openid-federation-interop/CH2PR00MB0679366EFC2F4FF183F6EA10F56C0%40CH2PR00MB0679.namprd00.prod.outlook.com.
Vladimir Dzhuvinov
Caught one more issue in the auto example:
https://github.com/rohe/oidcfederation/blob/master/draft/openid-connect-federation-1_0.txt#L2379
Request object (OIDC style) requires client_id, response_type and scope as top-level parameters.
https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests
So that the request is a valid OAuth 2.0 Authorization Request, values for the response_type and client_id parameters MUST be included using the OAuth 2.0 request syntax, since they are REQUIRED by OAuth 2.0. The values for these parameters MUST match those in the Request Object, if present.
Even if a scope parameter is present in the referenced Request Object, a scope parameter MUST always be passed using the OAuth 2.0 request syntax containing the openid scope value to indicate to the underlying OAuth 2.0 logic that this is an OpenID Connect request.
This will also make the request JAR (draft 21) compliant (requires only client_id as other top-level parameter).
Vladimir
To view this discussion on the web, visit https://groups.google.com/d/msgid/openid-federation-interop/3AF32FCC-F94E-49C3-AA37-F4540D636486%40catalogix.se.
-- Vladimir Dzhuvinov
Roland Hedberg
To view this discussion on the web, visit https://groups.google.com/d/msgid/openid-federation-interop/1c18933b-c391-92b7-4c61-bbd9e9635650%40connect2id.com.
Mike Jones
Looks good. Should I publish this as draft 12 now?
-- Mike
From: openid-feder...@googlegroups.com <openid-feder...@googlegroups.com>
On Behalf Of Roland Hedberg
Sent: Wednesday, July 1, 2020 8:08 AM
To: Vladimir Dzhuvinov <vlad...@connect2id.com>
To view this discussion on the web, visit https://groups.google.com/d/msgid/openid-federation-interop/1581F42F-B526-40BE-8F77-6C9D9D9040E0%40gmail.com.
Roland Hedberg
On 1 Jul 2020, at 18:33, 'Mike Jones' via openid-federation-interop <openid-feder...@googlegroups.com> wrote:
Looks good. Should I publish this as draft 12 now?-- MikeFrom: openid-feder...@googlegroups.com <openid-feder...@googlegroups.com> On Behalf Of Roland Hedberg
Sent: Wednesday, July 1, 2020 8:08 AM
To: Vladimir Dzhuvinov <vlad...@connect2id.com>
Cc: openid-feder...@googlegroups.com
Subject: Re: Metadata on client registrationFixed
On 1 Jul 2020, at 12:16, Vladimir Dzhuvinov <vlad...@connect2id.com> wrote:
Caught one more issue in the auto example:Request object (OIDC style) requires client_id, response_type and scope as top-level parameters.
So that the request is a valid OAuth 2.0 Authorization Request, values for theresponse_type and client_id parameters MUST be included using the OAuth 2.0 request syntax, since they are REQUIRED by OAuth 2.0. The values for these parameters MUST match those in the Request Object, if present.Even if a scope parameter is present in the referenced Request Object, a scopeparameter MUST always be passed using the OAuth 2.0 request syntax containing theopenid scope value to indicate to the underlying OAuth 2.0 logic that this is an OpenID Connect request.
To view this discussion on the web, visit https://groups.google.com/d/msgid/openid-federation-interop/CH2PR00MB067876D8A17BFA7EE0BE64F7F56C0%40CH2PR00MB0678.namprd00.prod.outlook.com.
Mike Jones
This is now published at https://openid.net/specs/openid-connect-federation-1_0-12.html and https://openid.net/specs/openid-connect-federation-1_0.html.
I’ll also make a blog post on openid.net saying that this release has been informed by the experiences from the June 2020 interop.
Thanks all!
-- Mike
Vladimir Dzhuvinov
Thanks Mike and congratulations everyone!
Switching the client auth on auto registration to JAR or JAR was a significant update and I believe will make the spec appeal to other application domains.
We updated the SDK to draft 12 earlier today, plus the RP examples:
Regarding D - open issues - "How are federation operator keys retrieved?" - I think we should aim for federations which can be operated in a fully automated fashion and avoid manual configs where possible. This means automatic key retrieval, updates and roll-over. Since the anchor JWK set is available in its statement at a well known URL, all participating entities can be configured with the anchor URL and then let to work out the rest automatically - meaning retrieve and cache the anchor keys. Thus relying on PKI / TLS for the key authenticity and integrity.
If a statement issued by the anchor about another entity refers
to a JWK "kid" that isn't cached, this can be used as a signal to
trigger a refresh of the JWK set. For this to work efficiently the
statement "jwks" will need to add a requirement for including an
identifier for each JWK (currently not required).
If the anchor keys will be configured manually by some, using
some other way to distribute them, it will help to provide some
general guidance / pointers how to do this securely.
Vladimir
To view this discussion on the web, visit https://groups.google.com/d/msgid/openid-federation-interop/CH2PR00MB0679005896E22B19A75A9C15F56C0%40CH2PR00MB0679.namprd00.prod.outlook.com.
-- Vladimir Dzhuvinov
Roland Hedberg
On 1 Jul 2020, at 22:26, Vladimir Dzhuvinov <vlad...@connect2id.com> wrote:Thanks Mike and congratulations everyone!
Switching the client auth on auto registration to JAR or JAR was a significant update and I believe will make the spec appeal to other application domains.
We updated the SDK to draft 12 earlier today, plus the RP examples:
Regarding D - open issues - "How are federation operator keys retrieved?" - I think we should aim for federations which can be operated in a fully automated fashion and avoid manual configs where possible.
This means automatic key retrieval, updates and roll-over.
Since the anchor JWK set is available in its statement at a well known URL, all participating entities can be configured with the anchor URL and then let to work out the rest automatically - meaning retrieve and cache the anchor keys. Thus relying on PKI / TLS for the key authenticity and integrity.
If a statement issued by the anchor about another entity refers to a JWK "kid" that isn't cached, this can be used as a signal to trigger a refresh of the JWK set. For this to work efficiently the statement "jwks" will need to add a requirement for including an identifier for each JWK (currently not required).
If the anchor keys will be configured manually by some, using some other way to distribute them, it will help to provide some general guidance / pointers how to do this securely.