Re: [kitten] Updating OAuth SASL
Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 23 November 2012 07:52 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9AC821F8201 for <kitten@ietfa.amsl.com>; Thu, 22 Nov 2012 23:52:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E41KF+412j5Z for <kitten@ietfa.amsl.com>; Thu, 22 Nov 2012 23:52:37 -0800 (PST)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by ietfa.amsl.com (Postfix) with SMTP id D68EA21F8232 for <kitten@ietf.org>; Thu, 22 Nov 2012 23:52:31 -0800 (PST)
Received: (qmail invoked by alias); 23 Nov 2012 07:52:29 -0000
Received: from unknown (EHLO [10.255.134.168]) [194.251.119.201] by mail.gmx.net (mp004) with SMTP; 23 Nov 2012 08:52:29 +0100
X-Authenticated: #29516787
X-Provags-ID: V01U2FsdGVkX19nRwl/AIZn8+kRyt5zMYc9ba/O2sH1JCL1z0qR9p AfcGeYOhkxVnuH
Mime-Version: 1.0 (Apple Message framework v1085)
Content-Type: text/plain; charset="us-ascii"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <1353629831.97525.YahooMailNeo@web31801.mail.mud.yahoo.com>
Date: Fri, 23 Nov 2012 09:52:27 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <6197D3BF-AA50-4383-AE77-7EC523AAC848@gmx.net>
References: <841A324B-C22C-4FB6-9D62-9CF0430BD940@gmx.net> <1353372782.48256.YahooMailNeo@web31804.mail.mud.yahoo.com> <E53F19E5-1665-4D0F-8C78-168081B29833@gmx.net> <1353629831.97525.YahooMailNeo@web31801.mail.mud.yahoo.com>
To: William Mills <wmills@yahoo-inc.com>
X-Mailer: Apple Mail (2.1085)
X-Y-GMX-Trusted: 0
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] Updating OAuth SASL
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Nov 2012 07:52:41 -0000
Hi Bill, you are right that there are various aspects to consider. The first one is that there is a need to map the resource owner identifier from the OAuth exchange to the SASL/GSS-API used concepts. The need to describe such a mapping is created by the layering introduced. The text I distributed below tries to address that part (since it is not described elsewhere in the document). Then, there is a question of how the resource owner identifier is actually presented to the user (as part of the user interface). The problem is that there is no description in any of the OAuth documents about the syntax of the resource owner identifer. The only (not yet finished document) is the JWT that describes in which JSON field to put the string. It does, however, leave the syntax of the string undefined (intentionally). This obviously makes it a bit difficult to describe in the SASL OAuth document how such identifier canonicalization would look like. Ciao Hannes On Nov 23, 2012, at 2:17 AM, William Mills wrote: > Nowhere in OAuth do we talk about normalizing or canonicalizing names IIRC, so there's at least one way this won't work. I know what problem I was trying to solve with that language, I don't see how this language solves the problem. Perhaps it doesn't need solving, I could believe that. I think we need to define a way for the server to get (or derive by DB lookup for example) the identity out of the token, and we should also define how a server might get the client identity. Since nothing in the token is defined as usable for display the current text also addresses that by adding it as a requirement. > > How does the proposed language solve these things? > > -bill > > > From: Hannes Tschofenig <hannes.tschofenig@gmx.net> > To: William Mills <wmills@yahoo-inc.com>; Alexey Melnikov <alexey.melnikov@isode.com> > Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>; kitten@ietf.org > Sent: Thursday, November 22, 2012 6:38 AM > Subject: Re: [kitten] Updating OAuth SASL > > Hi Bill, Hi Alexey, > > I am wondering whether we couldn't just re-use the text we have in the SASL OpenID specification. > Here is the relevant text from Section 4.1 of RFC 6616: > > ---- > > 4.1. GSS-API Principal Name Types for OpenID > > OpenID supports standard generic name syntaxes for acceptors such as > GSS_C_NT_HOSTBASED_SERVICE (see Section 4.1 of [RFC2743]). > > OpenID supports only a single name type for initiators: > GSS_C_NT_USER_NAME. GSS_C_NT_USER_NAME is the default name type for > OpenID. > > OpenID name normalization is covered by the OpenID specification; see > Section 7.2 of [OpenID]. > > The query, display, and exported name syntaxes for OpenID principal > names are all the same. There are no OpenID-specific name syntaxes > -- applications should use generic GSS-API name types such as > GSS_C_NT_USER_NAME and GSS_C_NT_HOSTBASED_SERVICE (see > Section 4 of [RFC2743]). The exported name token does, of course, conform to > Section 3.2 of [RFC2743], but the "NAME" part of the token should be > treated as a potential input string to the OpenID name normalization > rules. For example, the OpenID Identifier "https://openid.example/" > will have a GSS_C_NT_USER_NAME value of "https://openid.example/". > > GSS-API name attributes may be defined in the future to hold the > normalized OpenID Identifier. > > ------- > Of course instead of talking about OpenID identifiers (as URIs) we would be talking about resource owner identifiers, for example, the "Principal" defined in Section 4.1.6 of JWT (in case a JSON-based structure is used to encode information, as it was done with OpenID Connect). Note that the JWT spec does not define the syntax of the principal identifier. > > Section 3.2.1 and Section 3.2.2 of the current OAuth SASL draft would be impacted. > > Does this sound reasonable? > > Ciao > Hannes > > On Nov 20, 2012, at 2:53 AM, William Mills wrote: > > > We can strike that second sentence if you want, it was there to try to clarify, and if it's not doing that kill it. > > > > > > From: Hannes Tschofenig <hannes.tschofenig@gmx.net> > > To: kitten@ietf.org > > Sent: Sunday, November 18, 2012 11:43 PM > > Subject: [kitten] Updating OAuth SASL > > > > Hi all, > > > > I have incorporated Alexey's comments into the draft and also my own earlier review comments. > > Here is the current snapshot: > > https://github.com/hannestschofenig/tschofenig-ids/blob/master/sasl-oauth/draft-ietf-kitten-sasl-oauth-09.txt > > > > There is one issue that Alexey raised, which I still have to understand better myself, namely: > > > > ----- > > > > 3.2.2. Canonicalization > > > > The identity asserted by the OAuth authorization server is canonical > > for display. The server MAY provide a different canonical form based > > on local data. > > > > I don't understand the second sentence. SASL server? How can it do that? > > > > ------ > > > > Ciao > > Hannes > > > > _______________________________________________ > > Kitten mailing list > > Kitten@ietf.org > > https://www.ietf.org/mailman/listinfo/kitten > > > > > > >
- [kitten] Updating OAuth SASL Hannes Tschofenig
- Re: [kitten] Updating OAuth SASL Alexey Melnikov
- Re: [kitten] Updating OAuth SASL William Mills
- Re: [kitten] Updating OAuth SASL William Mills
- Re: [kitten] Updating OAuth SASL Hannes Tschofenig
- Re: [kitten] Updating OAuth SASL William Mills
- Re: [kitten] Updating OAuth SASL Hannes Tschofenig