draft-ietf-oauth-discovery-05.txt vs. draft-ietf-oauth-discovery-06.txt
(rfcdiff output: lines common to both drafts are shown once; "-" marks text only in -05, "+" marks text only in -06)

 OAuth Working Group                                            M. Jones
 Internet-Draft                                                Microsoft
 Intended status: Standards Track                            N. Sakimura
-Expires: July 23, 2017                                              NRI
+Expires: September 11, 2017                                         NRI
                                                              J. Bradley
                                                           Ping Identity
-                                                       January 19, 2017
+                                                         March 10, 2017

                OAuth 2.0 Authorization Server Metadata
-                    draft-ietf-oauth-discovery-05
+                    draft-ietf-oauth-discovery-06

 Abstract

    This specification defines a metadata format that an OAuth 2.0 client
    can use to obtain the information needed to interact with an OAuth
    2.0 authorization server, including its endpoint locations and
    authorization server capabilities.

 Status of This Memo
 skipping to change at page 1, line 36

    Internet-Drafts are working documents of the Internet Engineering
    Task Force (IETF). Note that other groups may also distribute
    working documents as Internet-Drafts. The list of current Internet-
    Drafts is at http://datatracker.ietf.org/drafts/current/.

    Internet-Drafts are draft documents valid for a maximum of six months
    and may be updated, replaced, or obsoleted by other documents at any
    time. It is inappropriate to use Internet-Drafts as reference
    material or to cite them other than as "work in progress."

-   This Internet-Draft will expire on July 23, 2017.
+   This Internet-Draft will expire on September 11, 2017.

 Copyright Notice

    Copyright (c) 2017 IETF Trust and the persons identified as the
    document authors. All rights reserved.

    This document is subject to BCP 78 and the IETF Trust's Legal
    Provisions Relating to IETF Documents
    (http://trustee.ietf.org/license-info) in effect on the date of
    publication of this document. Please review these documents

 skipping to change at page 2, line 14

    the Trust Legal Provisions and are provided without warranty as
    described in the Simplified BSD License.
 Table of Contents

    1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .   2
      1.1.  Requirements Notation and Conventions . . . . . . . . . .   3
      1.2.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
    2.  Authorization Server Metadata . . . . . . . . . . . . . . . .   3
      2.1.  Signed Authorization Server Metadata  . . . . . . . . . .   7
-   3.  Obtaining Authorization Server Metadata . . . . . . . . . . .   7
+   3.  Obtaining Authorization Server Metadata . . . . . . . . . . .   8
      3.1.  Authorization Server Metadata Request . . . . . . . . . .   8
      3.2.  Authorization Server Metadata Response  . . . . . . . . .   9
      3.3.  Authorization Server Metadata Validation  . . . . . . . .  10
    4.  String Operations . . . . . . . . . . . . . . . . . . . . . .  10
    5.  Compatibility Notes . . . . . . . . . . . . . . . . . . . . .  11
    6.  Security Considerations . . . . . . . . . . . . . . . . . . .  11
      6.1.  TLS Requirements  . . . . . . . . . . . . . . . . . . . .  11
      6.2.  Impersonation Attacks . . . . . . . . . . . . . . . . . .  11
      6.3.  Publishing Metadata in a Standard Format  . . . . . . . .  12
      6.4.  Protected Resources . . . . . . . . . . . . . . . . . . .  12
    7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  13
      7.1.  OAuth Authorization Server Metadata Registry  . . . . . .  13
        7.1.1.  Registration Template . . . . . . . . . . . . . . . .  14
        7.1.2.  Initial Registry Contents . . . . . . . . . . . . . .  14
      7.2.  Updated Registration Instructions . . . . . . . . . . . .  17
      7.3.  Well-Known URI Registry . . . . . . . . . . . . . . . . .  18
        7.3.1.  Registry Contents . . . . . . . . . . . . . . . . . .  18
    8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  18
      8.1.  Normative References  . . . . . . . . . . . . . . . . . .  18
-     8.2.  Informative References  . . . . . . . . . . . . . . . . .  21
+     8.2.  Informative References  . . . . . . . . . . . . . . . . .  20
    Appendix A.  Acknowledgements  . . . . . . . . . . . . . . . . . .  21
    Appendix B.  Document History  . . . . . . . . . . . . . . . . . .  21
-   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  23
+   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  22
 1. Introduction

    This specification generalizes the metadata format defined by "OpenID
    Connect Discovery 1.0" [OpenID.Discovery] in a way that is compatible
    with OpenID Connect Discovery, while being applicable to a wider set
    of OAuth 2.0 use cases. This is intentionally parallel to the way
    that the "OAuth 2.0 Dynamic Client Registration Protocol" [RFC7591]
    specification generalized the dynamic client registration mechanisms
    defined by "OpenID Connect Dynamic Client Registration 1.0"

 skipping to change at page 4, line 25

    authorization_endpoint
       REQUIRED. URL of the authorization server's authorization
       endpoint [RFC6749].

    token_endpoint
       URL of the authorization server's token endpoint [RFC6749]. This
       is REQUIRED unless only the implicit grant type is used.

    jwks_uri
       OPTIONAL. URL of the authorization server's JWK Set [JWK]
-      document. This contains the signing key(s) the client uses to
-      validate signatures from the authorization server. The JWK Set
-      MAY also contain the server's encryption key(s), which are used by
-      clients to encrypt requests to the server. When both signing and
+      document. The referenced document contains the signing key(s) the
+      client uses to validate signatures from the authorization server.
+      This URL MUST use the "https" scheme. The JWK Set MAY also
+      contain the server's encryption key(s), which are used by clients
+      to encrypt requests to the server. When both signing and
       encryption keys are made available, a "use" (public key use)
       parameter value is REQUIRED for all keys in the referenced JWK Set
       to indicate each key's intended usage.

    registration_endpoint
       OPTIONAL. URL of the authorization server's OAuth 2.0 Dynamic
       Client Registration endpoint [RFC7591].

    scopes_supported
       RECOMMENDED. JSON array containing a list of the OAuth 2.0
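Review bot: The added sentence `This URL MUST use the "https" scheme.` is inserted between the two sentences that describe the JWK Set's contents (signing keys, then encryption keys), which splits that description; moving it to directly after `URL of the authorization server's JWK Set [JWK] document.` keeps the scheme requirement beside the URL it constrains and the key-usage text together. The neighbouring URL-valued parameters in this hunk (authorization_endpoint, token_endpoint, registration_endpoint) carry no such requirement; if https is meant to be mandatory only for jwks_uri because clients fetch their signature-validation keys from it, saying so would help implementers.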
 skipping to change at page 7, line 35 (-05) / page 7, line 37 (-06)

    In addition to JSON elements, metadata values MAY also be provided as
    a "signed_metadata" value, which is a JSON Web Token (JWT) [JWT] that
    asserts metadata values about the authorization server as a bundle.
    A set of claims that can be used in signed metadata are defined in
    Section 2. The signed metadata MUST be digitally signed or MACed
    using JSON Web Signature (JWS) [JWS] and MUST contain an "iss"
    (issuer) claim denoting the party attesting to the claims in the
    signed metadata. Consumers of the metadata MAY ignore the signed
    metadata if they do not support this feature. If the consumer of the
    metadata supports signed metadata, metadata values conveyed in the
-   signed metadata MUST take precedence over those conveyed using plain
-   JSON elements.
+   signed metadata MUST take precedence over the corresponding values
+   conveyed using plain JSON elements.

    Signed metadata is included in the authorization server metadata JSON
    object using this OPTIONAL member:

    signed_metadata
       A JWT containing metadata values about the authorization server as
       claims. This is a string value consisting of the entire signed
       JWT. A "signed_metadata" metadata value SHOULD NOT appear as a
       claim in the JWT.
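Review bot: Changing `those conveyed using plain JSON elements` to `the corresponding values conveyed using plain JSON elements` makes precedence apply per value, but the paragraph does not say what a consumer does with a plain JSON value that has no counterpart in the signed metadata, or with a signed claim that has no plain JSON counterpart; one sentence stating that a value present in only one place is used as-is would settle that. The hunk also only requires that an `iss` claim be present; stating that the JWS signature and the issuer must be validated before the signed values are allowed to override the plain JSON values would make the precedence rule safe to implement.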
 skipping to change at page 18, line 32

    [BCP195]   Sheffer, Y., Holz, R., and P. Saint-Andre,
               "Recommendations for Secure Use of Transport Layer
               Security (TLS) and Datagram Transport Layer Security
               (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May
               2015, <http://www.rfc-editor.org/info/bcp195>.

    [IANA.OAuth.Parameters]
               IANA, "OAuth Parameters",
               <http://www.iana.org/assignments/oauth-parameters>.

-   [JWA]      Jones, M., "JSON Web Algorithms (JWA)", RFC 7518,
-              DOI 10.17487/RFC7518, May 2015,
-              <http://tools.ietf.org/html/rfc7518>.

    [JWE]      Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)",
               RFC 7516, DOI 10.17487/RFC7516, May 2015,
               <http://tools.ietf.org/html/rfc7516>.

    [JWK]      Jones, M., "JSON Web Key (JWK)", RFC 7517,
               DOI 10.17487/RFC7517, May 2015,
               <http://tools.ietf.org/html/rfc7517>.

    [JWS]      Jones, M., Bradley, J., and N. Sakimura, "JSON Web
               Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May
 skipping to change at page 19, line 21 (-05) / page 19, line 16 (-06)

               de Medeiros, B., Ed., Scurtescu, M., Tarjan, P., and M.
               Jones, "OAuth 2.0 Multiple Response Type Encoding
               Practices", February 2014, <http://openid.net/specs/
               oauth-v2-multiple-response-types-1_0.html>.

    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", BCP 14, RFC 2119,
               DOI 10.17487/RFC2119, March 1997,
               <http://www.rfc-editor.org/info/rfc2119>.

-   [RFC2246]  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
-              RFC 2246, DOI 10.17487/RFC2246, January 1999,
-              <http://www.rfc-editor.org/info/rfc2246>.

-   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
-              Resource Identifier (URI): Generic Syntax", STD 66,
-              RFC 3986, DOI 10.17487/RFC3986, January 2005,
-              <http://www.rfc-editor.org/info/rfc3986>.

    [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
               IANA Considerations Section in RFCs", BCP 26, RFC 5226,
               DOI 10.17487/RFC5226, May 2008,
               <http://www.rfc-editor.org/info/rfc5226>.

    [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
               (TLS) Protocol Version 1.2", RFC 5246,
               DOI 10.17487/RFC5246, August 2008,
               <http://www.rfc-editor.org/info/rfc5246>.
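Review bot: Dropping [RFC3986] from the normative references needs a check that nothing in the body still cites it: the metadata values in this document are URLs (authorization_endpoint, token_endpoint, jwks_uri, registration_endpoint), and -06 adds a scheme requirement on jwks_uri, which is the kind of statement that normally references RFC 3986 for URI syntax. Dropping [RFC2246] (TLS 1.0) while keeping [RFC5246] and [BCP195] raises no concern.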
 skipping to change at page 20, line 28 (-05) / page 20, line 9 (-06)

               August 2013, <http://www.rfc-editor.org/info/rfc7009>.

    [RFC7033]  Jones, P., Salgueiro, G., Jones, M., and J. Smarr,
               "WebFinger", RFC 7033, DOI 10.17487/RFC7033, September
               2013, <http://www.rfc-editor.org/info/rfc7033>.

    [RFC7159]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
               Interchange Format", RFC 7159, DOI 10.17487/RFC7159, March
               2014, <http://www.rfc-editor.org/info/rfc7159>.

-   [RFC7565]  Saint-Andre, P., "The 'acct' URI Scheme", RFC 7565,
-              DOI 10.17487/RFC7565, May 2015,
-              <http://www.rfc-editor.org/info/rfc7565>.

    [RFC7591]  Richer, J., Ed., Jones, M., Bradley, J., Machulak, M., and
               P. Hunt, "OAuth 2.0 Dynamic Client Registration Protocol",
               RFC 7591, DOI 10.17487/RFC7591, July 2015,
               <http://www.rfc-editor.org/info/rfc7591>.

    [RFC7636]  Sakimura, N., Ed., Bradley, J., and N. Agarwal, "Proof Key
               for Code Exchange by OAuth Public Clients", RFC 7636,
               DOI 10.17487/RFC7636, September 2015,
               <http://www.rfc-editor.org/info/rfc7636>.
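Review bot: [RFC7565] (the `acct` URI scheme) is removed while [RFC7033] (WebFinger) stays; WebFinger lookups are normally keyed by acct URIs, so confirm that the WebFinger text in this draft no longer mentions acct URIs, otherwise the citation is still needed.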
 skipping to change at page 21, line 39 (-05) / page 21, line 17 (-06)

               Dynamic Client Registration 1.0", November 2014,
               <http://openid.net/specs/
               openid-connect-registration-1_0.html>.

 Appendix A. Acknowledgements

    This specification is based on the OpenID Connect Discovery 1.0
    specification, which was produced by the OpenID Connect working group
    of the OpenID Foundation.

-   Review comments resulting in substantive edits to the specification
-   were made by Brian Campbell, William Denniss, Vladimir Dzhuvinov,
-   Samuel Erdtman, George Fletcher, Phil Hunt, Tony Nadalin, Justin
-   Richer, and Hans Zandbelt.
+   The authors would like to thank the following people for their
+   reviews of this specification: Brian Campbell, William Denniss,
+   Vladimir Dzhuvinov, Samuel Erdtman, George Fletcher, Phil Hunt, Tony
+   Nadalin, Justin Richer, Hannes Tschofenig, and Hans Zandbelt.

 Appendix B. Document History

    [[ to be removed by the RFC Editor before publication as an RFC ]]

+   -06
+
+   o  Incorporated resolutions to working group last call comments.

    -05

    o  Removed the "protected_resources" element and the reference to
       draft-jones-oauth-resource-metadata.

    -04

    o  Added the ability to list protected resources with the
       "protected_resources" element.

    o  Added ability to provide signed metadata with the
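Review bot: The new -06 history entry `Incorporated resolutions to working group last call comments.` does not tell a reader what changed; the other entries name the specific edits, so this one should at least list the https requirement added to jwks_uri, the per-value precedence wording for signed metadata, and the references removed ([JWA], [RFC2246], [RFC3986], [RFC7565]).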
 End of changes. 14 change blocks.
 34 lines changed or deleted, 22 lines changed or added

 This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/