Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

discontinue ad hoc and inappropriate use of "OAuth URI"s #279

Closed
wants to merge 2 commits into from
Closed

discontinue ad hoc and inappropriate use of "OAuth URI"s #279

wants to merge 2 commits into from

Conversation

bc-pi
Copy link
Member

@bc-pi bc-pi commented Oct 7, 2024

update the URIs somehow used with VCDM's termsOfUse to somehow indicate conformance to "those" specified in OpenID Federation and something about trust marks or whatever to something at least somewhat less wrong and not needing a permanent registration in an almost wholly unrelated IANA registry

https://www.rfc-editor.org/rfc/rfc6755.html

related to #274

@bc-pi
update the URIs somehow used with VCDM's termsOfUse to somehow indica…
6292d03 
…te conformance to "those" specified in OpenID Federation and something about trust marks or whatever to something at least somewhat less wrong and not needing a permanent registration in an almost wholly unrelated IANA registry
@bc-pi bc-pi mentioned this pull request Oct 7, 2024
Merged
@selfissued
Copy link
Member

Does anyone know what the procedure for registering urn:openid is?

@bc-pi
Copy link
Member Author

bc-pi commented Oct 7, 2024

Does anyone know what the procedure for registering urn:openid is?

There isn't one.

@selfissued
Copy link
Member

I think the registration procedure is described at https://www.rfc-editor.org/rfc/rfc8141.html#section-6.

@bc-pi
Copy link
Member Author

bc-pi commented Oct 7, 2024
edited
Loading

Sorry, I misread the question as what the procedure is for registration of something under urn:openid, for which I don't think there is anything.

As far as registering a general namespace like urn:openid, I don't honestly know for sure. RFC 8141 might be applicable. Maybe. That would seem to be something for the OpenID Foundation as a whole should pursue, should it be deemed useful or of interest to the work of the foundation.

At least one OIDF final standard has utilized URIs with an openid namespace already and there have been no consequences to the best of my knowledge.

Specifically, https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html uses:
urn:openid:params:grant-type:ciba
urn:openid:params:jwt:claim:auth_req_id
urn:openid:params:jwt:claim:rt_hash

@selfissued
Copy link
Member

I'd be fine putting these URIs in the urn:openid:params namespace.

@Sakurann
Copy link
Collaborator

Sakurann commented Oct 8, 2024

@bc-pi I am sorry, what is the biggest problem with using urn:ietf:params:oauth:? openid4vp claims to be an extension of oauth, so keep using urn:ietf:params:oauth: feels less work in terms of registerng new urn:openid, etc.

@bc-pi
Copy link
Member Author

bc-pi commented Oct 8, 2024

@bc-pi I am sorry, what is the biggest problem with using urn:ietf:params:oauth:? openid4vp claims to be an extension of oauth, so keep using urn:ietf:params:oauth: feels less work in terms of registerng new urn:openid, etc.

urn:openid isn't going to be registered so this is less work and doesn't enshrine this stuff in a permanent registry

@bc-pi
Copy link
Member Author

bc-pi commented Oct 8, 2024
edited
Loading

see also #274 (comment) and #274 (comment)

selfissued
selfissued approved these changes Oct 8, 2024
View reviewed changes
Copy link
Member

@selfissued selfissued left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Works for me

@Sakurann
Copy link
Collaborator

@bc-pi why is there no need to register urn:openid?

@jogu
Copy link
Collaborator

jogu commented Oct 10, 2024
edited
Loading

@Sakurann

@bc-pi why is there no need to register urn:openid?

As I think Brian's away the next few days I'll make the guess that I think what he was saying is that there's no IANA registry that exists today that we would need to register urns beginning urn:openid into. And even if we did register openid at https://www.iana.org/assignments/urn-namespaces/urn-namespaces.xhtml#urn-namespaces-2 I don't think there's any requirement that the registry for urn:openid is run by IANA. (And as Brian mentioned above, https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html already uses urn:openid values so there's precedent for using them and not needing to register them anywhere)

@Sakurann
Copy link
Collaborator

Sakurann commented Oct 14, 2024
edited
Loading

from a name collision perspective, using a registration would be better. if we think no one will ever use these URNs, the better solution is to remove the section that uses these URNs than trying to go around the registration?

I am just saying that sounds like the problem is bigger than whether there is a need to register a urn value or not.

jogu added a commit that referenced this pull request Oct 14, 2024
@jogu
Remove urn:ietf:params:oauth urls
c601442 
As an alternative fix to the one in:

#279

Remove the paragraph that appears to create the controverial URNs.

If there URNs are needed, the federation-wallet spec:

https://github.com/peppelinux/federation-wallet

seems to be a more appropriate place to define them.
@jogu jogu mentioned this pull request Oct 14, 2024
Closed
@jogu
Copy link
Collaborator

jogu commented Oct 14, 2024

@Sakurann

from a name collision perspective, using a registration would be better.

a urn:openid: value created in an openid foundation spec is pretty close to being collision proof. If we really think it's important we could formally register 'openid'.

if we think no one will ever use these URNs, the better solution is to remove the section that uses these URNs than trying to go around the registration?

I am just saying that sounds like the problem is bigger than whether there is a need to register a urn value or not.

As an attempt to make any kind of progress, I've created an alternative pull request that removes the values instead:

#280

@bc-pi bc-pi mentioned this pull request Oct 15, 2024
Merged
@Sakurann
Copy link
Collaborator

Sakurann commented Oct 22, 2024
edited
Loading

superseded by #282

@Sakurann Sakurann closed this Oct 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jogu jogu jogu approved these changes

@selfissued selfissued selfissued approved these changes

@tplooker tplooker tplooker approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@bc-pi @selfissued @Sakurann @jogu @tplooker