Last Call Review of draft-ietf-oauth-resource-metadata-08
review-ietf-oauth-resource-metadata-08-opsdir-lc-wu-2024-08-29-00
Request | Review of | draft-ietf-oauth-resource-metadata |
---|---|---|
Requested revision | No specific revision (document currently at 12) | |
Type | Last Call Review | |
Team | Ops Directorate (opsdir) | |
Deadline | 2024-08-26 | |
Requested | 2024-08-12 | |
Authors | Michael B. Jones , Phil Hunt , Aaron Parecki | |
I-D last updated | 2024-08-29 | |
Completed reviews |
Artart Last Call review of -08
by Arnt Gulbrandsen
(diff)
Secdir Last Call review of -08 by David Mandelberg (diff) Opsdir Last Call review of -08 by Bo Wu (diff) Httpdir Telechat review of -10 by Mike Bishop (diff) |
|
Assignment | Reviewer | Bo Wu |
State | Completed | |
Request | Last Call review on draft-ietf-oauth-resource-metadata by Ops Directorate Assigned | |
Posted at | https://mailarchive.ietf.org/arch/msg/ops-dir/oAjZXgYQyPVDk33y778pxC531fg | |
Reviewed revision | 08 (document currently at 12) | |
Result | Has nits | |
Completed | 2024-08-29 |
review-ietf-oauth-resource-metadata-08-opsdir-lc-wu-2024-08-29-00
Hi, I'm the assigned Ops reviewer. I think this document is ready with nits. Here are some nits and questions: nits: 1) The Figure 1 Sequence Diagram does not seem to match the text in the steps. For example, step 5 in the diagram corresponds to step 5 and the first half of step 6 in the text description, and there is no "user agent" (step 8) in the diagram. Therefore, it is recommended that sequence numbers be added to the diagram. 2) s/The resource value returned/The "resource" value returned 3) s/specific member names such as resource/specific member names such as "resource" Some questions: 1) Section 1 Introduction The metadata for a protected resource is retrieved from a well-known location as a JSON [RFC8259] document, which declares information about its capabilities and optionally, its relationships to other services. Do other services refer to authorization servers? If yes, then it is recommended to use authorization servers directly. 2) Section 1 Introduction The means by which the client obtains the location of the protected resource is out of scope. In some cases, the location may be manually configured into the client. In Section 5.3, there is also text: This specification is intended to be deployed in scenarios where the client has no prior knowledge about the resource server, It seems that text in Introduction means that the resource server is prior knowledge of the client if I understand correctly. Am I correct? 3) Section 1.2. Terminology Resource Identifier: The Protected resource's resource identifier, which is a URL that uses the https scheme and has no query or fragment components. Protected resource metadata is published at a .well-known location [RFC8615] derived from this resource identifier, as described in Section 3. resource REQUIRED. The protected resource's resource identifier, which is a URL that uses the https scheme and has no query or fragment components. Using these well-known resources is described in Section 3. The two descriptions look almost same. Perhaps the reference of the definition can be used, for example: Resource Identifier: The Protected resource's resource identifier, which is a URL (see Section 2). 4) Section 5.3 Client Identifier and Client Authentication There are some existing methods by which an unrecognized client can make use of an authorization server, such as using Dynamic Client Registration [RFC7591] to register the client prior to initiating the authorization flow. Future extensions might define alternatives, such as using URLs to identify clients. On “Future extensions",does this mean the extensions of RFC 7591? Thanks, Bo Wu