
Last Call Review of draft-ietf-oauth-resource-metadata-08
review-ietf-oauth-resource-metadata-08-secdir-lc-mandelberg-2024-08-16-00

Request: Review of draft-ietf-oauth-resource-metadata
Requested revision: No specific revision (document currently at 12)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2024-08-26
Requested: 2024-08-12
Authors: Michael B. Jones, Phil Hunt, Aaron Parecki
I-D last updated: 2024-08-16
Completed reviews:
  Artart Last Call review of -08 by Arnt Gulbrandsen
  Secdir Last Call review of -08 by David Mandelberg
  Opsdir Last Call review of -08 by Bo Wu
  Httpdir Telechat review of -10 by Mike Bishop
Assignment: Reviewer David Mandelberg
State: Completed
Request: Last Call review on draft-ietf-oauth-resource-metadata by Security Area Directorate (Assigned)
Posted at: https://mailarchive.ietf.org/arch/msg/secdir/ECNOFeCe8_ow088A_oWmsjjZSR4
Reviewed revision: 08 (document currently at 12)
Result: Has nits
Completed: 2024-08-16
Overall, looks good. I just have a couple of questions that might not need any
changes to the doc.

Section 5.2 says "SHOULD retrieve the updated protected resource metadata and
use the new metadata values obtained" which makes sense for the values included
directly in the metadata. For the URLs like jwks_uri though, is the client
expected to retrieve those again even if the URL itself didn't change? Or does
that not need to be specified?

What do you think about adding something to section 5.2 about redoing all
validation (like checking the resource field and validating the signature in
signed_metadata) before using new values? I'd hope that any implementations
would do that without it being specified, but I could see some bugs if the code
path for fetching initial values is different than the code path for updating
values.
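The following is an added example, not part of the review or of the draft, illustrating the second question: a minimal client whose initial fetch and later refresh run through one shared validation routine (the resource check and the signed_metadata signature check), so a refresh can never skip a check the initial load performed. It assumes an HS256 demo key standing in for the real verification key and a caller-supplied fetch function; all names are hypothetical.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key: stands in for the key the client trusts for signed_metadata.
DEMO_KEY = b"demo-shared-secret-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_signed_metadata(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build an HS256 compact JWS carrying metadata claims (demo signer only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_metadata(metadata: dict, expected_resource: str, key: bytes = DEMO_KEY) -> dict:
    """The one validation path; both initial fetch and refresh must go through it."""
    if metadata.get("resource") != expected_resource:
        raise ValueError("resource does not match the identifier used to fetch it")
    signed = metadata.get("signed_metadata")
    if signed is None:
        return dict(metadata)
    header_b64, payload_b64, sig_b64 = signed.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg in signed_metadata")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signed_metadata signature invalid")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("resource") != expected_resource:
        raise ValueError("signed resource claim does not match")
    return {**metadata, **claims}  # signed values override unsigned ones (assumed policy)

class ResourceMetadataClient:
    def __init__(self, resource: str, fetch):  # fetch: callable returning parsed JSON
        self.resource, self.fetch, self.metadata = resource, fetch, None

    def load(self) -> dict:
        self.metadata = validate_metadata(self.fetch(), self.resource)
        return self.metadata

    def refresh(self) -> dict:
        # Deliberately the same code path as the initial load, so no check is skipped.
        return self.load()
```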